Security
Product Security
At Uptycs, we use Agile principles for a rapid software development lifecycle that emphasizes security throughout. This enables us to discover and remediate software or security issues earlier. Software patches are released continuously, with those impacting end users taking priority. Our continuous integration process, along with well defined change management policies, allow us to respond rapidly to issues with security or functionality in a consistent and thorough manner. With these DevOps practices, Uptycs is able to achieve fast time to resolution.
Physical Security
The Uptycs production infrastructure is hosted in Cloud Service Provider (CSP) environments. As indicated under The Shared Responsibility Model, the physical and environmental security related controls for Uptycs production servers, which includes buildings, physical security measures, and access control, are managed by these CSP’s. Professional security staff restrict physical access at the perimeter and all data center entrances. Authorized staff must pass two-factor authentication two or more times to access the data center.
Corporate Security
All Uptycs personnel are subject to background checks upon employment, and undergo annual security awareness training for technical and non-technical roles. Employee policy emphasizes each employee’s responsibility to help secure our customer data and company assets.
Uptycs requires transport level security for network access and individually authenticates users by way of a central identity provider. We also leverage two factor authentication wherever possible.
Data Protection
Authentication and Access Management
End users may log in to Uptycs using an Identity Provider, leveraging Uptycs’s support for the Security Assertion Markup Language (SAML). This service will authenticate an individual’s identity and may provide the option to share certain personally identifying information with Uptycs, such as your name and email address to pre-populate our sign up form. Uptycs’s SAML support allows organizations to control authentication to Uptycs and enforce specific password policies, account recovery strategies and multi-factor authentication technologies.
Protection of Customer Data
Data submitted to the Uptycs service by authorized users is considered confidential. This data is protected in transit across public networks and encrypted at rest. Customer Data is not authorized to exit the Uptycs production service environment, except in limited circumstances such as in support of a customer request.
All data transmitted between Uptycs and Uptycs’ users is protected using Transport Layer Security (TLS 1.2). If encrypted communication is interrupted, the Uptycs application is inaccessible. At rest the customer’s data is stored on encrypted disks. The data is encrypted using industry-standard AES-256 data encryption.
Access to Customer Data is limited to functions with a business requirement to do so. Uptycs has implemented multiple layers of access controls for administrative roles and privileges. Access to environments that contain Customer Data requires a series of authentication and authorization controls, including Multi-Factor Authentication (MFA). Users must first login to a VPN, the user must present a password and an authentication code. Once on the VPN the user must present ssh credentials to login. Access to those environments is monitored and logged for security purposes. Uptycs has implemented controls to ensure the integrity and confidentiality of administrative credentials and access mechanisms, and enforces full-disk encryption and unique credentials for workstations.
Uptycs monitors critical infrastructure for security related events by using the Uptycs security analytics platform, alongside a custom implementation of other open source and commercial technologies.
Compliance
Certifications, Attestations and Frameworks
Uptycs maintains active SOC 2 Type II compliance.
Laws and Regulations
Uptycs’s solution is compliant with the data protection laws and regulations applicable to the services we provide. You can learn more about our privacy policy at https://www.uptycs.com/uptycs-privacy-policy
CCPA
Uptycs is a monitoring service for infrastructure and while we do not intend to transfer, process, use, or store personal information, Uptycs can provide our CCPA Addendum so that our customers can fulfill their obligations under the CCPA in the event that personal data is in scope.
GDPR
Uptycs is compliant with the General Data Protection Regulation (GDPR) which went into effect on May 25, 2018. Uptycs has worked to enhance its products, processes, and procedures to meet its obligations as a data processor. For more information about our position on the GDPR, please visit https://www.uptycs.com/gdpr/.
Vendor Management
Uptycs leverages a number of third party applications and services in support of the delivery of our products to our customers. The Uptycs Security Team recognizes that the company’s information assets and vendor dependencies are critical to our continuing operations and delivery of services. As such, Uptycs’ Security team has established a vendor management program that sets forth the requirements to be established and agreed upon when Uptycs engages with third parties or external vendors. These engagements are designed to assess the technical, physical, and administrative controls in place and to ensure they are commensurate with the expectations of Uptycs and its customers.
Sub Processors
| Vendor | Country | Type of Service |
| AWS | United States | Infrastructure Provider |
| Google Cloud Platform | United States | Infrastructure Provider |
| Google Workspace Enterprise | United States | Infrastructure, Document Storage, Email Communication |
| GitHub | United States | Code Hosting Platform |
| Atlassian (Jira) | United States | Development, Internal support collaboration |
| Slack | United States | Messaging services |
| Zoho Desk | United States | Supporting ticket and customer service |
| Clickup | United States | Customer Support |
| HubSpot | United States | Sales and Marketing |
| Salesforce | United States | Sales and Marketing |
| 6Sense | United States | Sales and Marketing |
| Gong | United States | Sales and Marketing |
| Outreach | United States | Sales and Marketing |
| New Breed | United States | Sales and Marketing |
Affiliates
Our affiliate offices operate under the registered name Uptycs India Pvt. Ltd. and are located in Bengalaru, Karnataka and Yerwada, Pune.
Report a Concern
Disclosure
If you need to contact Uptycs about a potential security issue with our product or services, please email security@uptycs.com with the words “Security Concern” in the subject line.
- We will acknowledge receiving the information within 3 business days.
- We will do our best to keep you up to date. If you would like an update or more details regarding your disclosure please do not hesitate to reach back out.
- We will never use the contact information acquired via you sending us information about a security concern for any other purpose than to communicate about this issue, unless you explicitly request that we contact you for other purposes.
This is not a bug bounty program, rather a simple way to allow people who have found potential issues to report them securely.
Uptycs leverages the power of osquery. Bugs found in the open source version of osquery are covered by the Facebook bug bounty. If you have found issues in osquery itself, we appreciate receiving reports and your work to help secure users of open source security tools, and we encourage you to participate in the official bounty. Be aware that if you report an issue to us, we may start working on a fix, and the timing could prevent you from receiving the bounty, so for that reason we recommend you submit there first.
If you are a customer and want to inquire about authorized security testing, please get in touch with your customer success manager.
Reporting A Security Concern
Please report issues to: security@uptycs.com.
