The Sovrn Mission: Do more of what you love and less of what you don’t.
Publishers create the content that drives the web. They craft the stories that teach us, move us, and delight us. We support them. We advocate for them. We build tools they use to thrive. Here is how we do that in a secure way.

Organizational Security

The Sovrn Security team is responsible for the implementation and management of our security program. Sovrn believes that all employees are responsible for security, and everyone should be part security engineer. Developers and DevOps employees receive technical security training, and all employees receive privacy training and security awareness training and testing. A Compliance Manager is responsible for our GDPR compliance and industry certifications.

Protecting Publisher and Reader Data

Secure By Design
Sovrn believes that security isn’t an afterthought. It starts with threat modeling during early project stages, then continues with manual code reviews and automated scanning during development. Infrastructure, both in our hosted data centers and cloud providers, is built using industry best practices. Sovrn has achieved Trustworthy Accountability Group (TAG) Platinum status.

Encryption

Data in Transit
Personally Identifiable Information in transit is encrypted using strong encryption protocols. We support modern Transport Layer Security (TLS), version 1.2 or higher, with AES and better cipher suites, whenever supported by publishers and readers.

Data at Rest
Personally Identifiable Information is encrypted while at rest using strong encryption algorithms, whether in Sovrn data centers or our cloud providers. Sovrn uses best practices to manage encryption keys, limiting their access and protecting them from wide disclosure.

Network Security and Server Hardening

Sovrn-maintained servers are built from a standardized image and are patched as needed if a high-risk vulnerability is identified.

Endpoint Security

Sovrn employee workstations utilize full disk encryption and firmware passwords. They are monitored for malware and patched regularly.

Access Control

Sovrn uses a least privilege concept for employee access, where each person only has the access they need for their job. Each addition of access is tracked through our ticketing system, and access is reviewed as organizational changes are made.

Authentication

Sovrn uses multi-factor authentication for access to systems with highly classified data, including our production environments. Where possible and appropriate, Sovrn uses private keys for authentication in addition to multi-factor authentication. Sovrn employees use a password manager to manage long, complex passwords and passphrases. Our password policy is compliant with NIST password requirements.

System Monitoring and Logging

Sovrn monitors servers and workstations for a comprehensive view of its production and corporate infrastructure. Privileged access to servers is logged.

Disaster Recovery and Business Continuity

The Sovrn network is distributed among several 3rd-party hosted data centers and cloud providers to build in redundancy and fault tolerance.

External Validation

Sovrn systems are subject to ad hoc penetration testing. Any vulnerabilities identified are brought to the resolving team for remediation.

Conclusion

Both our publishers and their readers should expect that Sovrn is protecting their data and doing our best to reduce fraud. From ad traffic monitoring to password management, the cybersecurity landscape is constantly evolving, and Sovrn will evolve to adapt to it.

For more information, contact security@sovrn.com.