Security
Information Security Policy
How SuperScale protects its information assets and ensures continuity of service for clients, employees, and partners.
Future at SuperScale is secured
As a modern, forward-looking business, SuperScale s.r.o. recognises at senior level the need to ensure that its business operates smoothly and without interruption for the benefit of its employees, customers, shareholders and other stakeholders.
Senior management recognizes the importance of information security to protect information and business assets. In order to provide such a level of continuous operation, SuperScale s.r.o. has developed an Information Security Management System (ISMS) in line with international standard ISO/IEC 27001 and an independent cybersecurity reputation risk management solution provided by CyberGRX.
The operation of this ISMS has many benefits for the business, including:
- Protection of revenue streams and company profitability
- Ensuring the supply of goods and services to customers
- Maintenance and enhancement of shareholder value
- Compliance with legal and regulatory requirements
- Reducing risks to acceptable levels and effective process integration
You can check our ISO 27001 certification here.
Security basics we follow
Following the ISO 27001 standard and risk management check by CyberGRX, here are the security basics we follow to improve the trust our clients can have in our products but also the security feelings of our employees and suppliers.
Cloud infrastructure & backups
To ensure adequate business continuity of our services, we rely on well-tested and well-proven cloud security providers such as Google Cloud Platform and Digital Ocean. In addition to assured resiliency by cloud service providers, we perform server image backups to ensure we will not lose data necessary to provide our services.
Encryption in transit and at rest
All communication channels with our servers and services are encrypted using TLS with configuration best practices. We make sure data in transit is encrypted and that up-to-date secure encryption methods are used.
Data resides in MongoDB databases; documents reside in Google Workspace with adequate backup frequency to ensure we will not lose data necessary to provide our services.
Authentication & access control
For secure authentication we utilize integration with Google SSO SAML and enforce 2FA authentication where it is technically possible. We never store password and authentication information in clear text. Access to information and files is strictly set up as per our control access principles of role-based access control, principle of least privilege and need-to-know.
Every 3 months we review accesses and permissions to ensure only authorized people have an adequate level of access. Employees use a password management system to enforce strong and complex password policy.
Secure development
All our developers are made aware of best practices and minimum-security requirements in secure development. Code we write is double-checked and analysed for known vulnerabilities. Various functionality and security tests are run before each new code deployment. Every year we engage external subject-matter experts to perform their independent penetration testing of our application.
Endpoint security
All our computers and work mobile devices have drives encrypted, and run with up-to-date NextGen Antivirus solution including enhanced functionality such as MDM, HIPS and EDR. Mobile devices are authorized and under our visibility by Google Endpoint management tool.
Monitoring & threat intelligence
We engaged external subject-matter experts to provide us with SOC services, advanced monitoring including SIEM services, periodic vulnerability scanning of our infrastructure and threat intelligence reporting to ensure our security posture is up-to-date in today's ever-changing world where new vulnerabilities and threats are discovered every week.
Governance and ownership
Commitment to the delivery of information security extends to senior levels of the organization and is demonstrated through the information security policy and strategy, and the provision of appropriate resources to continuously improve the ISMS program.
We encourage all employees and other stakeholders in our business to ensure that they play their part in delivering our information security objectives. It is the responsibility of every employee to follow principles of ISMS policies and security awareness trainings to ensure information and processes are protected in respect of desired level of confidentiality, availability and integrity.
The company established a security steering committee board that participates in periodic management review meetings to oversee the execution and effectiveness of the ISMS program — asset owners responsible for the protection of the assets under their administration and the information security officer (CISO).
What's next
Main goals for the next period are to continuously monitor the risks to reduce any identified ones to an acceptable level, and to enhance our established and executed ISMS program to the new ISO 27001:2022 version when it is officially released.
Yours sincerely,
Management board