This policy has been prepared to provide a clear understanding of the data storage model within the Uptick Platform. The Uptick Platform consists of four interoperable systems;
This document should be understood as accompanying the following documents which together form the Uptick Data Policy
The Uptick executive team, management, employees and Uptick contractors alike have read, acknowledged and agreed to abide by this data security and availability policy.
Your obligations in securing platform data
Communicating over the internet has inherent risks. As you will read below, we have put many protocols in place; however, users should also maintain strict security practices within their organisation, including but not limited to anti-virus software, up-to-date operating systems, and use of secure evergreen browsers (Firefox or Chrome).
Generally speaking, the greatest data security risk is a social one: a current or former employee of an organisation. The Uptick platform provides strong data security controls that allow you to minimise data theft and misuse.
To access the Uptick Platform, users require a username and password. New users are typically provided their access details by internal administrative users. Users can change their password as required. You and your employees are responsible for the security and confidentiality of personal login usernames and passwords.
You are responsible for locking out employees' accounts when they leave your business.
In line with NIST security guidelines, periodic password rotation is NOT encouraged. Strong password use IS encouraged but not enforced; a password strength indicator is displayed on all change-password screens.
User Security Groups
Uptick provides Security Groups, through which the view, access and export rights of user groups can be managed and controlled. We strongly recommend you invest time in understanding and structuring your user groups to minimise data security risks.
Uptick internal security controls
Uptick has implemented the following internal security protocols.
Physical Controls including:
- security log and keypad access into the Uptick building
- security and alarm system enabled with 24/7 monitoring
- company equipment is secured and locked nightly
Technological Controls including:
- instituted controls on appropriate password strength required to log into all company equipment
- maintaining security logs of access to customer platforms
- using firewall and encryption technologies to protect the gateways and pipelines
- limiting employee access to only the relevant systems required within scope of each employee’s role or responsibility
- limiting and monitoring access to the support gateway, which requires an approved Uptickhq.com username and password
- using industry standard encryption technologies
- electronic logs and controls of platform access
- regulating all employee system controls and access
- logging, monitoring and tracking transmissions in a manner that is commercially reasonable (up to 12 months historical log information)
Process Controls including:
- policy and procedures dictating the access, usage and disclosure of customer information
- manager appointed for security control and auditing
- restrictions of access to server keys and logs
- review and investigation of any security issues reported by the hosting provider and software providers
- a notification process for any security breaches: customers are notified directly via email, and the breach is tagged on the Uptick Blog and Status page
Data hosting security
Uptick invests in technological, physical and procedural processes to protect the security of our customers' data. Uptick has invested heavily in Amazon Web Services (AWS) since inception because of the security and scalability of the AWS platform.
Amazon is one of the global leaders in hosting technology, used by many of the leading banks, governments, corporations and internet sites globally. They lead the market in hosting-environment security, starting with physical security controls that include 24/7/365 monitoring and surveillance, on-site security staff and regular ongoing security audits.
Uptick hosts within the AWS S3, EC2 and ECS environments. The S3 environment supports security standards and compliance certifications including PCI-DSS, HIPAA/HITECH, FedRAMP, SEC Rule 17-a-4, EU Data Protection Directive and FISMA, helping satisfy compliance requirements for virtually every regulatory agency around the globe.
Should you require Information Security Registered Assessors Program (IRAP) assessment for hosting of Australian Government data, as stipulated in some tenders, this can be provided at additional cost.
Amazon EBS encryption restricts who can access the storage environment. All data at rest is encrypted using AES-256 block-level storage encryption. Keys are managed by Amazon, and each volume's key remains stable for the lifetime of that volume. HTTPS is enforced for all traffic, with SSL certificates from Let's Encrypt rotated every 90 days. For full details of the security environment instituted by AWS, please refer to the AWS security white paper.
Uptick institutes tight internal controls over who has access to the AWS environment: only two employees, the CTO and the CEO, can gain access. An additional protocol is in place in case of their unavailability.
Location of hosted data
Uptick hosts exclusively within AWS's Asia Pacific (Sydney) data centre. All backups and redundancy processes also remain within Australia, in a secondary data centre also located in Sydney.
Using the Uptick Platform, you are guaranteed that your primary data resides exclusively within Australia.
However, as is common with modern software, Uptick uses some third parties for ancillary services. Of these, Cloudinary is used to cache images for the Uptick Mobile application, so that images load quickly irrespective of where the user (typically an Uptick App user) is located.
Access to your data and backups
Uptick allows static data to be downloaded from the Uptick system in CSV table format. As discussed earlier, we strongly recommend that User Group profiling be enabled and that data export be limited to specific users. All databases and files can be downloaded using this mechanism.
Transactional and historical data can be accessed via database backups only. Being a cloud-based system, Uptick automatically generates to-the-minute backups. These cover a straight 24-hour rolling window; the database does not distinguish non-business days or holidays. Uptick also takes rolling database backups with a 30-day rollback period, and twice-daily backups which run at 1pm and 6pm AEST and are retained for 60 days. Backups are in SQL table format.
If access to backup data is required, security protocols mean the request must be made to Uptick. Upon request, Uptick may, for a fee, download the backups from AWS and then copy them to an HDD or push them to an FTP server.
Availability and SLA of the platform
Uptick takes all commercially reasonable efforts to keep the Uptick platform available 99.9% of the time. Subject to the exclusions below, Uptick shall ensure that the Software has no less than 99.5% Uptime (as defined herein). "Uptime" means the Software is operational and is available to communicate with the internet.
1. Remedy: If the level of Uptime is not provided, as Customer’s sole and exclusive remedy, the Customer will be entitled to a credit (subject to the applicable procedures in this Agreement) in accordance with the schedule below. Credits may only be used towards future invoices from Uptick, and shall not entitle Customer to a cash refund of any kind, even if the Agreement is terminated or expires before use of all of Customer’s credits.
| Uptime Level  | Available Credit                    |
|---------------|-------------------------------------|
| 99.0%-99.5%   | Credit equal to 10% of monthly fees |
| 98.5%-99.0%   | Credit equal to 20% of monthly fees |
| 98.0%-98.5%   | Credit equal to 30% of monthly fees |
| 97.5%-98.0%   | Credit equal to 40% of monthly fees |
| Below 97%     | Credit equal to 50% of monthly fees |
2. Exclusions. This credit does not apply to the extent that the failure to achieve the Uptime is due or relates to:
- scheduled maintenance or downtime;
- any modifications or alterations of the Software made by any individual or entity other than Uptick or its authorized agents;
- any violation of the Agreement by Customer or its Users;
- any unavailability that cannot be reasonably recreated by Uptick;
- Customer's failure to comply with the documentation published for the Software;
- any third party software;
- the Public Circuit (as defined below);
- failures due to Force Majeure events; and/or
- Customer's or its Users' inability to access the Software due to problems with software, hardware, telecommunications, or networking equipment located in Customer's or its Users' own facilities, including internet connection.
“Public Circuit” means the third party provided circuits, overland and/or submarine cabling, and other connectivity infrastructure from a point of demarcation starting immediately after the ingress/egress router or similar appliance at Customer’s or its User’s site to the point immediately before the ingress/egress router or similar appliance at the facility used by Uptick to host the Software.
Updates to policy
Uptick reserves the right to change this Policy at any time. Any changes become effective immediately upon publishing to the Uptickhq.com website. We will communicate all changes through the Uptick Blog and the release notes (indicated by the rotating star) provided within the platform to all users, excluding end-customer portal logins.
Policy last updated: October 2017
If you have a request or complaint
To protect your data and the privacy of your users, we will need evidence of your identity before we can grant access to information or change settings for you.
We undertake to respond to complaints and requests within 5 working days and to resolve them within 10 working days. If a request or complaint will take longer to resolve, we will provide you with a date by which we expect to respond.
Please contact us about your privacy concerns should any items not be addressed in the above statement.