The design services of Superside are subject to the security and privacy requirements of relevant regulations, as well as state privacy security laws and regulations in the jurisdictions in which Superside operates.
Security commitments that Superside strive towards are standardized and include, but are not limited to, the following:
Superside establishes operational requirements that support the achievement of security commitments, relevant laws and regulations, and other system requirements. Such requirements are communicated in Superside’s system policies and procedures, system design documentation, and contracts with customers.
Superside’s production and staging environments run in two separate Amazon Web Services (AWS) regions and Virtual Private Cloud (VPC) networks, and Superside allows only a few selected personnel access to the production environment.
Processes and Procedures
The Superside Security Steering Committee (SSC) has developed and communicated processes that control and restrict access to Superside instances containing customer data. Review of these processes and controls are conducted by the SSC, and changes are approved by the committee prior to implementation.
These processes are documented in Superside policies and include the following key security life cycle areas:
Data, as defined by Superside, constitutes the following:
Superside projects are initiated by customers by either submitting a project through the Superside web application or by sending an email to their Superside project manager. Customer files and assets, if needed, are either submitted with the project or attached to incoming emails. While Superside is working on a project, they give asset and project access to the necessary parties (the customer’s project managers, designers and Superside admin users) to be able to deliver final adjusted assets. Iterations are uploaded to Superspace and made available to the customer for feedback. Once a project is completed, all involved Superside parties are instructed to delete the customer files from their local devices, but files remain available to customers and involved Superside personnel through Superspace, so they can be used later.
Superspace interactions can lead to transactional or usage data being stored in Superside’s relational database or data platform.
Superside has a formalized change management process in place, which requires identification and recording of significant changes, assessment of risk and potential effect of such changes, approval of proposed changes and testing of changes to the customer facing instances. This is done through Superside’s Product Development process.
Proposed changes are classified, recorded and approved. Issues are tracked. All changes must be approved by at least one additional engineer before being merged; and Quality Assurance (QA) is done either in a separate staging environment or in production through the use of feature flags. QA is the responsibility of the Product Development team responsible for the feature being released. Superside also undergoes a yearly external third-party security penetration test to help identify any potential issues.
Firewalls and Perimeter Security
All Superside Application Load Balancer instances and VPCs are deployed in the AWS Cloud which provides firewall and perimeter security. Default configuration in all AWS Cloud platform instances is to restrict all traffic. Only the ports and protocols necessary to run the platform are enabled.
Firewall settings are reviewed periodically to assure that all settings continue to meet the platform requirements. Superside also runs a periodic penetration test on the production instances, which among other things, reports on any changes to perimeter security. AWS provides multiple redundant layers to the network and firewall and provides native intrusion and prevention services.
Customers access Superspace through a web browser. TLS 1.2 or higher is required to access the system. Users authenticate access through username and password or through their corporate SSO identity provider.
Superside customers receive data through the Superside platform, electronic mail or third-party services that the customer has requested. Any sensitive data to be transmitted over public networks by Superside to a customer requires encryption or standard secure transmission method.
The Superside Engineering team uses a variety of security utilities to identify and detect possible security threats and incidents. These utilities include, but are not limited to, firewall notifications, intrusion detection system (IDS) or intrusion prevention system (IPS) alerts, vulnerability assessment reports, and operating system event logs. These alerts and
notifications are reviewed daily by the Engineering team. Additionally, the Engineering team has developed and will review the following alerts as deemed necessary.
Security events requiring further investigation are tracked using a help desk ticket and monitored until resolved.