Data security at Uptick
Understand our multi-layer approach to securing your data within our technical and business infrastructure.
At Uptick, we recognize that our customers entrust us with their most sensitive business information. Our security program is designed to maintain the confidentiality, integrity, and availability of your data through rigorous technical controls and organizational safeguards.
This data security document provides an overview of the Uptick Information Security Management System (ISMS). The Uptick ISMS is the formal framework Uptick uses to manage data security throughout the business, encompassing all security-related policies, procedures, and controls.
Uptick is ISO 27001 certified, and as part of this certification all documents, policies, procedures, controls and evidence are audited annually by an accredited auditing body. Many elements of our compliance are monitored in real time and available in our Trust Centre.
1. Hosting & Data Storage
Uptick exclusively uses Amazon Web Services (AWS) for hosting and customer data storage. We categorize data into three types to ensure transparency:
- Primary Storage: Your data "at rest," including your customer database and all uploaded documents.
- Temporary Data: Derivatives generated from your Primary Storage necessary to deliver the Product, such as image thumbnails and PDF previews.
- Customer Backups: Snapshots of your Customer Data at a point in time.
A Data Sovereignty Zone refers to the geographical location of your Primary Storage. Depending on your region, your data is hosted in a specific AWS Region:
- Australia & New Zealand: Sydney (ap-southeast-2)
- United Kingdom & Ireland: London (eu-west-2)
- United States & Canada: Northern California (us-west-1)
- Note: Canada customers will shortly transition to Calgary (ca-west-1).
Key Sovereignty Principles:
- Location Consistency: Primary Storage remains within your designated Data Sovereignty Zone. Any change to the Data Sovereignty Zone or Data Storage Provider must be notified to and agreed upon by the Customer.
- Backup Locality: Backups are stored within your Data Sovereignty Zone. However, these backups may be temporarily transferred out of your zone by our engineering team to resolve complex support escalations.
- Sub-processors: In addition to AWS, Uptick utilizes a vetted group of sub-processors (such as GitHub for source code and Google for enterprise tools) to deliver our services. All third-party vendors are subject to strict management and security reviews.
2. Infrastructure & Service Availability
We target a service availability of 99.9%. Historically, Uptick has maintained an uptime exceeding this target (often 99.99+%), ensuring Uptick is available in the field and in the office 24/7.
- Storage: All data storage is encrypted at rest and stored in a highly durable environment, providing 99.999999999% durability (11 nines).
- Encryption: All databases and file systems are encrypted at rest using managed keys. All external data transmission is encrypted end-to-end.
- Logical Separation: Customer data is logically separated and stored in separate databases to ensure strict isolation.
- 24/7 Monitoring: A comprehensive monitoring stack is used to track system health and security activities in real time.
3. Business Continuity & Disaster Recovery
Uptick maintains a comprehensive framework to ensure the resilience of our services in the case of a disaster.
- Redundancy: Data is replicated across multiple "Availability Zones" within your data sovereignty zone to protect against localized hardware or facility failures.
- Annual Testing: Our Disaster Recovery framework is not a static document; we perform formal testing and reviews at least annually to ensure our team can respond effectively to unforeseen events.
4. Backup & Restoration
To protect against catastrophic loss, we perform automatic, continuous backups of all customer and system data.
- Point-in-Time Recovery: Data is backed up continuously to allow for precise recovery (e.g. rather than backing up once a day, Uptick creates backups every minute).
- Retention Schedule: We maintain a rolling schedule of snapshots (Daily, Weekly, Monthly) with retention periods ranging from 7 to 45 days.
- Immutability: Backups are encrypted and immutable, meaning they cannot be destroyed until they naturally expire. They are stored separately to “hot” customer data, under a separate Amazon account, eliminating risk of data loss.
5. Internal Security & AI
We maintain internal protocols to ensure your data is only accessed when strictly necessary.
- Access Control: Uptick employees do not have direct administrative access to production data during normal operations. Access is granted only to specific roles for essential tasks (like onboarding or emergency recovery) and is strictly logged.
- Safe AI: Uptick does not use Customer Data to train third-party foundational models. Employees only use company-sanctioned AI tools that meet our data protection standards.
- Staff Training: All employees undergo mandatory security awareness training during onboarding and annually thereafter.
6. Your Responsibility
Data security is a shared partnership. To maintain the integrity of your account, we recommend:
- Strong Password Standards: We follow NIST guidelines, which prioritize password strength and common-password prevention over frequent rotation.
- Identity Management: We support Single Sign-On (SSO) via your Identity Provider for enhanced security and centralized access control.
- User Audits: You are responsible for managing your users and ensuring that employees are locked out immediately upon leaving your organization.
Additional Resources
- Review our Privacy Policy for information on how we handle personal data.
- Visit our Trust Center for real-time compliance monitoring and security certifications.


