At SuperOps, we know that our customers rely on us to run their business processes and keep their data secure. Therefore, we take our responsibilities to our customers seriously — the security and reliability of the software, systems, and data that make up our application are our top priority.
We’ve put our commitment to information security in writing, following rigorous data-handling practices and policies across the board and ensuring that sensitive data is handled responsibly at all times, backed by SOC 2 Type 2 and HIPAA compliance.
We are hosted on Amazon Web Services (AWS) cloud. AWS is designed and managed in alignment with best security practices and a variety of IT security standards. The following is a partial list of assurance programs with which AWS complies:
Our application is hosted in a dedicated Virtual Private Cloud (VPC) in AWS for increased security. The application and data are placed in private subnets, and only HTTPS traffic is allowed to reach the application. Virtual firewalls restrict access between resources to pre-established flows only. Data at rest is protected with AES-256 encryption, and data in transit with HTTPS. Malware and spam protection is applied using the latest threat signatures and supports real-time scanning.
Access to the application in production is restricted to a very limited set of our employees according to their job roles. Role-based access through IAM enforces segregation of duties, two-factor authentication, and end-to-end audit trails, ensuring that access to the application matches each person's job role. Servers can only be accessed through the AWS management console.
Our application is architected with resiliency in mind, ensuring high availability of both the application and its data.
Redundancy is built into every part of our application. The application is hosted across multiple data centers and actively serves traffic through load balancing, so it remains available even if one data center suffers a disruption. Data is synchronously replicated across multiple data centers, providing seamless DR capability. A data backup is also taken every day and retained for seven days. Automated on-demand capacity expansion based on traffic keeps application performance high at all times.
In a cloud application, security is a shared responsibility. We highly recommend you use the following controls to secure your account and data.
You can enforce strong authentication mechanisms using our SAML settings or tune the password rules from the admin console.
You can enforce two-factor authentication for your users to secure your account.
To limit access according to the principle of least privilege and prevent conflicts of interest, you can enforce differential access based on each user's responsibilities.
You can establish processes to grant your users appropriate access and to remove access that is no longer valid. You can also set appropriate expiry times for inactive user sessions.
You can restrict access to the application from unknown IP addresses by whitelisting your IP addresses.
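The customer-side controls above (IP whitelisting, two-factor authentication, and idle-session expiry) are configured in the admin console; the following is an added illustration, not SuperOps code, of how such a policy is typically evaluated on each request so the checks can be reasoned about and tested. The allowlisted networks, the 30-minute idle timeout, and the session fields are constructed, hypothetical values.

```python
import ipaddress

# Constructed example policy (hypothetical values, not a real tenant's settings):
# office and VPN egress ranges in CIDR form, IPv4 and IPv6 both supported.
ALLOWED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("203.0.113.0/24", "198.51.100.7/32", "2001:db8::/48")
]
SESSION_IDLE_TIMEOUT_SECONDS = 30 * 60  # assumed 30-minute inactivity limit


def ip_allowed(client_ip, networks=ALLOWED_NETWORKS):
    """True only if client_ip parses and falls inside an allowlisted network.

    client_ip must come from the transport connection (or a proxy header that
    an upstream trusted load balancer is known to overwrite); a value taken
    straight from a client-controlled header can be forged.
    """
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except (ValueError, AttributeError):
        return False  # unparsable input is denied rather than ignored
    return any(addr in net for net in networks)


def session_expired(last_activity_ts, now_ts, idle_timeout=SESSION_IDLE_TIMEOUT_SECONDS):
    """True when the gap since the last request exceeds the idle timeout."""
    return (now_ts - last_activity_ts) > idle_timeout


def authorize_request(client_ip, session, now_ts):
    """Evaluate the controls in order and return (allowed, reason).

    `session` is a dict with 'last_activity' (epoch seconds) and 'mfa_verified'.
    Checks are ordered cheapest and most decisive first; every denial carries a
    reason so it can be logged and alerted on.
    """
    if not ip_allowed(client_ip):
        return False, "ip_not_allowlisted"
    if not session.get("mfa_verified", False):
        return False, "mfa_required"
    if session_expired(session["last_activity"], now_ts):
        return False, "session_idle_expired"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    print(authorize_request("203.0.113.45", {"last_activity": now - 600, "mfa_verified": True}, now))
    print(authorize_request("10.0.0.1", {"last_activity": now - 600, "mfa_verified": True}, now))
```

The deny reasons are the useful part from a detection standpoint: a burst of `ip_not_allowlisted` denials for a single account, or `mfa_required` denials following a password reset, is exactly the signal a defender wants surfaced in audit logs rather than silently dropped.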
Information security and data privacy requirements are baked into every release cycle. They form an integral part of the blueprint considerations of the product.
Our product roadmap is defined and reviewed periodically by the Product Manager. Security fixes are prioritized and bundled in the earliest possible sprint.
All changes are tested, and criteria are established for performing code reviews, web vulnerability assessments, and advanced security tests.
Builds are produced in a controlled pipeline. Each build is put through stringent functionality, performance, stability, and UX tests before it is certified "production-ready".
Source code is managed centrally under version control, with access restricted to the teams assigned to specific sprints. Records are maintained for all code changes, check-ins, and check-outs.
We communicate the requirements for responsible handling of data, including any personal information, to all our employees as part of their employee onboarding process.
Further, changes to any of these requirements are communicated as and when they are rolled out. We also conduct an annual refresher training for all our employees.
All employees sign a data confidentiality agreement when they join SuperOps. This covers all information, including any client information, that they become aware of.
Confidentiality agreements are also signed with all our vendors or sub-processors along with appropriate services contracts with them.
Our code of conduct is a set of common rules and standards of ethics that every employee is required to follow in letter and spirit. These are the basic guiding principles of appropriate conduct that bind every person in our company.
It sets out our values, responsibilities, and ethical obligations. It is intended to guide our employees in handling difficult ethical situations related to the business and to do the right thing.
We take our work culture, and any deviation from it, seriously, so employees are encouraged to speak up about any violations.