Creative design services
Ad creative
Eye-catching designs that perform
Social media creative
Engaging assets for all platforms
Presentation design
Captivating slides that tell your story
Illustration design
Visual storytelling for your brand
Branding services
Expertise & custom design services
Email creation
Click-worthy emails that drive engagement
Web design
Stunning websites built to engage
eBooks & report design
Your digital content supercharged
+3 more
Specialized production services
Video production
Effortless video production at scale
Motion design
For websites, ads, and presentations
3D & AR design
Innovative solutions for 3D design services
AI Services
AI enhanced creative
Human brilliance powered by AI
AI consulting
Maximize AI with tailored strategies
Marketing services
Marketing strategy
New
Grow your brand with expert consultants
Our work
About us
Our mission, goals and values
Our people
Meet your dedicated team
Learning Center
Events & Summits
Our upcoming events and recordings
Guides & Quizzes
Insights from marketing leaders
Video library
Superside’s latest videos
Playbooks
Quick ways to step up your game
Blog
7 Expert-Backed Social Creative Performance Strategies
Responsible AI: What Enterprise Brands Need To Know
Customer Stories
How Shopify Built a Growth Workshop to Unlock Rapid Experimentation
How Amazon Delivers Creative Assets Faster Without Increasing Headcount
Pricing
Enterprise
Sign in

Superside Security

SOC 2 Type 2 Certified

  • SOC2 Type 2 audit is completed annually by Schneider Downs
  • Active monitoring through Drata

Antivirus Deployment

  • All assets/files are scanned on S3 by an antivirus
  • All personnel have to certify to follow SOC-2 and comply to having an antivirus active

File integrity (host) and network intrusion detection (IDS) tools implemented

  • AWS WAF, Guard Duty

Internal and External Vulnerability scans

  • All systems and application are patched regularly
  • intruder.io automatic vulnerability testing
  • Drata scan for SOC-2
  • Bugcrowd Penetration test yearly
  • Automated source code analysis tool to detect security defects in code prior to production

Personnel Training

  • All personnel are required to attend annual security awareness training, including techniques to recognize phishing attempts
  • Developers have to attend formal software security training

Third Party Management

  • Documented and managed processes in place to identify and manage cyber supply chain risks (i.e. ensuring that software and hardware components used, as part of delivering a service or product, do not present a risk)
  • Agreements with third parties address confidentiality, audit, security, and privacy, including but not limited to, incident response and notification, ongoing monitoring, return of data, and secure disposal of client scoped data

System Monitoring

  • Applications and systems provide granular and comprehensive logging
  • Sufficient detail is contained in the infrastructure, operating system, and application logs to support security incident investigations (for example, successful and failed login attempts, and changes to sensitive configuration settings and files)
  • Audit logs are centrally stored and retained
  • Production data processing environments are monitored continuously (24x7) for security threats, malicious events, denial of service, intrusion detection
  • Automated system (Datadog) is in place to review and correlate log and/or behavioral events
  • Log data retained for at least one year with immediate access availability

System Design Documentation

  • Superside is currently in the process of mapping out a more complete understand of data flows and processes

Service Lifecycle:

  • There is a formal Software Development Life Cycle (SDLC) process
  • There a documented change management/change control process for applications with Scoped Data

Security Governance

  • Superside maintains an information security policy that has been approved by management, communicated to appropriate constituents, and updated regularly
  • Information Security Policy is reviewed at least once a year

Network Operations

  • Application backend is shielded by an API gateway, all communication is https encrypted (AES256)
  • Network technologies are used to isolate critical and sensitive systems into network segments separate from those with less sensitive systems

Incident Response

  • Superside has a documented security incident response plan
  • The Incident Response Plan includes a process for assessing and executing client and third party notification requirements (legal, regulatory and contractual)
  • Superside has a predefined communication channels for workforce personnel and external business partners to report incidents in a timely manner adhering to applicable legal, statutory, or regulatory compliance obligations

PII Data Privacy

Identity & Access Management

  • During the onboarding and offboarding process, we request and receive approval for access to systems transmitting, processing or storing Scoped Systems and Data
  • Superside deprovisions, revocates &/or modifies user access to the organizations systems, information assets, and data implemented upon any change in status of employees, contractors, customers, business partners, or involved third parties
  • Secure session management is implemented
  • Controls are in place to prevent unauthorized access to our application, program, or object source code, and is restricted to authorized personnel only
  • Policies and procedures are established for permissible storage and access of identities used for authentication
  • Platform and data appropriate encryption is implemented - AES-256 encryption algorithm
  • There is a segregation of duties between personnel responsible for key management duties and those responsible for normal operational duties
  • key management policies bind keys to identifiable owners through unique personal accounts
  • Shared data encryption keys are changed at the end of a defined life cycle period, when keys are compromised, or upon termination/transfer of personnel with access to the keys
  • Access logs are retained for 1 year
  • Single Sign On (SAML) can be provided

Data Management

  • All connections outside our networks use https, no http allowed
  • AWS Application Load Balancer ELBSecurity Policy-TLS-1-2-2017-01
  • Web Server Certificates are handled in AWS ACM
  • Scoped Data is encrypted with AES-256 encryption algorithm
  • All data used on the test environments is sanitized before usage
  • Policy and processes are in place to ensure the timely secure disposal of Scoped Data on all systems including third party systems

Change Management

  • Operational change management/Change Control policy / program has been documented, approved by management, communicated to appropriate Constituents and assigned an owner to maintain and review the policy
  • The change control process includes a formal process to ensure clients are notified prior to changes being made which may impact their service
  • Information security requirements are specified and implemented when new systems are introduced, upgraded, &/or enhanced
  • The change control process requires approval from authorized personnel based on change description, impact of change, test results, and back-out plan prior to changes being implemented in the production environment

Business Continuity

  • Business Continuity Plan (BCP) has been approved by management, communicated to appropriate constituents, and is updated regularly and is tested once a year
  • Disaster Recovery Plan (DRP) has been approved by management, communicated to appropriate constituents, and is updated regularly
  • Operational change management/Change Control policy or program has been documented, approved by management, communicated to appropriate Constituents and assigned an owner to maintain and review the policy

Back Up Management

  • Backups are encrypted at rest (AES256GCM) and follow SOC-2 requirements
  • We locate backups in multiple AWS availability zones and regions
  • Backup or redundancy mechanisms are tested once a year
  • Backups multiple AWS regions are automation to recover within minutes

Check our Bug Bounty Program Policy here.