Security Policy

Show, a product of Animaker, is committed to offering the highest standards of security to its customers. Protecting customer data is our utmost priority, and we maintain world-class security standards to do so. Show has employed stringent organizational and technical measures to protect customer data from unauthorized access, usage and misuse.

ISO 27001:2013 Certification

EU-US Privacy Shield

General Data Protection Regulation (GDPR)

California Consumer Privacy Act (CCPA)

Audit and certification:

Show works with independent third-party firms to conform to security practices that consistently meet industry best standards. We are an ISO 27001:2013 certified company. Show is willing to share the ISO certification upon reasonable request by clients.

Show uses the payment processing platform Braintree. For more information on Braintree’s security practices, please see https://www.braintreepayments.com/features/data-security

Privacy Framework

Show makes sure its processes and procedures are compliant with the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). For more details, please see our Privacy Policy.

Vulnerability Testing:

Show follows a structured code development and release process. As part of this process, all code is peer reviewed. Show makes purpose-built code analysis tools available for engineers to deploy against application code. Show also performs continuous post-production tests based on real-time threats. Show conducts rigorous, continuous internal testing of its application surface through various types of penetration test exercises. In addition, Show coordinates external third-party penetration testing using qualified and certified penetration testers.

Regular penetration testing and security scans:

The Show backend is regularly scanned with industry-standard scanning tools to monitor for and detect vulnerabilities. In addition, once a year, we perform a thorough and detailed penetration test using third-party penetration testing companies.

Security Training for Show Team

All members of our team go through security awareness training on a regular basis.

Data Encryption:

Data in transit and at rest is encrypted. We use AWS KMS (Key Management Service) for all our keys. The data connection to our application is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_128_GCM). We use an SSL certificate signed by GoDaddy. All symmetric key encryption commands used within the HSA use the Advanced Encryption Standard (AES) in Galois Counter Mode (GCM) with 256-bit keys. The analogous calls to decrypt use the inverse function. Amazon EC2 EBS volumes are encrypted using AES-256-XTS. This requires two 256-bit volume keys, which is like a 512-bit volume key. The volume key is encrypted under a Customer Master Key and stored along with volume metadata.

Training / Awareness:

Show has a formal and documented security awareness training program, delivered during the on-boarding process and in further training that happens once every six months.

Incident Response and Reporting System:

Show has a documented and formal incident response plan. Show performs annual testing of its emergency response processes. Our employees are trained in how to communicate incidents internally, and our customers are kept informed of incidents that affect their service via e-mail. Show has a well-defined and rigorous incident management process for security events. If an incident involves customer data, Show will inform the customer and support investigative efforts via our support team within 72 hours. After a security event is fixed, we record a detailed root-cause analysis. This is then assimilated by Show so that we can detect any such actions in the future. Show can support properly formed requests for specific tenant data when requested by law enforcement. Individual customers are notified should an incident impact their data.

Build Process Automation:

Show has an established automation process that enables us to seamlessly deploy changes to the Show application and platform. This enables us to address security issues as soon as possible.

Show Infrastructure:

Show operates on Amazon Web Services (“AWS”). All our scoped data and systems are hosted on AWS, so AWS infrastructure and its network security are taken care of by AWS, as detailed in the AWS SOC2 report. In addition, Show's cloud security team periodically monitors and reviews the scoped environment's network configuration and security.

Show services and data are hosted on Amazon Web Services (AWS) (us-west-2 and us-east-1). Show customer data is stored in multi-tenant datastores. We exercise stringent privacy controls to make sure that one customer's data is secluded from other customer data. Show has integration tests in place to check our privacy controls. These tests are run every time our codebase is updated, and even a single failing test will prevent new code from being shipped to production. Each Show system used to process customer data is adequately configured and patched using commercially reasonable methods according to industry-recognized system-hardening standards and security practice.

Transfer of Data:

Show data is encrypted in transit using 256-bit encryption. Our API and application endpoints are TLS/SSL only and score an "A+" rating on SSL Labs' tests. Show uses strong cipher suites and has features such as HSTS and Perfect Forward Secrecy fully enabled. Show also encrypts data at rest using the industry-standard AES-256 encryption algorithm.

Authentication:

Show believes in the Zero Trust network security model, based on a strict identity verification process. The framework dictates that only authenticated and authorized users and devices can access applications and data. At the same time, it protects those applications and users from advanced threats on the internet. Show has a Zero Trust security model in place. Being on the Show network grants no additional privileges or access to corporate resources. Show has established two-factor authentication (2FA) and strong password policies on GitHub, Google, AWS, and Intercom to ensure access to cloud services is protected.

Permissions and Admin Controls:

Show enables permission levels to be set for any employee with access to Show Scoped Systems. Permissions and access can be set to include app settings, billing, and user data.

Monitored Application:

Show makes sure that every action on the Show network is logged and audited. Production control activities are logged as well.