Data security at Uptick

Understand our multi-layer approach to securing your data within our technical and business infrastructure.

Effective Date: 2019-05-10

1. Scope

This policy has been prepared to provide a clear understanding of the data storage and security model within the Uptick Platform, covering our generally available products.

Should any conflicts between documents exist, the Uptick Agreed Terms of Use should be relied upon.

The Uptick executive team, management, employees and Uptick contractors alike have read, acknowledged and agreed to abide by this data security and availability policy.

The Uptick data security policy defines our approach to securing your data.

2. Your obligations in securing platform data

Communicating over the internet has inherent risks. As you will read below, we have put many protocols in place; however, users should also implement strict security profiles within their organisation, including but not limited to anti-virus software if you use the Windows operating system, up-to-date operating systems, and the use of secure evergreen browsers (Mozilla Firefox or Google Chrome).

Generally speaking, the greatest data security risk is social, e.g. unauthorised access to the system provided by a current or former employee of an organisation. The Uptick platform provides strong data security protocols allowing you to minimise data theft and misuse.

PASSWORD MANAGEMENT

To access the Uptick Platform, users require a Username and Password. New users are typically provided access details by internal administrative users. Users have the ability to change their password as required. You and your employees are responsible for the security and confidentiality of personal login usernames and passwords.

You are responsible for locking out employees when they leave your business.

Password rotation is NOT encouraged as per the NIST security guidelines. Strong password use IS encouraged, and the strength of the password is displayed on all forms that deal with passwords. A minimum password strength and common password prevention are enforced.

SECURITY GROUPS

Uptick provides customisable Security Groups allowing you to assign permissions to your users tailored to your organisation. We strongly recommend you invest time in understanding and structuring your user groups to minimise all data security risks.

3. Uptick internal security controls

Uptick has implemented the following internal security protocols.

Physical controls including:

  • security log and keypad access into the Uptick building
  • security and alarm system enabled with 24/7 monitoring
  • company equipment is secured and locked nightly

Technological controls including:

  • instituted controls on appropriate password strength required to log into all company equipment
  • implementing security logs of access to the customer platform
  • using firewall and encryption technologies to protect the gateways and pipelines
  • limiting employee access to only the relevant systems required within scope of each employee's role or responsibility
  • limiting and monitoring access to the support gateway, which is through an approved Uptickhq.com username and password using industry-standard encryption technologies
  • electronic logs and controls of platform access
  • regulating all employee system controls and access
  • logging, monitoring and tracking transmissions in a manner that is commercially reasonable (up to 12 months historical log information)

Process Controls including:

  • policy and procedures dictating the access, usage and disclosure of customer information
  • manager appointed for security control and auditing
  • restrictions of access to server keys and logs
  • review and investigations into any reported security issues provided by hosting provider and software providers
  • notification process for any security breaches, with customers notified directly via email and breaches tagged on the Uptick Status Page

4. Standard Operating Environment for internal machines

Uptick staff operate from a Standard Operating Environment, either macOS or specific approved versions of Linux. Both operating systems are configured to receive automatic updates. Uptick staff primarily use MacBook or MacBook Pro machines with at-rest encryption, ensuring that a stolen MacBook cannot be used to access Uptick's systems or any customer data that may have been temporarily stored on the machine.

Uptick does not allow staff to use anti-virus, as research increasingly points to third-party anti-virus as an increasingly attractive threat vector given its access to the core system.

5. Data hosting security

Uptick invest in technological, physical and procedural processes to protect the security of our customers' data. Uptick have invested heavily with Amazon Web Services (AWS) since inception due to the security and scalability of the AWS system.

Amazon are one of the global leaders in hosting technology, used by many of the leading banks, governments, corporations and internet sites globally. They lead the market in security of the hosting environment, starting with physical security controls which include 24/7/365 monitoring and surveillance, on-site security staff and regular ongoing security audits.

Amazon resources (specifically EC2 and RDS) are configured for automatic rolling upgrades, and security patching is handled by the AWS security team. We use Kubernetes and containers to serve customer requests. These containers are immutable and thus provide a low surface area for traditional hacking operations.

Uptick host within the AWS S3, EC2, and ECS environments. This S3 environment supports security standards and compliance certifications including PCI-DSS, HIPAA/HITECH, FedRAMP, SEC Rule 17-a-4, EU Data Protection Directive, and FISMA, helping satisfy compliance requirements for virtually every regulatory agency around the globe.

Amazon EBS encryption offers an advanced encryption solution restricting who can access the storage environment. All data encrypted at rest uses AES-256 block-level storage encryption. Keys are managed by Amazon, and the individual volume keys are stable for the lifetime of the volume. HTTPS is forced for all traffic, with SSL keys from Let's Encrypt rotated every 90 days. For full details of the security environment instituted by AWS, please view the white paper.

Uptick institute tight internal controls as to who has access to the AWS environment, limited to those members of the team involved in devops.

6. Availability

Uptick provides all customers with a “highly available” service with all key components of the infrastructure hosted across multiple UK data centers, including the load balancers, database servers, caching servers, data storage, and background processing servers. For scheduled downtime this allows Uptick to provide rolling upgrades each month with less than a minute of downtime. Unscheduled downtime can occur, but Uptick can provide an SLA guaranteeing an uptime of 99.5%.

All data storage is encrypted at rest and stored in a highly durable environment, providing a 99.999999999% durability (11 nines).

7. Location of hosted data

Uptick exclusively uses Amazon Web Services (AWS) for the Primary Storage location for Customer Data (database and documents).

  • Primary Storage is defined as your data "at rest" and includes your customer database (data uploaded or entered) and all documents (files uploaded).
  • Temporary Data is defined as derivatives generated from your Primary Storage necessary to deliver the Product, including image thumbnails and PDF previews.
  • Backups are defined as snapshots of your data at a point in time.

Primary Storage adheres to strict data sovereignty requirements (Data Sovereignty Zone): customers from Australia or New Zealand will use the "ap-southeast-2" AWS Region located in Sydney. Customers from the UK will use the "eu-west-2" AWS Region located in London. Customers from the US or Canada will use the "us-west-1" AWS Region.

Backups (database and files) are stored within your Data Sovereignty Zone; however, these backups may be temporarily transferred out of your Data Sovereignty Zone by our engineering team should a support request not be able to be resolved by our support team (these instances are incredibly rare).

Temporary Data is generated (and, if necessary, cached) within your Data Sovereignty Zone, with exceptions for third-party services like Microsoft Office 365 Word Document previews where Uptick do not have control over the location used.

8. Access to your data and backups

Uptick allows customers to download most of their data via CSV through the Product itself.

Customers can also initiate a database backup through their Control Panel, which, for a fee, can be restored by our support team.

Uptick also maintains a rolling backup of the customer database on a highly durable read-only storage service (Amazon S3) to minimise the risk to the customer of any cyber security or data centre incident impacting the integrity or availability of the customer database.

9. SLA of the platform

For the SLA and remedy available to you, please refer to your customised SLA agreement. The SLA must be purchased separately in addition to the dedicated hosting option.

10. Updates to policy

Uptick reserves the right to change this Policy at any time. Any changes will become effective immediately upon publishing to the Uptickhq.com website. We will communicate all changes through the Uptick Blog and release notes (indicated by the rotating star) provided within the platform to all users, excluding end-customer portal logins.

Policy last updated: May 2019

11. If you have a request or complaint

To protect your data and the privacy of your users, we will need evidence of your identity before we can grant access to information or change settings for you.

We undertake to respond to complaints and requests within 5 working days and resolve them within 10 working days. If the request or complaint will take longer to resolve, we will provide you with a date by which we expect to respond.

12. Contact us

Should any items not be addressed in the above statement, please email support@uptickhq.com with any privacy concerns.

ISO-27001

Copyright Uptick 2024
All rights reserved