Security

Security is one of our biggest priorities here at Upflow. On this page we have provided information about the security of your data and our general security practices.

HR/Corporate Policies

  • We run background checks on all incoming employees, and on contractors who will be working with Upflow, before they start at the Company.
  • All employees sign confidentiality agreements to protect customer information.
  • Support staff do not have access to fine-grained customer data; instead, they rely on metadata to provide support.
  • Developers participate in regular security training to learn about common vulnerabilities and threats.

Infrastructure Security

  • Our datacentres are hosted in the EU (Ireland) by AWS. They are ISO 27001, 27017, 27018 and SOC 1, 2, 3 compliant.
  • All data is encrypted in transit using TLS 1.3; sensitive data is encrypted at rest using a symmetric key algorithm.
  • We use Distributed Denial of Service (DDoS) mitigation services powered by Cloudflare.

Data Protection

  • We use continuous protection and master-slave replication to protect against any database failures.
  • We perform automatic, nightly backups of all customer data.

Audits

  • We undergo an annual third-party penetration test and source code audit of our production services.
  • Security review is an integral part of our development lifecycle, incorporated into our design, implementation, and test processes.
  • We're listed in the QuickBooks App Store and have cleared all mandatory security audits required by Intuit.

Threat and Vulnerability Management

  • We have automated systems to inventory installed software and software versions on production systems.
  • All high-risk vulnerabilities are addressed within 90 days of discovery. Most medium-risk vulnerabilities are addressed within 180 days of discovery.
  • We welcome feedback from the security community and strive to quickly address security issues involving our products and services. Please report security issues to security@upflow.io in accordance with our bug bounty programme.

Insurance

  • In addition to following industry-standard security best practices, we have a comprehensive cyber insurance policy provided by AIG.
  • We have corporate liability insurance that covers employee negligence and fraud, and cyber risk insurance that covers attacks from third parties.
  • Our insurance covers any damages incurred by our customers as a result of an attack on Upflow. We review the liability amount on a yearly basis as we grow the business.