As a vendor in the cyber security space, Uptycs knows how important it is to protect what customers entrust us with.

To achieve these goals, we have multiple controls in place, and we are working towards achieving compliance with various standards, including SOC 2.

Uptycs monitors evolving regulations, threats, and customer requirements to keep improving our security, so that the service is safe, customer data remains confidential, and the service remains available with minimal downtime for customers.

Continue reading below to learn more about our security practices and policies.


Customers with additional questions are encouraged to submit them via the Uptycs support portal.

Access Management

Uptycs supports various authentication portals over SAML, ensuring that customers are able to leverage their existing environments, accounts, password policies and Two-Factor Authentication.

Uptycs provides multiple different roles for customers to configure, as well as a toggle to allow or deny support access to a customer’s account.

Internally, Uptycs leverages a combination of the following to protect access to the production infrastructure:

  • Two-Factor Authentication
  • VPNs
  • SSH keys
  • Network segmentation and firewalling

Encryption in Transit and at Rest

All endpoint and cloud management traffic to Uptycs is encrypted using TLS 1.2 or better. Clear-text HTTP is used to redirect to HTTPS.

Data stored on Uptycs is encrypted at rest using native features of AWS.

Application and Osquery Package Security

The Uptycs osquery agent is based on the open source version but built, maintained, packaged, signed and distributed by Uptycs. Customers can deploy the agent using existing tools, and can choose to update it themselves or leverage Uptycs to auto-update the agents.

Development of our cloud platform follows a strict code review process for all components with an impact on security.

Potential issues can be reported by anyone. Customers with a specific concern can leverage regular support channels as well.

Physical Security

Uptycs customer data and production environments are located in AWS, which features multiple physical security controls.

Data is also encrypted at rest, to protect against potential failures in physical security.

Monitoring

Uptycs leverages different tools and processes, including using our own service, to detect and respond to potential attacks on our systems.

External Testing and Vulnerability Scanning

Uptycs performs regular penetration testing engagements with external vendors, and treats the findings like any other vulnerability by prioritizing resolution based on multiple factors, including ease of exploitation, impact, and probability of exploitation.

Uptycs uses an external vendor for vulnerability scanning, and uses the Uptycs product for Linux vulnerability management.

Uptycs is also in the process of achieving SOC 2 compliance. Once that is achieved, a recurring engagement to re-certify compliance will be implemented.

Incident Notification

If a security incident impacting customer data is detected, affected customers will be contacted as soon as the incident is confirmed. As an investigation progresses and more is known about what could be impacted, customers would be kept up to date about the status of the investigation when significant milestones are reached. We aim to contact customers within 72 hours of the detection of an incident, with preliminary details.

Customer Data Access and Removal

Access to customer data is controlled by customers at the application level, for support purposes. Access to the infrastructure hosting the data is managed on a strict “required for operations” basis. Customer data is encrypted at rest to protect against stolen hardware or snapshots of media.

Customer data is constantly removed as per the retention policy agreed upon.

On contract termination, data is kept for a maximum of 45 days, to ensure a customer can sign back up again and not lose their environment.

Physical media destruction is handled by AWS, which decommissions media as per techniques detailed in NIST 800-88, and Uptycs uses data at rest encryption to protect against failures in these controls.

Availability

Uptycs leverages multiple availability features, such as highly available AWS datacenters with redundant power, multiple availability zones, redundant data and load balancing to ensure the service’s availability is as good as possible. 

Additionally, the agent itself will cache data if unable to reach the service, and will resume once the service is available again. This is not only useful for potential service issues or maintenance, but for systems that are not permanently connected to the Internet, like laptops, as well as to ensure Internet access issues on the customer side have a lesser impact.

Systems are monitored for availability, with the capacity to automatically warn operations teams if service degradation is detected.

Uptycs backs up critical data and tests restoration regularly, to ensure disaster recovery plans are effective.

Planned maintenance or downtime is announced to customers in advance, via regular support channels.

Service level objectives or agreements can be found in your service agreement.

Compliance

Uptycs is currently in the process of becoming SOC 2 compliant. This page will be updated with relevant information as necessary.

Report a Security Concern

To report a security concern, or for more information on vulnerability disclosures, visit www.uptycs.com/security-reports