At SuperOps.ai, we know that our customers rely on us to run their business processes and keep their data secure. Therefore, we take our responsibilities to our customers seriously — the security and reliability of the software, systems, and data that make up our application are our top priority.
We’ve put our commitment to information security on paper following rigorous practices and policies of data handling across the board and ensuring that any sensitive data is handled responsibly at all times, with SOC II Type 2 and HIPAA compliance.
We are hosted on Amazon Web Services (AWS) cloud. AWS is designed and managed in alignment with best security practices and a variety of IT security standards. The following is a partial list of assurance programs with which AWS complies:
Our application is hosted in a dedicated Virtual Private Cloud (VPC) in AWS for increased security. The application and data are secured in private subnets, and only secure HTTPS traffic is allowed to the application. Virtual firewalls are used to harden the access to let only pre-established transactions across the resources. AES 256 bit encryption is used to secure the data at rest, and HTTPS is used for data in transit. Malware and Spam protection is applied based on the latest threat signatures, and it supports real-time scanning and security.
Access to the application in the production is restricted to a very limited set of our employees based on the job roles. Role-based access through IAM that enforces segregation of duties, two-factor authentication, and end-to-end audit trails ensures that the access to the application is in accordance with the job roles. Servers can only be accessed through the AWS management console.
Our application is architected with resiliency in mind that ensures the high availability of the application and data.
Redundancy is built in every part of our application. The application is hosted across multiple data centers and actively serves the application traffic through load balancing. It ensures the high availability of the application even if one of the data centers has disruptions. Data is also synchronously replicated across multiple data centers, thereby providing seamless DR capability. Data backup is also taken every day and retained for the last seven days. Automated on-demand capacity expansion capabilities based on traffic ensure high performance of the application at all times.
In a cloud application, security is a shared responsibility. We highly recommend you use the following controls to secure your account and data.
You can enforce strong authentication mechanisms using our SAML settings or tune-up the password rules from the admin console.
You can enforce two-factor authentication for your users to secure your account.
To limit access based on the principle of least privileged access and prevent conflict of interest, you can enforce differential access based on the users' responsibilities.
You can establish processes to provide appropriate access to your users and remove accesses that are no longer valid. You can also set appropriate expiry times for inactive user sessions.
You can restrict access to the application from unknown IP addresses by whitelisting your IP addresses.
Information security and data privacy requirements are baked into every release cycle. They form an integral part of the blueprint considerations of the product.
Our product roadmap is defined and reviewed periodically by the Product Manager. Security fixes are prioritized and bundled in the earliest possible sprint.
All changes are tested, and criteria are established for performing code reviews, web vulnerability assessments, and advanced security tests.
Builds are securely built. Each build is put through stringent functionality tests, performance tests, stability tests, and UX tests before they are certified "production-ready".
Source code is managed centrally with version controls and access restricted based on various teams that are assigned to specific sprints. Records are maintained for code changes and code check-ins and check-outs.
We communicate the requirements for responsible handling of data, including any personal information, to all our employees as part of their employee onboarding process.
Further, changes to any of these requirements are communicated as and when they are rolled out. We also conduct an annual refresher training for all our employees.
All employees sign an agreement of data confidentiality when they join SuperOps.ai. Data includes all information, including any client information that they become aware of.
Confidentiality agreements are also signed with all our vendors or sub-processors along with appropriate services contracts with them.
Our code of conduct is a set of common rules and standards of ethics that every employee is required to follow in letter and spirit. These are the basic guiding principles of appropriate conduct that bind every person in our company.
It sets out our values, responsibilities, and ethical obligations. It is intended to guide our employees in handling difficult ethical situations related to the business and to do the right thing.
We take our work culture and any deviation from it seriously. So employees are encouraged to speak up about any violations.