Security
Product Security
At Uptycs, we use Agile principles for a rapid software development lifecycle that emphasizes security throughout. This enables us to discover and remediate software or security issues earlier. Software patches are released continuously, with those impacting end users taking priority. Our continuous integration process, along with well defined change management policies, allow us to respond rapidly to issues with security or functionality in a consistent and thorough manner. With these DevOps practices, Uptycs is able to achieve fast time to resolution.
Physical Security
The Uptycs production infrastructure is hosted in Cloud Service Provider (CSP) environments. As indicated under The Shared Responsibility Model, the physical and environmental security related controls for Uptycs production servers, which includes buildings, physical security measures, and access control, are managed by these CSP’s. Professional security staff restrict physical access at the perimeter and all data center entrances. Authorized staff must pass two-factor authentication two or more times to access the data center.
Corporate Security
All Uptycs personnel are subject to background checks upon employment, and undergo annual security awareness training for technical and non-technical roles. Employee policy emphasizes each employee’s responsibility to help secure our customer data and company assets.
Uptycs requires transport level security for network access and individually authenticates users by way of a central identity provider. We also leverage two factor authentication wherever possible.
Data Protection
Authentication and Access Management
End users may log in to Uptycs using an Identity Provider, leveraging Uptycs’s support for the Security Assertion Markup Language (SAML). This service will authenticate an individual’s identity and may provide the option to share certain personally identifying information with Uptycs, such as your name and email address to pre-populate our sign up form. Uptycs’s SAML support allows organizations to control authentication to Uptycs and enforce specific password policies, account recovery strategies and multi-factor authentication technologies.
Protection of Customer Data
Data submitted to the Uptycs service by authorized users is considered confidential. This data is protected in transit across public networks and encrypted at rest. Customer Data is not authorized to exit the Uptycs production service environment, except in limited circumstances such as in support of a customer request.
All data transmitted between Uptycs and Uptycs’ users is protected using Transport Layer Security (TLS). If encrypted communication is interrupted, the Uptycs application is inaccessible.
Access to Customer Data is limited to functions with a business requirement to do so. Uptycs has implemented multiple layers of access controls for administrative roles and privileges. Access to environments that contain Customer Data requires a series of authentication and authorization controls, including Multi-Factor Authentication (MFA). Access to those environments is monitored and logged for security purposes. Uptycs has implemented controls to ensure the integrity and confidentiality of administrative credentials and access mechanisms, and enforces full-disk encryption and unique credentials for workstations.
Uptycs monitors critical infrastructure for security related events by using the Uptycs security analytics platform, alongside a custom implementation of other open source and commercial technologies.
Compliance
Certifications, Attestations and Frameworks
Uptycs maintains active SOC 2 Type II compliance.
Laws and Regulations
Uptycs’s solution is compliant with the data protection laws and regulations applicable to the services we provide. You can learn more about our privacy policy at https://www.uptycs.com/uptycs-privacy-policy
CCPA
Uptycs is a monitoring service for infrastructure and while we do not intend to transfer, process, use, or store personal information, Uptycs can provide our CCPA Addendum so that our customers can fulfill their obligations under the CCPA in the event that personal data is in scope.
Vendor Management
Uptycs leverages a number of third party applications and services in support of the delivery of our products to our customers. The Uptycs Security Team recognizes that the company’s information assets and vendor dependencies are critical to our continuing operations and delivery of services. As such, Uptycs’ Security team has established a vendor management program that sets forth the requirements to be established and agreed upon when Uptycs engages with third parties or external vendors. These engagements are designed to assess the technical, physical, and administrative controls in place and to ensure they are commensurate with the expectations of Uptycs and its customers.
Sub Processors
| Sub Processor Name | Purpose |
| AWS | Infrastructure |
| GSuite | Infrastructure, Document Storage, Email Communication |
| Atlassian | Development, Customer Support Ticketing |
| Slack | Customer / Internal Communications |
| Freshdesk | Customer Support |
| ZohoDesk | Customer Support |
Affiliates
Our affiliate offices operate under the registered name Uptycs India Pvt. Ltd. and are located in Bengalaru, Karnataka and Yerwada, Pune.
Report a Concern
Disclosure
If you need to contact Uptycs about a potential security issue with our product or services, please email security@uptycs.com with the words “Security Concern” in the subject line.
- We will acknowledge receiving the information within 3 business days.
- We will do our best to keep you up to date. If you would like an update or more details regarding your disclosure please do not hesitate to reach back out.
- We will never use the contact information acquired via you sending us information about a security concern for any other purpose than to communicate about this issue, unless you explicitly request that we contact you for other purposes.
This is not a bug bounty program, rather a simple way to allow people who have found potential issues to report them securely.
Uptycs leverages the power of osquery. Bugs found in the open source version of osquery are covered by the Facebook bug bounty. If you have found issues in osquery itself, we appreciate receiving reports and your work to help secure users of open source security tools, and we encourage you to participate in the official bounty. Be aware that if you report an issue to us, we may start working on a fix, and the timing could prevent you from receiving the bounty, so for that reason we recommend you submit there first.
If you are a customer and want to inquire about authorized security testing, please get in touch with your customer success manager.
Reporting A Security Concern
Please report issues to: security@uptycs.com.
If you are reporting a sensitive vulnerability or information, we recommend that you use PGP/GPG to encrypt the content of your email.
If you contact us via an encrypted message, we will not reply with any content of your email in clear-text. If you provide a public key, we will reply using it. If you do not provide a public key, we will not respond with any details that could expose what has been reported, we will simply acknowledge receiving it and we will sign the message.
Our PGP key can be found on the OpenPGP.org website.
This is the Uptycs Security PGP key, valid until January 1st, 2022.
- Key Size: 4096
- Fingerprint: 1E600ACB6590E4D3AA463E90F154C3E8D2349862
