Uptycs is a SOC2 certified company that takes data security and privacy
very seriously. Below you can learn more about our security policies, but if
you have questions, comments or concerns, please reach out to our team.
At Uptycs, we use Agile principles for a rapid software development lifecycle that emphasizes security throughout. This enables us to discover and remediate software or security issues earlier. Software patches are released continuously, with those impacting end users taking priority. Our continuous integration process, along with well-defined change management policies, allow us to respond rapidly to issues with security or functionality in a consistent and thorough manner. With these DevOps practices, Uptycs can achieve fast time to resolution.
The Uptycs production infrastructure is hosted in Cloud Service Provider (CSP) environments. As indicated under The Shared Responsibility Model, the physical and environmental security related controls for Uptycs production servers, which includes buildings, physical security measures, and access control, are managed by these CSP’s. Professional security staff restrict physical access at the perimeter and all data center entrances. Authorized staff must pass two-factor authentication two or more times to access the data center.
All Uptycs personnel are subject to background checks upon employment and undergo annual security awareness training for technical and non-technical roles. Employee policy emphasizes each employee’s responsibility to help secure our customer data and company assets.
Uptycs requires transport level security for network access and individually authenticates users by way of a central identity provider. We also leverage two factor authentication wherever possible.
Authentication and Access Management
End users may log in to Uptycs using an Identity Provider, leveraging Uptycs’ support for the Security Assertion Markup Language (SAML). This service will authenticate an individual’s identity and may provide the option to share certain personally identifying information with Uptycs, such as your name and email address to pre-populate our sign-up form. Uptycs’ SAML support allows organizations to control authentication to Uptycs and enforce specific password policies, account recovery strategies and multi-factor authentication technologies.
Protection of Customer Data
Data submitted to the Uptycs service by authorized users is considered confidential. This data is protected in transit across public networks and encrypted at rest. Customer Data is not authorized to exit the Uptycs production service environment, except in limited circumstances such as in support of a customer request.
All data transmitted between Uptycs and Uptycs’ users is protected using Transport Layer Security (TLS 1.2). If encrypted communication is interrupted, the Uptycs application is inaccessible. At rest the customer’s data is stored on encrypted disks. The data is encrypted using industry-standard AES-256 data encryption.
Access to Customer Data is limited to functions with a business requirement to do so. Uptycs has implemented multiple layers of access controls for administrative roles and privileges. Access to environments that contain Customer Data requires a series of authentication and authorization controls, including Multi-Factor Authentication (MFA). Users must first login to a VPN, the user must present a password and an authentication code. Once on the VPN the user must present ssh credentials to login. Access to those environments is monitored and logged for security purposes. Uptycs has implemented controls to ensure the integrity and confidentiality of administrative credentials and access mechanisms, and enforces full-disk encryption and unique credentials for workstations.
Uptycs monitors critical infrastructure for security related events by using the Uptycs security analytics platform, alongside a custom implementation of other open source and commercial technologies.
Certifications, Attestations, and Frameworks
Uptycs maintains active SOC 2 Type II compliance. You can read more about SOC 2 here.
Laws and Regulations
Changing or deleting your information
Once customer contract is terminated, Uptycs deletes or returns all the personal data to the customer after the end of the provision of services relating to processing, and deletes existing copies unless the applicable law requires storage of the personal data.
How long does Uptycs keep Personal Information
Data retention for customer depends on customer configuration. Data is destroyed within 45 days of no longer being required and in some circumstances, retain data for more than 45 days with the permission from senior executive. Disposal of confidential information is logged in order to maintain an audit trail.
Uptycs leverages a number of third-party applications and services in support of the delivery of our products to our customers. The Uptycs Security Team recognizes that the company’s information assets and vendor dependencies are critical to our continuing operations and delivery of services. As such, Uptycs’ Security team has established a vendor management program that sets forth the requirements to be established and agreed upon when Uptycs engages with third parties or external vendors. These engagements are designed to assess the technical, physical, and administrative controls in place and to ensure they are commensurate with the expectations of Uptycs and its customers.
Our affiliate offices operate under the registered name Uptycs India Pvt. Ltd. and are located in Bengaluru, Karnataka ,Yerwada, Pune and Hyderabad, Telangana.
Report a concern
If you need to contact Uptycs about a potential security issue with our product or services, please email email@example.com with the words “Security Concern” in the subject line.
- We will acknowledge receiving the information within 3 business days
- We will do our best to keep you up to date. If you would like an update or more details regarding your disclosure, please do not hesitate to reach back out
- We will never use the contact information acquired via you sending us information about a security concern for any other purpose than to communicate about this issue, unless you explicitly request that we contact you for other purposes
This is not a bug bounty program, rather a simple way to allow people who have found potential issues to report them securely.
Uptycs leverages the power of osquery. Bugs found in the open-source version of osquery are covered by the Facebook bug bounty. If you have found issues in osquery itself, we appreciate receiving reports and your work to help secure users of open-source security tools, and we encourage you to participate in the official bounty. Be aware that if you report an issue to us, we may start working on a fix, and the timing could prevent you from receiving the bounty, so for that reason we recommend you submit there first.
If you are a customer and want to inquire about authorized security testing, please get in touch with your customer success manager.
Reporting a Security Concern
Please report issues to: firstname.lastname@example.org.