Superside Security
We build security into how we run our platform, develop software, and support customers, so your data stays protected throughout the lifecycle of our services.
Compliance & Assurance
SOC 2 Type II (annual audit)
- Superside completes a SOC 2 Type II audit annually, performed by a trusted third party, with continuous control monitoring through Drata.
Security Controls & Operations
Infrastructure
- Superside’s production and staging environments run in two separate Amazon Web Services (AWS) regions and Virtual Private Cloud (VPC) networks, and only a small number of selected personnel have access to the production environment.
Endpoint protection & malware scanning
- Files and assets stored in S3 are scanned with antivirus tools.
- Superside personnel are required to maintain active antivirus protection on their work devices.
Network protection & intrusion detection
- Superside uses AWS WAF and Amazon GuardDuty for host-level file integrity monitoring and network intrusion detection (IDS).
Vulnerability management & testing
- Systems and applications are patched regularly.
- Superside performs automated vulnerability testing via Intruder.io.
- Superside engages a third party to conduct a security assessment (penetration test) on an annual basis.
- Automated source code analysis helps identify security defects before code reaches production.
Monitoring, logging & detection
- Applications and systems generate granular logs to support investigations (e.g., successful/failed logins and sensitive configuration changes).
- Audit logs are centrally stored and retained.
- Production environments are monitored continuously (24/7) for threats such as malicious activity, denial-of-service, and intrusion attempts.
- Superside uses Datadog to review and correlate log and behavioral events.
- Log data is retained for at least one year and remains immediately accessible.
People & Governance
Security Training
- Superside requires all personnel to complete Security & Privacy Awareness training as part of new hire onboarding and annually thereafter, including techniques to recognize phishing attempts.
Security Governance
- Superside’s Security Steering Committee defines and communicates processes that control and restrict access to Superside instances containing customer data.
- These policies cover key lifecycle areas including data classification/retention, security control selection and implementation, access authorization and termination, role management, backup/offline storage, incident response/responsible disclosure, configuration restrictions, virus detection/prevention, and secure development/change processes.
Third-Party Management
- Superside has documented processes in place to identify and manage cyber supply chain risks across third parties.
- Superside’s agreements with third parties address confidentiality, audit, security, and privacy, including, but not limited to, incident response and notification, ongoing monitoring, and secure disposal of customer data.
Secure development & change management
Service Lifecycle
- Superside follows a formal Software Development Life Cycle (SDLC) policy, reviewed and updated on an annual basis.
Change control
- Superside’s operational change control program is documented, approved by management, communicated to relevant stakeholders, and is reviewed and updated on an annual basis.
- Superside notifies customers in advance of changes that may impact the service.
- Security requirements are specified and implemented when systems are introduced, upgraded, or enhanced.
- Production changes require approval based on change description, impact, test results, and back-out plan.
Data Protection & Privacy
Network Security & encryption in transit
- An API gateway shields the application backend, and we encrypt all communication over HTTPS.
- Superside uses network segmentation to isolate critical and sensitive systems from less sensitive systems.
- Connections outside Superside networks use HTTPS only (no HTTP).
- All traffic is encrypted in transit using TLS 1.3 with strong cipher suites. Post-quantum hybrid key exchange is supported for compatible clients. TLS certificates are automatically managed and rotated via AWS Certificate Manager (ACM).
Encryption at rest and data handling
- Data at rest is encrypted using AES-256.
- Test environments use sanitized data.
- Superside has policies and processes in place to support timely, secure disposal of customer data.
Data Privacy
- Superside complies with applicable data protection and privacy laws, including the GDPR and the CCPA.
- Our policies, tools, and procedures are built to protect your data and help you meet your privacy obligations.
- To learn more, read Superside’s Privacy Policy: https://www.superside.com/privacy
Identity & Access Management
- Access to systems that transmit, process, or store sensitive and customer data is first approved as part of onboarding/offboarding workflows.
- Superside deprovisions, revokes, and/or modifies user access to relevant systems and tools upon changes in status for personnel, contractors, customers, partners, or relevant third parties.
- Secure session management is implemented.
- Source code access is restricted to authorized personnel.
- Superside has policies and procedures in place to govern identity storage and authentication access.
- Duties are segregated between personnel responsible for key management and those responsible for normal operational duties.
- Key management policies bind keys to identifiable owners through unique personal accounts.
- Superside changes shared data encryption keys at the end of a defined life cycle period, when keys are compromised, or upon termination/transfer of personnel with access to the keys.
- Superside retains access logs for one year.
- We support authentication via Google using OAuth 2.0, and provide Single Sign-On (SSO) integration through OIDC and SAML 2.0.
Role Based Access Control
- Access (logical and physical) is provisioned only after documented approval by appropriate management.
- Least-privilege by default: Personnel can access only the information they need to perform their job. Role eligibility is based on authority, responsibility, and job competency.
- Ongoing reviews: Role privileges and role assignments are reviewed quarterly for users with elevated privileges to confirm access remains appropriate as responsibilities and business needs change.
Customer Access
- Customers access Superspace through a web browser. TLS 1.2 or higher is required to access the system. Users authenticate with a username and password or through their corporate SSO identity provider.
- Superside customers receive data through the Superside platform, electronic mail, or third-party services that the customer has requested. Any sensitive data transmitted over public networks by Superside to a customer requires encryption or another standard secure transmission method.
Incident Response
- Superside maintains an Incident Response Plan that details how the Security team triages, investigates, remediates, and reports on security incidents.
Business Continuity & Backups
Business continuity & disaster recovery
- Superside’s Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are approved, communicated, kept up to date, and tested annually.
Backup management
- Backups are encrypted at rest (AES-256-GCM).
- Backups are stored across multiple AWS availability zones and regions.
- Backup/redundancy mechanisms are tested annually.
- Multi-region recovery automation is in place to recover within minutes.
Bug Bounty
Review our Bug Bounty Program Policy here.