Product Security

The design services of Superside are subject to the security and privacy requirements of relevant regulations, as well as state privacy security laws and regulations in the jurisdictions in which Superside operates.

Security commitments that Superside strive towards are standardized and include, but are not limited to, the following:

  • Customer data and assets are always encrypted at rest and in transit.
  • The platform is housed in cloud environments that undergo annual System and Organization Controls (SOC) 2 Type 2 examinations.
  • The platform is continuously monitored and tested for any security vulnerabilities or unexpected changes.
  • The platform security enables segregation of responsibilities and application functional access.
  • Superside provides access to customer data on a need-to-know basis only. All personnel access to the platform is audited to assure that access levels are never-out-of-date.
  • Superside personnel authorized to work with customers and their data are trained to handle data properly and never expose the data via insecure practices.

Superside establishes operational requirements that support the achievement of security commitments, relevant laws and regulations, and other system requirements. Such requirements are communicated in Superside’s system policies and procedures, system design documentation, and contracts with customers.


Superside’s production and staging environments run in two separate Amazon Web Services (AWS) regions and Virtual Private Cloud (VPC) networks, and Superside allows only a few selected personnel access to the production environment.

Processes and Procedures

The Superside Security Steering Committee (SSC) has developed and communicated processes that control and restrict access to Superside instances containing customer data. Review of these processes and controls are conducted by the SSC, and changes are approved by the committee prior to implementation.

These processes are documented in Superside policies and include the following key security life cycle areas:

  • Data classification and retention (data at rest, in motion, and output)
  • Categorization of information
  • Assessment of the business impact resulting from proposed security approaches
  • Selection, documentation, and implementation of security controls
  • Performance of annual management self-assessments to assess security controls
  • Authorization, changes to, and termination of information system access
  • Monitoring security controls
  • Management of access and roles
  • Maintenance and support of the security system and necessary back-up and offline storage
  • Incident response and responsible disclosure
  • Maintenance of restricted access to system configurations, super user functionality, master passwords, powerful utilities, and security devices (for example, firewalls)
  • Virus Detection and Prevention
  • System Development Life Cycle and Change Management Processes


Data, as defined by Superside, constitutes the following:

  • Customer files and assets.
  • All transactional data created during a relationship with Superside.
  • Logs and usage information

Superside projects are initiated by customers by either submitting a project through the Superside web application or by sending an email to their Superside project manager. Customer files and assets, if needed, are either submitted with the project or attached to incoming emails. While Superside is working on a project, they give asset and project access to the necessary parties (the customer’s project managers, designers and Superside admin users) to be able to deliver final adjusted assets. Iterations are uploaded to Superspace and made available to the customer for feedback. Once a project is completed, all involved Superside parties are instructed to delete the customer files from their local devices, but files remain available to customers and involved Superside personnel through Superspace, so they can be used later.

Superspace interactions can lead to transactional or usage data being stored in Superside’s relational database or data platform.

Change Management

Superside has a formalized change management process in place, which requires identification and recording of significant changes, assessment of risk and potential effect of such changes, approval of proposed changes and testing of changes to the customer facing instances. This is done through Superside’s Product Development process.

Proposed changes are classified, recorded and approved. Issues are tracked. All changes must be approved by at least one additional engineer before being merged; and Quality Assurance (QA) is done either in a separate staging environment or in production through the use of feature flags. QA is the responsibility of the Product Development team responsible for the feature being released. Superside also undergoes a yearly external third-party security penetration test to help identify any potential issues.

Firewalls and Perimeter Security

All Superside Application Load Balancer instances and VPCs are deployed in the AWS Cloud which provides firewall and perimeter security. Default configuration in all AWS Cloud platform instances is to restrict all traffic. Only the ports and protocols necessary to run the platform are enabled.

Firewall settings are reviewed periodically to assure that all settings continue to meet the platform requirements. Superside also runs a periodic penetration test on the production instances, which among other things, reports on any changes to perimeter security. AWS provides multiple redundant layers to the network and firewall and provides native intrusion and prevention services.

Data Transmission

Customers access Superspace through a web browser. TLS 1.2 or higher is required to access the system. Users authenticate access through username and password or through their corporate SSO identity provider.

Superside customers receive data through the Superside platform, electronic mail or third-party services that the customer has requested. Any sensitive data to be transmitted over public networks by Superside to a customer requires encryption or standard secure transmission method.

System Monitoring

The Superside Engineering team uses a variety of security utilities to identify and detect possible security threats and incidents. These utilities include, but are not limited to, firewall notifications, intrusion detection system (IDS) or intrusion prevention system (IPS) alerts, vulnerability assessment reports, and operating system event logs. These alerts and

notifications are reviewed daily by the Engineering team. Additionally, the Engineering team has developed and will review the following alerts as deemed necessary.

  • Failed object level access.
  • Daily IDS or IPS attacks.
  • Critical IDS or IPS alerts.
  • Devices not reporting in the past 24 hours.
  • Failed log-in detail.
  • Firewall configuration changes.
  • System shutdowns and restarts.

Security events requiring further investigation are tracked using a help desk ticket and monitored until resolved.

Superside is a revolutionary way for businesses to get good design done at scale.Trusted by 450+ ambitious companies, Superside makes design hassle-free for marketing and creative teams. By combining the top 1% of creative talent from around the world with purpose-built technology and the rigor of design ops, Superside helps ambitious brands grow faster. Since inception, Superside has been a fully remote company, with more than 700 team members working across 57 countries and 13 timezones.
© 2023 Superside. All rights reserved.