Legal

Security at Supaship

We implement industry-leading security practices to protect your data and ensure the highest levels of security for our feature flag platform.

Last Updated: March 12, 2026

1. Security Overview

Security is at the core of everything we do at Supaship. We understand that you trust us with your most sensitive data, and we take that responsibility seriously.

Our security program is built on industry best practices and is continuously evolving to address emerging threats. We employ a defense-in-depth approach with multiple layers of security controls.

Our Security Commitment

  • Regular security audits and penetration testing
  • Industry-standard certifications and compliance
  • Responsible disclosure program open to all researchers

2. Infrastructure Security

Our infrastructure is built on secure, enterprise-grade cloud platforms with multiple layers of protection:

Cloud Security

  • Enterprise-grade cloud infrastructure
  • Multi-region deployment for redundancy
  • Automated security patching and updates
  • Network segmentation and isolation

Network Security

  • DDoS protection and mitigation
  • Web Application Firewall (WAF)
  • Intrusion Detection and Prevention
  • Real-time threat monitoring

Data Centers

  • Tier 4 data centers
  • Physical security controls and monitoring
  • Environmental controls and redundancy
  • 24/7 security operations

Backup & Recovery

  • Automated daily backups with encryption
  • Point-in-time recovery capabilities
  • Cross-region backup replication
  • Regular disaster recovery testing

3. Data Protection

We implement comprehensive data protection measures to ensure your data remains secure at all times:

Encryption

  • In Transit: TLS 1.3 for all data transmission
  • At Rest: AES-256 encryption for all stored data
  • Key Management: Hardware Security Modules (HSM) for key storage
  • Database: Transparent Data Encryption (TDE)

Access Controls

  • Authentication: Multi-factor authentication (MFA) supported
  • Authorization: Role-based access control (RBAC)
  • Session Management: Secure session handling with timeouts
  • Privileged Access: Just-in-time access for administrative functions

Data Classification

  • Public: Marketing materials and public documentation
  • Internal: Internal communications and processes
  • Confidential: Customer data and business information
  • Restricted: Sensitive data with strict access controls

4. Application Security

Our application security program ensures that our platform is secure by design:

Secure Development

  • Security-first development practices
  • Code reviews with security focus
  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)

API Security

  • API key and JWT-based authentication
  • Rate limiting and throttling per key
  • Input validation and sanitization
  • SDK-level request signing

Vulnerability Management

  • Regular vulnerability assessments
  • Automated dependency scanning
  • Patch management process
  • Security advisory notifications

Security Testing

  • Penetration testing (quarterly)
  • Security code reviews
  • Automated security scanning
  • Responsible disclosure program

5. Compliance & Certifications

We maintain various security certifications and comply with industry standards to demonstrate our commitment to security:

SOC 2 Type II

Service Organization Control 2 certification demonstrating our security, availability, and confidentiality controls.

Planned

ISO 27001

International standard for information security management systems.

Planned

GDPR Compliance

Full compliance with the General Data Protection Regulation for EU data subjects. Learn more →

Compliant

CCPA Compliance

California Consumer Privacy Act compliance for California residents.

Compliant

6. Security Monitoring & Incident Response

We maintain comprehensive security monitoring and have established incident response procedures:

6.1 Continuous Monitoring

  • SIEM: Security Information and Event Management system
  • Log Analysis: Centralized logging and analysis
  • Threat Intelligence: Real-time threat feeds and analysis
  • Anomaly Detection: Machine learning-based anomaly detection

6.2 Incident Response

Our Incident Response Process

  1. Detection: Automated and manual threat detection
  2. Analysis: Rapid assessment and classification
  3. Containment: Immediate containment measures
  4. Eradication: Root cause analysis and remediation
  5. Recovery: System restoration and validation
  6. Lessons Learned: Post-incident review and improvements

6.3 Security Team

Our security team includes certified professionals with expertise in:

  • Cloud security and architecture
  • Application security and penetration testing
  • Incident response and forensics
  • Compliance and risk management

7. Security Resources

We provide various security resources to help you understand our security practices:

Documentation

  • Security whitepaper
  • Compliance documentation
  • Security best practices guide
  • API security documentation

Security Programs

  • Responsible disclosure policy
  • Security advisory notifications
  • Security training for customers
  • Dedicated security contact

Enterprise Security Reviews

For enterprise customers, we provide comprehensive security questionnaires (SIG, CAIQ) and custom security assessments.

Request security documentation →

Security contact

For security-related inquiries, vulnerability reports, or documentation requests. We respond within 24 hours.

[email protected]