Our Security Commitment
At Upful, our customers’ data privacy and information security are a top priority.
We maintain the highest standards of data privacy and security because we know your employee data is important to keep secure. Upful undergoes regular security reviews and encrypts data at rest and in transit.
Our customers entrust sensitive data to our care.
Secure and Reliable Infrastructure
Upful uses vendors whose data centers are monitored by 24×7 security, biometric scanning, and video surveillance and are SOC 1, SOC 2, and SOC 3 certified. Upful has a mature vendor management program and evaluates all vendors for data privacy and security. For more information about the vendors we use, please contact us so we can provide details privately.
World Class Application Security
All data is encrypted in transit to and from the user and within the Upful platform using TLS 1.2. All data is encrypted at rest using 256-bit encryption via native AWS capabilities.
Data Permissions & Authentication
Access to customer data is limited to authorized employees who require it for their job and data access is logged.
Detection of Security Breaches
The network is continuously monitored for suspicious activities. Users have the ability to report suspicious activity directly to Upful. If you believe you have discovered a potential vulnerability, please let us know by emailing us at firstname.lastname@example.org.
Identity & Access Management
Only necessary Upful employees are provided with the least privilege access (read-only) to the systems that store customers’ data. The access is provided only when absolutely necessary. Access privileges are decided and approved by the CEO and CTO. The employee’s access to the system is terminated immediately if the employment is terminated or if their role no longer has a need to access that data. Employees access the customer data and the service using 2-Factor Authentication.
Upful maintains an incident response plan for all security incidents. If Upful experiences a data breach, it will perform an investigation into the root causes of the breach by isolating the data backup. It will analyze the impact of the breach and pursue appropriate mitigations. Once the investigation and initial response are completed successfully, Upful will notify customers affected by the breach within 72 hours.
Corporate Security at Upful
All Upful employees receive training during new hire orientation that improves their understanding of critical security topics such as how to treat customer data, handling of suspicious emails, anti-phishing and social engineering training, personal device usage, and separation of business and personal accounts.
Upful employees are required to follow best practices such as locking their device screen when not within viewing distance, protecting all devices with passwords that meet complexity requirements, and using multi-factor authorization.
All employees are required to review and agree to Upful’s strict IT Security Policies, which are annually reviewed to incorporate periodic updates.
Responsible Disclosure Policy
If you believe you have discovered a potential vulnerability, please let us know by emailing us at email@example.com. Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Upful service. Please only interact with domains you own or for which you have explicit permission from the account holder. We may revise these guidelines from time to time. The most current version of the guidelines will be available at Upful.ai/security.
Secure Software Development
Upful implements secure development practices to ensure security is considered at all stages of the software development lifecycle.
Some of the key principles the Upful team follows include:
- Isolating Personally Identifying Information (PII) on a different system, so it's separated from performance reviews
- Use standard cryptographic libraries and known implementations
The new ‘California Consumer Protection Act’ (CCPA) came into effect on January 1, 2020. The state law grants California consumer residents new rights over their personal information. These rights are: the right to know (or access), the right to delete, and the right to opt-out of sale of personal information that a company may collect, retain, or disclose about a consumer.
If you wish to exercise any of these rights, you can do so by emailing us at firstname.lastname@example.org.
Additionally, the CCPA prohibits businesses from discrimination against consumers in terms of access to services if they choose to exercise their rights under the CCPA.
The CCPA applies to for-profit entities doing business in California that collect, share, or sell California consumer residents’ personal information and that meet any of the following:
1) have annual gross revenues in excess of $25 million;
2) possess the personal information of over 50,000 consumers, households, or devices; or
3) derive 50% or more of gross revenue from selling personal information.
Where does Upful host their services?
- Upful hosts its software as a service at Amazon Web Services and Amazon Elastic Kubernetes Service (EKS) for their exceptional security and availability. Amazon EKS allows Upful to safely start, run, and access the application in the AWS cloud infrastructure. AWS supports various security standards and compliance certifications.
What security controls are in place to protect the environment processing or storing customer data?
- Upful uses various security features as follows:
  - Data encryption at rest and in transit - All the data at rest is encrypted using AES-256 encryption. Data in transit is encrypted using TLS.
  - TLS-restricted traffic for all the client-server communication
  - Least privilege access control
  - Multi-factor authentication
  - Routine network testing
  - AWS security - AWS provides services that protect the user data and accounts from unauthorized access. It has security controls to provide network and infrastructure security, data encryption, host and endpoint security, identity and access control, logging, monitoring, threat detection and analytics, application security and so on.
- Upful does not operate any data centers. Upful’s service is hosted and delivered via Amazon Web Services.
What encryption mechanisms are used to protect the data at rest?
Data at rest is encrypted using AES-256, block-level storage encryption.
What network security mechanisms are used to protect the sensitive information?
- Upful’s service is hosted and delivered via Amazon Web Services. AWS has various security controls in place to protect the sensitive information. These include network inspection designed to detect and protect your workloads from malicious or unauthorized traffic. Amazon only provides data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centers by Amazon employees is logged and audited routinely. For additional information, please visit: https://aws.amazon.com/security
- Upful also uses virtual private networks when accessing sensitive data to ensure that the data is transferred securely while working remotely.
How often are the security policies and procedures reviewed?
Upful reviews its security policies and procedures bi-annually.
Are all servers and software at the current patch levels and fully supported?
- The servers and software are patched regularly. AWS provides regular updates and patches for the system. Amazon Elastic Kubernetes Service (EKS) releases new platform versions periodically to enable new Kubernetes control plane settings and to provide security fixes. Upful has manual control over EKS version updates, to ensure that the application runs smoothly on the new version before upgrading production clusters. EKS is at the current patch level that AWS provides.
- For more information, please visit: https://docs.aws.amazon.com/eks/
What monitoring capabilities are implemented to identify access to customer data and servers that contain customer data?
- All application logins by Upful's customers and employees are logged.
- Upful allows access to the application using the Invite Code granted by the administrator during account creation.
- Upful also maintains information about the changes made to customers’ data.
What is the password policy for the systems that host customer data?
- Upful uses standards like National Institute of Standards and Technology (NIST Special Publication 800-53) for implementing security and privacy controls of the system.
- Password policy follows the security best practices and passwords comply with the requirements for their length and complexity. Passwords are stored in an encrypted format.