Free download: Field technician benefits & retention guide - get your copy here.
Understand our multi-layer approach to securing your data within our technical and business infrastructure.
This policy has been prepared to provide a clear understanding of the data storage and security model within the Uptick Platform, covering our generally available products.
Should any conflicts in documents exist the Uptick Agreed Terms of Use should be relied upon.
The Uptick executive team, management, employees and Uptick contractors alike, have read, acknowledged and agree to abide by this data security and availability policy.
The uptick data security policy defines our approach to securing your data.
Communicating over the internet has inherent risks. As you will read below we have put many protocols in place however users should also implement strict security profiles within their organisation including but not limited to anti-virus software if you use the Windows operating system, up-to-date operating systems, and usage of secure evergreen browsers (Mozilla Firefox or Google Chrome).
Generally speaking the greatest data security risk is social, eg unauthorised access to the system provided by a current or former employee of an organisation. The Uptick platform provides strong data security protocols allowing you to minimise data theft and misuse.
To access the Uptick Platform users require a Username and Password. New users are provided access details typically by internal administrative users. Users have the ability to change their password as required. You and your employees are responsible for the security and confidentiality of personal login usernames and passwords.
You are responsible to lockout employees when they leave your business.
Password rotation is NOT encouraged as per the NIST security guidelines. Strong password use IS encouraged, and the strength of the password is displayed on all forms that deal with passwords. A minimum password strength and common password prevention are enforced.
Uptick provides customisable Security Groups allowing you to assign permissions to your users tailored to your organisation. We strongly recommend you invest time in understanding and structuring your user groups to minimise all data security risks.
Uptick has implemented the following internal security protocols.
Physical controls including:
Technological controls including:
Process Controls including:
Uptick staff operate from a Standard Operating Environment, either Mac OS or specific approved versions of Linux. Both operating systems are configured to receive automatic updates. Uptick staff primarily use Macbook or Macbook Pro’s with at-rest encryption, ensuring that a stolen Macbook cannot be used to access Uptick’s system or access any customer data that may have been temporarily stored on a machine.
Uptick does not allow staff to use anti-virus, as research increasingly points to third party anti-virus as an increasingly attractive threat vector given it’s access to the core system.
Uptick invest in technological, physical and procedural processes to protect the security of our customers data. Uptick have invested heavily with Amazon Web Services (AWS) since inception due to security and scalability of the AWS System.
Amazon are one of the global leaders in hosting technology, used by many of the leading banks, governments, corporations and internet sites globally. They lead the market in security of hosting environment starting with physical security controls which include 24/7/365 monitoring and surveillance, on-site security staff and regular ongoing security audits.
Amazon resources (specifically EC2 and RDS) are configured for automatic rolling upgrades, and security patching is handled by the AWS security team. We use kubernetes and containers to serve customer requests. These containers are immutable and thus provide a low surface area for traditional hacking operations.
Uptick host within the AWS S3, EC2, and ECS environments. This S3 environment supports security standards and compliance certifications including PCI-DSS, HIPAA/HITECH, FedRAMP, SEC Rule 17-a-4, EU Data Protection Directive, and FISMA, helping satisfy compliance requirements for virtually every regulatory agency around the globe.
Amazon EBS encryption offers an advanced encryption solution restricting who can access the storage environment. All data encrypted at rest uses an AES-256, block-level storage encryption. Keys are managed by Amazon, the individual volume keys are stable for the lifetime of the volume. This security forces HTTPS for all traffic, SSL keys by LetsEncrypt rotated every 90 days. For full details of the security environment instituted by AWS please view the white paper.
Uptick institute tight controls internally as who has access into the AWS environment, limited to those members of the team involved in devops.
Uptick provides all customers with a “highly available” service with all key components of the infrastructure hosted across multiple UK data centers, including the load balancers, database servers, caching servers, data storage, and background processing servers. For scheduled downtime this allows Uptick to provide rolling upgrades each month with less than a minute of downtime. Unscheduled downtime can occur, but Uptick can provide an SLA guaranteeing an uptime of 99.5%.
All data storage is encrypted at rest and stored in a highly durable environment, providing a 99.999999999% durability (11 nines).
Uptick exclusively uses Amazon Web Services (AWS) for the Primary Storage location for Customer Data (database and documents).
Primary Storage adheres to strict data sovereignty requirements (Data Sovereignty Zone): customers from Australia or New Zealand will use the "ap-southeast-2" AWS Region located in Sydney. Customers from the UK will use the "eu-west-2" AWS Region located in London. Customers from the US or Canada will use the "us-west-1" AWS Region.
Backups (database and files) are stored within your Data Sovereignty Zone, however, these backups may be temporarily transferred out of your Data Sovereignty Zone by our engineering team should a support request not be able to be resolved by our support team (these instances are incredibly rare).
Temporary Data is generated (and if necessary) cached) within your Data Sovereignty Zone, with exceptions for third party services like Microsoft Office 365 Word Document previews where Uptick do not have control over the location used.
Uptick allows customers to download most of their data via CSV through the Product itself.
Customers can also initiate a database backup through their Control Panel, which for a fee, can be restored by our support team.
Uptick also maintains a rolling backup of the customer database on a highly durable read-only storage service (Amazon S3) to minimise the risk to the customer of any cyber security or data centre incident impacting the integrity or availability of the customer database.
For the SLA and remedy available to you, please refer to your customised SLA agreement. The SLA must be purchased separately in addition to the dedicated hosting option.
Uptick reserves the right to change this Policy at any time. Any changes will become effective immediately upon publishing to the Uptickhq.com website. We will communicate all changes through the Uptick Blog and release notes (indicated by the rotating star) provided within the platform to all users, excluding end-customer portal logins.
Policy last updated: May 2019
To protect your data and the privacy of your users, we will need evidence of your identity before we can grant access to information or change settings for you.
We undertake to respond to complaints and requests within 5 working days and resolve it within 10 working days. If the request or complaint will take longer to resolve, we will provide you with a date by which we expect to respond.
Should any items not be addressed in the above statement, please email support@uptickhq.com with any privacy concerns.