
UpKeep Security Compliance

At UpKeep, we understand that the protection of our customers' data is of the highest importance. We have therefore implemented a security program founded on the principles of defense in depth and continuous improvement, and have deployed security controls designed to protect customer data against unauthorized access.

As a provider of SaaS-based applications, we enable our customers to focus on their maintenance work without worrying about infrastructure, scaling, security, or operations.

Our DevOps team, in concert with the rest of our engineering organization, maintains our application infrastructure including vendor patch management, UpKeep application security, network security, and overall application availability.

UpKeep plans to have a SOC 2 Type II report available to customers by the end of 2023, so that customers' security and compliance personnel can better understand our security posture and the controls we have in place to protect customer data.

1. Security Assessments and Compliance

1.1 Data Centers

UpKeep's physical infrastructure is hosted and managed within Amazon's secure data centers using Amazon Web Services (AWS) technology. AWS operates a security program that is audited against numerous compliance and security standards. For detailed information on AWS security and compliance, please visit AWS Datacenter Controls.

1.2 PCI Data Handling

We use the payment processor Stripe to encrypt and process credit card payments. Stripe is a PCI DSS Level 1 service provider. UpKeep does not receive, handle, or store credit card numbers (PANs), CVVs, or expiry dates. We broker the connection between the customer and Stripe but do not otherwise interact with credit card information at all.

2. Physical Security

UpKeep's applications are hosted in AWS data centers. For more information about AWS data center physical security, please visit their data center controls page here.

3. Network Security

3.1 Firewalls

UpKeep uses AWS Security Group rules to control communication between external sources (the internet) and our application servers, and between application servers and data stores. Security groups are stateful and deny all inbound traffic by default: a newly created group has no inbound rules (it does permit all outbound traffic until restricted), and every allowed path must be configured explicitly by UpKeep DevOps personnel.

UpKeep also uses web application firewalls to filter inbound HTTP traffic for common attack patterns.

We perform regular internal audits with AWS Trusted Advisor and Amazon GuardDuty to ensure continued compliance.

3.2 DDoS Mitigation

AWS Shield Standard provides DDoS mitigation for all AWS customers at no additional charge. In addition to what AWS offers, UpKeep uses Cloudflare as a further layer of DDoS protection.

3.3 Intrusion Detection & Logging

UpKeep uses the following logging and monitoring tools to ensure that proper auditing can be conducted in the case of a suspected intrusion.

  1. Amazon GuardDuty
  2. AWS Config
  3. AWS CloudTrail
  4. AWS Trusted Advisor
  5. Amazon CloudWatch
  6. VPC Flow Logs (immutable)
  7. Instana
  8. Sysdig
  9. Loggly
  10. MongoDB Atlas
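The value of the sources above comes from the detection logic run over them. As an added example (not UpKeep's detection content), the following Python flags two of the events a CloudTrail consumer would watch for given the controls described in 3.1 and 3.5: a security group change that opens a port to the whole internet, and a successful console login without MFA. The records are constructed to mirror the CloudTrail event shape; the account id, ARNs and security group ids are placeholders.

```python
"""Detection logic over CloudTrail records (added example, constructed data)."""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample events: two security group changes and two console logins.
SAMPLE_EVENTS = [
    {   # opens SSH to the whole internet: should fire
        "eventTime": "2024-03-01T09:12:44Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/devops-alice"},
        "requestParameters": {
            "groupId": "sg-0a1b2c3d4e5f60001",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            ]},
        },
    },
    {   # allows the app tier into the data tier by group reference: expected, no finding
        "eventTime": "2024-03-01T09:15:02Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/devops-alice"},
        "requestParameters": {
            "groupId": "sg-0a1b2c3d4e5f60002",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5432,
                 "groups": {"items": [{"groupId": "sg-0a1b2c3d4e5f60003"}]}},
            ]},
        },
    },
    {   # successful console login without MFA: should fire
        "eventTime": "2024-03-01T10:01:17Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/contractor-bob"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # successful console login with MFA: no finding
        "eventTime": "2024-03-01T10:04:51Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/devops-alice"},
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
]


def world_open_ingress(event):
    """Return (protocol, from_port, to_port, cidr) for every range in an
    AuthorizeSecurityGroupIngress call that opens a port to the whole internet."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    hits = []
    for perm in perms:
        ranges = (perm.get("ipRanges", {}).get("items", [])
                  + perm.get("ipv6Ranges", {}).get("items", []))
        for rng in ranges:
            cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
            if cidr in WORLD_CIDRS:
                hits.append((perm.get("ipProtocol"), perm.get("fromPort"),
                             perm.get("toPort"), cidr))
    return hits


def console_login_without_mfa(event):
    """True for a successful ConsoleLogin where CloudTrail recorded no MFA.
    Federated sign-ins (AssumedRole) report MFAUsed "No" even when MFA was
    enforced at the identity provider, so they are excluded to avoid noise."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    if event.get("userIdentity", {}).get("type") == "AssumedRole":
        return False
    return bool(event.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and event.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def scan(events):
    """Run both rules over a batch of events and return findings in event order."""
    findings = []
    for ev in events:
        actor = ev.get("userIdentity", {}).get("arn", "<unknown>")
        for proto, lo, hi, cidr in world_open_ingress(ev):
            group = ev["requestParameters"].get("groupId", "<unknown>")
            findings.append({"rule": "sg-world-open", "time": ev["eventTime"], "actor": actor,
                             "detail": f"{group} {proto} {lo}-{hi} from {cidr}"})
        if console_login_without_mfa(ev):
            findings.append({"rule": "console-login-no-mfa", "time": ev["eventTime"],
                             "actor": actor, "detail": "successful console login, MFAUsed != Yes"})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['time']} {f['rule']:22} {f['actor']} {f['detail']}")
```

In production the same two functions would consume CloudTrail records delivered through CloudWatch Logs or an S3 trail; the immutable VPC Flow Logs listed above serve a different purpose (reconstructing what traffic actually flowed) and are not parsed here.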

3.4 Administrative Access

Access to the systems and infrastructure that host UpKeep's applications and data stores is limited to personnel who need it as part of their job duties. Access is protected by enforced MFA.

4. Data Security

Each customer's data is tagged with that customer's unique account identifier, which scopes all access to it. Data is encrypted at rest and in transit over public networks.
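The practical meaning of "tied to the account" is that the account identifier is part of every data-access predicate, not just a column on the row. The following Python is an added illustration of that pattern (not UpKeep's code; the schema and rows are constructed): an unscoped lookup that any authenticated caller could abuse to read another tenant's record, beside a repository that binds the account id from the session and applies it to every read and write.

```python
"""Account-scoped data access (added example, constructed schema and data)."""
import sqlite3

COLUMNS = ("id", "account_id", "title")


def build_sample_db():
    """In-memory work_orders table with rows for two tenant accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE work_orders ("
        " id INTEGER PRIMARY KEY, account_id TEXT NOT NULL, title TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO work_orders VALUES (?, ?, ?)",
        [
            (1, "acct-a", "Replace HVAC filter"),
            (2, "acct-a", "Inspect fire extinguishers"),
            (3, "acct-b", "Service forklift"),
        ],
    )
    return conn


def unscoped_get(conn, work_order_id):
    """The pattern to avoid: the record id alone selects the row, so a caller
    from acct-a who guesses id 3 reads acct-b's data (an IDOR)."""
    row = conn.execute(
        "SELECT id, account_id, title FROM work_orders WHERE id = ?", (work_order_id,)
    ).fetchone()
    return None if row is None else dict(zip(COLUMNS, row))


class WorkOrderRepo:
    """Every read and write is keyed on (account_id, id), never on id alone."""

    def __init__(self, conn, account_id):
        self.conn = conn
        # Bound once from the authenticated session; never taken from a
        # request parameter the caller can edit.
        self.account_id = account_id

    def get(self, work_order_id):
        row = self.conn.execute(
            "SELECT id, account_id, title FROM work_orders"
            " WHERE id = ? AND account_id = ?",
            (work_order_id, self.account_id),
        ).fetchone()
        # A foreign id and a nonexistent id both yield None, so the response
        # does not reveal whether the id exists in another account.
        return None if row is None else dict(zip(COLUMNS, row))

    def list_ids(self):
        rows = self.conn.execute(
            "SELECT id FROM work_orders WHERE account_id = ? ORDER BY id",
            (self.account_id,),
        )
        return [r[0] for r in rows]

    def rename(self, work_order_id, title):
        """Writes carry the same predicate; rowcount reports whether a row changed."""
        cur = self.conn.execute(
            "UPDATE work_orders SET title = ? WHERE id = ? AND account_id = ?",
            (title, work_order_id, self.account_id),
        )
        return cur.rowcount == 1


if __name__ == "__main__":
    db = build_sample_db()
    repo = WorkOrderRepo(db, "acct-a")
    print("own record:", repo.get(1))
    print("other tenant's record via scoped repo:", repo.get(3))
    print("same record via unscoped lookup:", unscoped_get(db, 3))
```

Encryption at rest and in transit does not help with this class of defect: the database decrypts the row for whichever application query asks for it, so the scoping predicate is the control that actually keeps one customer's data from reaching another.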

5. System Security

5.1 System Vulnerability Management

UpKeep uses AWS technologies to automatically and rapidly scale our application infrastructure up and down. New application compute resources are built from AWS managed images, which AWS keeps up to date with vendor security patches as they are released. As traffic levels wane, compute resources are brought offline, oldest first. Our application compute resources generally go through this scaling cycle every working day, so newly released security patches reach the fleet at least once per business day.

5.2 System Authentication

UpKeep has designed our operational infrastructure to reduce the potential attack surface. Application compute resources are not directly reachable for remote access by anyone. To reach them, operations personnel must first connect to a bastion host. Access to UpKeep bastion hosts is restricted to source IP addresses controlled by UpKeep operations personnel, and UpKeep uses multi-factor authentication to protect our infrastructure against account-based attacks.
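The tiered Security Group model from 3.1 and the bastion-only access path described here, written out as Terraform. This is an added illustration, not UpKeep's own configuration: the VPC id, the application and data store ports, and the operator CIDR are assumed placeholder values.

```hcl
# Added illustration of a tiered Security Group model; not UpKeep's
# Terraform. vpc_id, app_port, db_port and operator_cidrs are assumptions.

variable "vpc_id" { type = string }

variable "operator_cidrs" {
  type        = list(string)
  description = "Source ranges allowed to reach the bastion (placeholder value)"
  default     = ["203.0.113.0/24"] # RFC 5737 documentation range
}

variable "app_port" { default = 8080 }
variable "db_port"  { default = 5432 }

# One group per tier, defined without inline rules. The AWS provider removes
# AWS's implicit allow-all egress when it creates a group, so the explicit
# rules below are the only traffic permitted in either direction.
resource "aws_security_group" "alb" {
  name   = "alb"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "bastion" {
  name   = "bastion"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "app" {
  name   = "app"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "db" {
  name   = "db"
  vpc_id = var.vpc_id
}

locals {
  sg_ids = {
    alb     = aws_security_group.alb.id
    bastion = aws_security_group.bastion.id
    app     = aws_security_group.app.id
    db      = aws_security_group.db.id
  }

  # Each rule names the group it attaches to and either a CIDR list or a peer
  # group. Only the load balancer accepts 0.0.0.0/0; the app and data tiers
  # are reachable solely by security group reference, and SSH to the app tier
  # is accepted only from the bastion, which in turn accepts only operator IPs.
  rules = {
    alb_in_https    = { sg = "alb",     type = "ingress", port = 443,          cidrs = ["0.0.0.0/0"],      peer = null }
    alb_out_app     = { sg = "alb",     type = "egress",  port = var.app_port, cidrs = null,               peer = "app" }
    bastion_in_ssh  = { sg = "bastion", type = "ingress", port = 22,           cidrs = var.operator_cidrs, peer = null }
    bastion_out_ssh = { sg = "bastion", type = "egress",  port = 22,           cidrs = null,               peer = "app" }
    app_in_http     = { sg = "app",     type = "ingress", port = var.app_port, cidrs = null,               peer = "alb" }
    app_in_ssh      = { sg = "app",     type = "ingress", port = 22,           cidrs = null,               peer = "bastion" }
    app_out_db      = { sg = "app",     type = "egress",  port = var.db_port,  cidrs = null,               peer = "db" }
    db_in_app       = { sg = "db",      type = "ingress", port = var.db_port,  cidrs = null,               peer = "app" }
  }
}

resource "aws_security_group_rule" "tier" {
  for_each = local.rules

  type              = each.value.type
  security_group_id = local.sg_ids[each.value.sg]
  protocol          = "tcp"
  from_port         = each.value.port
  to_port           = each.value.port

  # For egress rules, source_security_group_id names the destination group.
  cidr_blocks              = each.value.cidrs
  source_security_group_id = each.value.peer == null ? null : local.sg_ids[each.value.peer]
}
```

Because egress is explicit, the app tier as written cannot reach package mirrors or external APIs over 443; add such rules deliberately, with named destinations, rather than restoring a blanket outbound allow. Bastion reachability by source IP is a coarse filter and is why the MFA requirement sits on top of it.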

5.3 Penetration Testing

UpKeep partners with reputable third-party security firms to conduct annual penetration testing. As with all vulnerabilities, penetration test findings are prioritized for remediation based on the risk they pose to UpKeep and our customers.

6. Backups

6.1 Application Data Stores

UpKeep protects the information in our data stores through several mechanisms. All snapshots and backups are stored encrypted at rest, and our backup policies are designed to allow data recovery in the case of loss or corruption.

7. Disaster Recovery

UpKeep has designed our application infrastructure to be resilient to most sources of unplanned outages, including data center outages. We use multi-AZ (AWS Availability Zone) architectures and in most cases can recover from an event without any impact to customers.

8. Incident Response

UpKeep has developed a formal incident response process with specifically assigned roles. Our security incident response process includes notifying affected customers within two business days of confirming an actual or plausible data breach.
