Security

Security is one of our biggest priorities here at Upflow. On this page we have provided information about the security of your data and our general security practices.


Compliance

  • Upflow is SOC-2 Type 1 compliant (security, availability & confidentiality).

  • We are also GDPR compliant.

  • The documents relating to the above are available upon request.


HR/Corporate Policies

  • We run background checks on all incoming employees, or contractors who will be working with Upflow, before they start at the Company.

  • All employees sign confidentiality agreements to protect customer information.

  • Support staff do not have access to fine-grained customer data; instead, they rely on metadata to provide support.

  • Developers participate in regular security training to learn about common vulnerabilities and threats.


Infrastructure Security

  • Our datacentres are hosted in the EU (Ireland) by AWS. They are ISO 27001, 27017, 27018 and SOC 1, 2, 3 compliant.

  • All data is encrypted in transit using TLS 1.3; sensitive data is encrypted at rest using a symmetric key algorithm.

  • We use Distributed Denial of Service (DDoS) mitigation services powered by Cloudflare.


Data Protection

  • We use continuous protection and master-slave replication to protect against any database failures.

  • We perform automatic, nightly backups of all customer data.


Audits

  • We undergo an annual third-party penetration test and source code audit of our production services.

  • Security review is an integral part of our development lifecycle, incorporated into our design, implementation, and test processes.

  • We're listed in the QuickBooks App Store and have cleared all mandatory security audits required by Intuit.


Threat and Vulnerability Management

  • We have automated systems to inventory installed software and software versions on production systems.

  • All high-risk vulnerabilities are addressed within 30 days of discovery. Most medium-risk vulnerabilities are addressed within 90 days of discovery.

  • We welcome feedback from the security community and strive to quickly address security issues involving our products and services. Please report security issues to [email protected] in accordance with our bug bounty programme.


Insurance

  • In addition to following industry-standard security best practices, we have a comprehensive cyber insurance policy provided by Clear Blue Insurance Group.

  • We have corporate liability insurance that covers employee negligence and fraud, and cyber risk insurance that covers attacks from third parties.

  • Our insurance covers any damages incurred by our customers as a result of an attack on Upflow. We review the liability amount on a yearly basis as we grow the business.