At SyncSketch, content security is as important as seamless visual communication. We want you to collaborate freely with your colleagues and feel safe while you do so. We also value transparency, and know that information security thrives this way. Here we answer some of the most frequently asked questions about the steps we take to ensure that your experience and data are safe and secure.

Do you support Multi-Factor Authentication (MFA)?

Yes, we have added our own MFA solution which you can enforce on your workspace level. We are also fully SAML 2.0 compatible and support Okta, Onelogin, Azure, Google, etc to onboard your team more easily.

What is being logged and how can I have access?

SyncSketch is using an extensive logging infrastructure with a central Security Information and Event Management (SIEM) server to collect and process everything that is happening on our platform. For peace of mind, we log anything from when specific users access items to state changes and download requests. We can stream workspace-specific logs to our customers via Logstash in the JSON format for full log analysis.

Do you support IP whitelisting?

To restrict access to your site we allow users to define either an IP range and/or fully qualified domain names (FQDN). Currently the whitelist is not accessible through the UI and needs to be requested when you set up your enterprise workspace.

Can I give users different permissions?

Within your workspace you can assign different permissions to your users; from unrestricted admin access to regular members and a view-only option to allow restricted users to just stay in the loop. Members can create and upload media to actively participate in your day to day while Reviewers are only able to leave feedback.

Can I share a review with users outside of my workspace?

Yes, you can share reviews with external collaborators by generating a link. Shared links can be password protected and you have the option to set an expiration date. Both password protection and expiration can be enforced on the workspace level to make sure your users are not accidentally sharing content without the necessary protection. For complete peace of mind you can also disable link sharing all together. That way you can be sure that anyone accessing your data is logging in through SSO or MFA if enabled on your account. 

Is my data encrypted?

Yes, all your data is encrypted at rest and in transit using the latest encryption technology like TLS 1.2 and AWS-SSE.

Do you follow a particular security framework?

Absolutely. There are several great frameworks that companies can follow. The most important thing is to ensure that the framework fits the organization’s operations, protects sensitive information, and meets or exceeds our customer’s expectations. A framework must achieve results and build integrity at every level of an organization. In the creative industry, there is no room for a weakest link. That is why we’ve adopted the ISO 27001 framework, along with best practices presented by the Motion Picture Association (MPA) and Trusted Partner Network (TPN). ISO 27001 is a very robust framework that offers great practices for day-to-day operations, while the TPN framework focuses specifically on content protection and the types of assets you typically find in the entertainment industry. For us, those best-practices are key.

How do you ensure compliance & integrity within the workforce?

We believe that vigilant security starts within the Organization. As a part of the Unity family, this begins with candidates. All prospective employees, irrespective of their position, go through an external vetting process. The process includes the candidate’s prior employment records, educational qualifications, and reference checks (where local labor law or statutory regulations permit). We also require criminal background checks on all employees and contractors.

We enforce the Unity Security Policy as part of our company code of conduct. All Unity employees have mandatory security and privacy training at least once yearly. This training is provided by a well-recognized security awareness training group.

Access to SyncSketch’s Infrastructure is limited only to the operations and support staff actively engaged in monitoring and enhancing the SyncSketch Service offerings.

What do you do to protect company devices?

Even with all of the training and best-practices, we try to minimize the chance of human error or malicious attacks by deploying device management controls and anti-virus and anti-malware protection. All employee devices are monitored and controlled by a centralized application that enforces password policies, system updates, and activity logging. This gives our InfoSec team a lot of control over what happens in our company’s ecosystem and offers proactive ways to respond to threats.

How do you ensure security with third parties?

We hold our third-party partners and vendors to the same high standards that our customers hold us to. Our vendor onboarding program requires SyncSketch to evaluate the information that vendors can access, who has access to it, where it’s being held, and how it’s being protected. In many cases, we require third parties to fill out questionnaires in order to familiarize ourselves with their infrastructure and practices. We also require non-disclosure agreements when service agreements are executed. Anyone who engages with our day-to-day operations quickly learns that security is at the heart of everything SyncSketch does, whether they’re a vendor, employee, contractor, or customer.

Does SyncSketch have a dedicated Security Team?

Our InfoSec Team meets regularly to evaluate changes to the SyncSketch ecosystem. We also work to identify risks and plan for technological enhancements. Our security roadmap is constantly evolving. Sometimes a client will suggest a brilliant security feature that could be added at the workspace level. Other times, we implement new solutions or policies that we believe will benefit our clients, their workflows, and their assets. Our InfoSec Team possesses a diverse array of security knowledge, including system administration, policy creation, enterprise learning, IT, software development, risk assessment, remediation, and other valuable expertise. It’s the perfect mix to keep our roadmap moving forward.

Using a cloud or SaaS solution is a big leap for many companies. Especially when their content is so valuable. Do you find it tough to gain the trust of studios or increase adoption?

When it comes to trusting a SaaS solution with valuable IP, there will always be skepticism and processes for due diligence– and there should be. It forces companies to not just talk the talk, but to walk the walk. That’s why we consider security a business and operations strategy in addition to an information security management strategy. SyncSketch has gone through some of the most rigorous security evaluations imaginable, and we’re continually approved and recognized as one of the most trusted SaaS solutions for content reviews and creative collaboration.

Once in a while, a company will have a policy that prohibits the use of content in the cloud. However, our flexibility in allowing clients to use their own AWS S3 buckets often helps solve that problem by providing control over logs and other aspects of their data. We believe the creative industry’s skepticism shouldn’t be projected towards cloud technology itself; but rather how companies protect data in the cloud. The power of the cloud provides companies with a competitive advantage that’s too valuable to ignore, and adoption towards its usage will accelerate, as it does with most technology of this caliber. The early adopters have already begun their creative journey with SyncSketch. They happen to be big players, so others are following suit.

Market forces aside, perhaps the best way to gain trust is to collaborate with clients to enhance the platform’s feature set. That includes creative features as well as security features. The security evaluation process is a great opportunity to collect feedback and think about the future of the platform. If an idea sounds like a winner, we usually add it to our roadmap for further evaluation and work alongside our clients to turn it into a reality. There’s nothing that builds trust more than working towards a unified goal together. Building an increasinlgy secure platform is a goal both SyncSketch and our clients can get behind.

For more information about Enterprise level security features, read this blog.