Security and Compliance represent key aspects of any product your team uses. Superthread is committed to securing access to your data, eliminating systems vulnerabilities and ensuring continuity of access.
Last updated: May 2024
Superthread uses an array of industry-technologies and services to protect your data against unauthorised access, disclosure, use, and loss.
All Superthread Administrators are routinely trained on security practices both during company onboarding and on a quarterly basis.
Security at Superthread is directed by Superthread’s CTO and maintained by Superthread’s internal Infrastructure Engineering team.
Superthread is designed to comply with all requirements stated by the GDPR and the CCPA.
Superthread IO Ltd. is a UK registered company and is registered with the UK Information Commissioner's Office.
Where possible Superthread makes tools available to our customers to allow them to meet their obligations to such legislation inside the platform.
Superthread uses Stripe to handle payment and card information, which has been audited by an independent PCI Qualified Security Assessor and is certified as a PCI Level 1 Service Provider. This represents the most stringent level of certification available in the payments industry.
Superthread does not receive credit card data, making it compliant with Payment Card Industry Data Security Standards (PCI DSS) in most cases.
Superthread itself is not designed for the storage of PCI protected data and customers should ensure that they do not use the system in such a way that requires the storage of credit card information.
Superthread maintains a public Vulnerability Disclosure Program (VDP) at: https://superthread.com/terms/vulnerability-disclosure-policy
We take vulnerability disclosures extremely seriously. Once disclosures are received, we rapidly verify each vulnerability contained within the report before taking the necessary steps to contain and remediate the issue.
Once verified, we will periodically send status updates as the problems are fixed and will endeavour to work with the reporter to coordinate public disclosure should they so wish.
Superthread has a well documented response process for the detection and resolution of Security Incidents.
The Superthread Platform is hosted exclusively on Amazon Web Services (AWS) and operated under the Shared Responsibility Model.
AWS maintains both ISO 27001 certificates and SOC 2/3 reports which can be found here.
Data centres used by AWS include extensive security measures built around a layered security model. These safeguards include:
More information about the physical security of these data centres can be found here.
Superthread employees do not have physical access to any AWS data centres, servers, networking equipment or storage media.
Superthread is the assigned administrator of its infrastructure on Amazon Web Services and only a small number of authorised Superthread employees have access to configure this infrastructure. Where infrastructure configuration is done, it is on an as-needed basis and requires two factor authentication.
Direct access to servers (such as SSH) is only done on an as-needed basis and uses detailed audit logging. SSH connections are protected using two-factor authentication and regularly rotated certificates.
Administrators connections to production servers are made over a private network.
Administration rights (including SSH, Database Access and Infrastructure Configuration) are tightly controlled and restricted to a very small number of our team.
Every part of the Superthread platform uses automatically provisioned, redundant servers to protect against failure.
Servers are regularly taken in and out of operation throughout the day as part of our routine operation without affecting availability.
Superthread keeps regular daily and weekly backups of data in multiple geographic locations on Amazon Web Services.
All backups are stored in an encrypted form.
In the case of platform-wide production data loss we are able to restore data from these backups.
We regularly test our ability to restore our infrastructure from the backups we maintain.
We routinely verify the integrity of the backups that we hold.
Superthread primarily serves traffic from a single geographic region spread across multiple availability zones.
In the unlikely event of a prolonged regional outage we maintain a documented procedure for provisioning our deployment environment in a separate region.
Superthread has an extensively documented Incident Response process that includes documented procedures for Business Continuity and Disaster Recovery.
All customer data is sent to Superthread via HTTPS using TLS 1.2 or above.
All Superthread systems are configured to reject connections using TLS version below 1.2 or those using potentially insecure cipher suites.
Superthread operates a zero-trust network meaning that all network traffic, even within our own network perimeter, is encrypted.
All requests into the system are logged and monitored using a combination of rule and anomaly-based systems.
Superthread allows customer's to access the data stored in Superthread through several methods including:
Our Web Application hosted at: https://app.superthread.com
Our developer REST API hosted at: https://api.superthread.com
All of the methods we provide to our customers for accessing their data ensure encryption in transit using TLS 1.2 or above.
Superthread provides users with the ability to log in using single use passwords that are sent to the user's verified email address.
Single use passwords are valid for 10 minutes after they are issued and have several automated defences against brute force attacks.
Superthread allows users to login using their Google or GSuite for Business account.
Customers on our Enterprise plans are able to enable SAML-based authentication.
Workspaces are optionally able to force all of their users to authenticate using SAML 2.0 to align with their own authentication requirements.
Superthread provides a REST-ful API that allows our customers to access their data through integrations with other platforms.
API keys have been designed to be resistant to brute force attacks.
Customers are able to issue, modify, and revoke API tokens through their Workspace Settings page.
Superthread uses a Continuous Integration and Continuous Deployment model which means all of our code changes are committed to a Source Code Repository, reviewed, tested, and shipped to our customers in a rapid sequence.
On a typical workday we will deploy between one and twenty versions of Superthread to our customers.
Our rapid iteration development model significantly improves our response time to bugs, vulnerabilities, and security incidents.
Superthread does not provide release notes to our customers for every version of the application that we deploy.
Superthread believes that good security applies equally to our team as to our platform.
All Superthread employee endpoints use Full Disk Encryption, Screen Lock, Remote Wipe, Find My Device, strong passwords, and biometric authentication.
All team passwords are stored securely in 1Password and 2FA is enabled where possible.
Superthread uses a documented Risk Assessment and Treatment process.
Superthread uses a combination of Asset and Scenario based Risk Assessments.
All deployments of Superthread go through peer review, automated testing, and an automated deployment process that updates the production environment.
Superthread performs a risk management and treatment of all systems and applications on a regular basis.
Superthread places the Availability and Confidentiality of our platform at the top of our priorities.
Superthread maintains a comprehensive Incident Response Process that includes designated Disaster Recovery and Customer Communication plans.
We test all of our Incident Response Processes quarterly and throughly review our test results for gaps.
We update our Incident Response Process at least annually.
Superthread maintains a comprehensive set of documented Security Policies in our company wiki.
Our policies are designed in accordance with ISO 27001 and are updated on an ongoing basis and annually for gaps.
Customers on our Enterprise plan with special compliance requirements can request access to a more detailed overview of these policies from their Account Manager.
Superthread maintains a comprehensive internal Security Training program for our team.
All Superthread employees receive security training upon joining the team and quarterly thereafter.
Members of Superthread engineering team receive regular additional training that covers secure development practices, such as the OWASP Top Ten, in addition to our internal policies.
Superthread follows a CERN (Contain, Eradicate, Recover, and Notify) security incident response process.
Where a Security incident affects the Confidentiality of customer data Superthread will contact the registered Administrators of the Workspace.