Privacy & Security
Key Features and SupportInformation Security Program
UpMetrics maintains a robust Information security program which consists of policies, procedures, and controls to maintain the confidentiality, integrity and availability of information and information assets. Compliance UpMetrics policies, procedures, and standards are in accordance with applicable industry standards such as the ISO 27001 and the SOC 2 Trust Service principles and criteria. Encryption and Logical Separation The Cloud Service (AWS) stores content encrypted at rest. This is done leveraging enterprise grade encryption industry standards employed on the storage backend. Communications between Customer’s endpoints and the Cloud Service (AWS) are encrypted in-transit with appropriate encryption standards for data in motion. The Cloud Service (AWS) includes logical separation of data between customers. In all cases, UpMetrics has implemented controls designed to prevent one customer from gaining unauthorized access to another customer’s data. UpMetrics Service Infrastructure Access Management Least Privilege Access to the systems and infrastructure that support the Cloud Service (AWS) is restricted to individuals who require such access as part of their job responsibilities. Unique User Identification Unique User IDs are assigned to such individuals as part of their hiring and onboarding process. Password requirements The password policy for the Cloud Service adheres to UpMetrics password requirements and is in accordance with industry standards, and best practices. Access Reviews Access reviews are performed on a periodic basis, Access privileges of terminated UpMetrics personnel are disabled promptly. Access privileges of persons transferring to jobs requiring reduced privileges are adjusted accordingly. Remote Access Review & Networking Appropriate security measures and controls are utilized for remote administration points of access to the Cloud Service (AWS) production environment. All access to the Cloud Service networks and sensitive information requires authentication and other access related security controls such as MFA and regularly rotated keys. Vulnerability Management The latest applicable patches and updates are applied promptly after becoming available and being tested in the Cloud Service’s pre-production environments. Potential impacts of vulnerabilities are evaluated by UpMetrics engineers. Security Operations monitors or subscribes to trusted sources of vulnerability reports and threat intelligence. Penetration tests by independent third parties are conducted at least annually. Detailed results from external penetration tests are not distributed or shared with anyone other than UpMetrics employees with a need to know. Redacted summaries are available with appropriate non-disclosure agreements in place. Secure Software Development UpMetrics Software Development Life Cycle (SDLC) framework is based on industry standards such as the OWASP, which ensures that secure design practices are integrated directly into the design and development process of the UpMetrics systems Risk Management UpMetrics maintains a risk management program based on industry guidance. UpMetrics conducts risk assessments of various scope throughout the year, including self and third-party assessments and tests, automated scans, and manual reviews. Threats are monitored through various means, including threat intelligence services, vendor notifications, and trusted public sources. Security Training and Personnel UpMetrics maintains a security awareness program for UpMetrics personnel, which provides initial education, ongoing awareness, and individual personnel acknowledgment of intent to comply with UpMetrics’s corporate security policies. New hires complete initial training on security, sign a proprietary information agreement, and digitally sign the information security policy that covers key aspects of the UpMetrics information security policy. All UpMetrics personnel are required to satisfactorily complete security training annually. Notification of Security Breach UpMetrics will notify customers in writing within seventy-two (72) hours of confirmed security breach. Notifications will summarize the known details of the Security Breach and the status of UpMetrics’s investigation. UpMetrics will take appropriate actions to contain, investigate, and mitigate any such Security Breach. Availability and Disaster Recovery UpMetrics maintains a Disaster Recovery Plan (DRP) for the Cloud Service. The DRP is tested annually. UpMetrics also maintains policies, procedures, and security controls to ensure the continuity of critical business functions in the event of a catastrophic event. This includes data center resiliency and data redundancy for the UpMetrics Cloud service Vulnerability Reporting In accordance with reasonable disclosure, we continue to respond to submitted security issues and encourage anyone to report bugs on our platform. To submit a bug for review, please send an email to security@upmetrics.com |
