As a vendor in the cyber security space, Uptycs knows how important it is to protect what customers entrust us with.
To achieve these goals, we have multiple controls in place, and we are working towards achieving compliance with various standards, including SOC 2.
Uptycs monitors evolving regulations, threats, and customer requirements so that our security is ever improving, ensuring that the service is safe, that customer data remains confidential, and that downtime for customers is minimized.
Continue reading below to learn more about our security practices and policies.
Customers with additional questions are encouraged to submit them via the Uptycs support portal.
Uptycs supports various authentication portals over SAML, ensuring that customers are able to leverage their existing environments, accounts, password policies and Two-Factor Authentication.
Uptycs provides multiple different roles for customers to configure, as well as a toggle to allow or deny support access to a customer’s account.
Internally, Uptycs leverages a combination of the following to protect access to the production infrastructure:
All endpoint and cloud management traffic to Uptycs is encrypted using TLS 1.2 or better. Clear-text HTTP is used to redirect to HTTPS.
Data stored on Uptycs is encrypted at rest using native features of AWS.
The Uptycs osquery agent is based on the open source version but built, maintained, packaged, signed and distributed by Uptycs. Customers can deploy the agent using existing tools, and can choose to update it themselves or leverage Uptycs to auto-update the agents.
Development of our cloud platform follows a strict code review process for all components with an impact on security.
Potential issues can be reported by anyone. Customers with a specific concern can leverage regular support channels as well.
Uptycs customer data and production environments are located in AWS, which features multiple physical security controls.
Data is also encrypted at rest, to protect against potential failures in physical security.
Uptycs leverages different tools and processes, including using our own service, to detect and respond to potential attacks on our systems.
Uptycs performs regular penetration testing engagements with external vendors, and treats the findings like any other vulnerability by prioritizing resolution based on multiple factors, including ease of exploitation, impact, and probability of exploitation.
Uptycs uses an external vendor for vulnerability scanning, and uses the Uptycs product for Linux vulnerability management.
Uptycs is also in the process of achieving SOC 2 compliance. Once that is achieved, a recurring engagement to re-certify compliance will be implemented.
If a security incident impacting customer data is detected, affected customers will be contacted as soon as the incident is confirmed. As an investigation progresses and more is known about what could be impacted, customers would be kept up to date about the status of the investigation when significant milestones are reached. We aim to contact customers within 72 hours of the detection of an incident, with preliminary details.
Access to customer data is controlled by customers at the application level, for support purposes. Access to the infrastructure hosting the data is managed on a strict “required for operations” basis. Customer data is encrypted at rest to protect against stolen hardware or snapshots of media.
Customer data is constantly removed as per the retention policy agreed upon.
On contract termination, data is kept for a maximum of 45 days, to ensure a customer can sign back up again and not lose their environment.
Physical media destruction is handled by AWS, which decommissions media as per techniques detailed in NIST 800-88, and Uptycs uses data at rest encryption to protect against failures in these controls.
Uptycs leverages multiple availability features, such as highly available AWS datacenters with redundant power, multiple availability zones, redundant data and load balancing to ensure the service’s availability is as good as possible.
Additionally, the agent itself will cache data if unable to reach the service, and will resume once the service is available again. This is not only useful for potential service issues or maintenance, but also for systems that are not permanently connected to the Internet, like laptops, as well as to ensure Internet access issues on the customer side have a lesser impact.
Systems are monitored for availability, with the capacity to automatically warn operations teams if service degradation is detected.
Uptycs backs up critical data and tests restoration regularly, to ensure disaster recovery plans are effective.
Planned maintenance or downtime is announced to customers in advance, via regular support channels.
Service level objectives or agreements can be found in your service agreement.
Uptycs is currently in the process of becoming SOC 2 compliant. This page will be updated with relevant information as necessary.
To report a security concern, or for more information on vulnerability disclosures, visit www.uptycs.com/security-reports
To learn more about our privacy policy, see here.