Security

As a modern, forward-looking business, SuperScale s.r.o. recognises at senior level the need to ensure that its business operates smoothly and without interruption for the benefit of its employees, customers, shareholders and other stakeholders.

Senior management recognizes the importance of information security to protect information and business assets and in order to provide such a level of continuous operation, SuperScale s.r.o. has developed an Information Security Management System (ISMS) in line with international standard ISO/IEC 27001 and independent cybersecurity reputation risk management solution provided by CyberGRX.

The operation of this ISMS has many benefits for the business, including:

• Protection of revenue streams and company profitability
• Ensuring the supply of goods and services to customers
• Maintenance and enhancement of shareholder value
• Compliance with legal and regulatory requirements
• Reducing risks to acceptable level and effective process integration

Following the ISO 27001 standard and risk management check by CyberGRX, here are the security basics we follow to improve the trust our clients can have in our products but also the security feelings of our employees and suppliers.

To ensure adequate business continuity of our services, we rely on well-tested and well-proven cloud security providers such as Google Cloud Platform or Digital Ocean. In addition to assured resiliency by cloud service providers, we perform server image backups to ensure we will not loose data necessary to provider our services.

All communications channels with our servers and services are encrypted using TLS with configuration best practices, we make sure data in transit are encrypted and up to date secure encryption methods are used.

Data reside in MongoDB databases; documents reside in Google Workspace with adequate backup frequency to ensure we will not loose data necessary to provide our services.

For secure authentication we utilize integration with Google SSO SAML and enforce 2FA authentication where it is technically possible. We never store password and authentication information in clear text. Access to information and files is strictly setup as per our control access principles of role-based access control, principle of least privilege and need to know. Every 3 months we review accesses and permissions to ensure only authorized people have an adequate level of access. Employees use password management system to enforce strong and complex password policy.

All our developers are made aware of best practices and minimum-security requirements in secure development, code we write is double checked and analysed for known vulnerabilities. Various functionality and security tests are run before each new code deployment. Every year we engage external subject matter experts to perform their independent penetration testing of our application.

All our computers and work mobile devices have drives encrypted, and run with up-to-date NextGen Antivirus solution including enhanced functionality such as MDM, HIPS and EDR. Mobile devices are authorized and under our visibility by Google Endpoint management tool.

We engaged external subject matter experts to provide us with SOC services, advanced monitoring including SIEM services, periodic vulnerability scanning of our infrastructure and threat intelligence reporting to ensure security posture is up-to-date in today’s ever-changing world where new vulnerabilities and threats are discovered every week.

Commitment to the delivery of information security extends to senior levels of the organization and is demonstrated through the information security policy and strategy, and the provision of appropriate resources to continuously improve the ISMS program.

We encourage all employees and other stakeholders in our business to ensure that they play their part in delivering our information security objectives. It is responsibility of every employee to follow principles of ISMS policies and security awareness trainings to ensure information and processes are protected in respect of desired level of confidentiality, availability and integrity.

Company established security steering committee board that participate on periodic management review meetings to oversee the execution and effectiveness of ISMS program, asset owners responsible for the protection of the assets under their administration and the information security officer (CISO).

Main goals for next period is to continuously monitor the risks to reduce any identified ones to an acceptable level and to enhance our established and executed ISMS program to new ISO27001:2022 version when it is officially released.

Yours sincerely,

Management board