SuperControl Security Information

User Security
We offer forms-based authentication over secure (HTTPS) connection.  Each user in our service has a unique user name. All account login attempts are logged. Our application verifies passwords complexity to prevent from using simple and easy to guess password.  After certain numbers of failure login attempts account is locked.  User accounts are locked after a period of inactivity.

Data Security
At SuperControl, we take the security and integrity of your data very seriously.
Sensitive user data, such as account passwords, are stored in encrypted form.
Credit card data is never transmitted, processed and stored on our servers. We use PCI DSS compliant external tokenization service.
When we send the data over the network, we use TLS 1.2 or above to keep the data encrypted and prevent from reading the data by unauthorized parties.

Application security
Our application is protected by cloud-based Web Application Firewall that prevents from hacking attacks and notifies us about such attacks. As an additional security measure we use CAPTCHA to prevents from bot attacks, and anti-CSRF tokens to prevent from execution malicious cross-site web requests. We also check our application for vulnerabilities by performing vulnerability scans and penetration tests.

Systems security
We use hardening lists and “best practices” to make our systems  secure and stable.
Event logs are monitored for errors and unwanted incidents. This allows us for quick reaction in case of system malfunction or suspicious activity. Key system and application files are protected by file integrity monitoring software to detect potentially unwanted or unreported changes.

Network Security
Our infrastructure is protected by firewall systems. Only authorized staff has direct access to production machines and all access to production systems is via secure channels. We constantly monitor our internal network for suspicious traffic. We also perform periodical internal network scans to detect potential changes in hosts and services.

Physical Security
We have redundant hardware and services have quick failover points.
Our services are hosted on dedicated servers in accordance with industry best practices in secure data centres. The data centres provide 24-hour physical security.

Vulnerability Management
Security patches are applied to operating systems, applications, and network infrastructure to mitigate exposure to vulnerabilities. All internal systems are monitored for stability, performance and errors. This allow us for quick response in case of incidents.

Availability
We use redundant servers and network devices to make sure our services are available 24/7.
External IPS/WAF service protect our websites from most attacks.

Software Development Practices
We deploy code dozens of times during the month. This gives us the ability to react quickly if a bug or vulnerability is discovered.
Our developers are trained in the OWASP Top 10 and “best practices”.
Each change is tested in a separate test environment before it is implemented on a production.