Security
The Sovrn Mission: Do more of what you love and less of what you don’t.
Publishers create the content that drives the web. They craft the stories that teach us, move us, and delight us. We support them. We advocate for them. We build tools they use to thrive. Here is how we strive to do that in a secure way.
Organizational Security
The Sovrn Security team is responsible for the implementation and management of our security program. Sovrn believes that all employees are responsible for security, and our technical staff should be part security engineer. Our Engineering teams receive technical security training, and all employees receive privacy training and security awareness training and testing. We also have a dedicated compliance team responsible for data privacy oversight and our industry certifications.
Protecting Publisher and Reader Data
Secure By Design
Sovrn believes that security isn’t an afterthought. It starts with threat modeling during early project stages, then continues with manual code reviews and automated scanning during development. Infrastructure, both in our hosted data centers and cloud providers, is built using industry best practices. Sovrn maintains Trustworthy Accountability Group (TAG) Platinum status.
Encryption
Data in Transit
Where possible, data in transit is encrypted using strong encryption protocols. We support modern Transport Layer Security (TLS) 1.2 or higher, AES and better cipher suites, whenever supported by publishers and readers.
Data at Rest
Data is encrypted while at rest using industry standard encryption algorithms, whether in Sovrn data centers or our cloud providers. Sovrn uses industry standard practices to manage encryption keys, which are designed to limit their access and protect them from wide disclosure.
Network Security and Server Hardening
Sovrn-maintained servers are built from a standardized image and are patched as needed if a high risk vulnerability is identified.
Endpoint Security
Sovrn employee workstations utilize full disk encryption and firmware passwords. They are monitored for malware and patched regularly.
Access Control
Sovrn uses a least privilege concept for employee access, which is designed to only provide employees with the access they need for their job. Each addition of access is tracked through our ticketing system, and access is reviewed as organizational changes are made.
Authentication
Sovrn uses multi-factor authentication for access to systems processing publisher and reader data, including our production environments. Where possible and appropriate, Sovrn uses private keys for authentication in addition to multi-factor authentication and enforces a password policy that is compliant with NIST password requirements.
System Monitoring and Logging
Sovrn monitors servers and workstations for a comprehensive view of its production and corporate infrastructure. Privileged access to servers is logged.
Disaster Recovery and Business Continuity
The Sovrn network is distributed among several 3rd-party hosted data centers and cloud providers to build in redundancy and fault tolerance.
External Validation
Sovrn systems are subject to penetration testing where vulnerabilities identified are brought to the resolving team for remediation.
Conclusion
Both our publishers and their readers should expect that Sovrn is dedicated to a security program designed to protect their data and reduce fraud. From ad traffic monitoring to password management, the cybersecurity landscape is constantly evolving, and Sovrn’s goal is to evolve to adapt.
For more information, contact security@sovrn.com.