Data Security & Protection Policy
Effective Date: 10th May 2019
This policy has been prepared to provide a clear understanding of the data storage and security model within the Uptick Platform, covering our generally available products.
The Uptick executive team, management, employees and Uptick contractors alike, have read, acknowledged and agree to abide by this data security and availability policy.
The Uptick data security policy defines our approach to securing your data.
2. Your obligations in securing platform data
Communicating over the internet has inherent risks. As you will read below, we have put many protocols in place; however, users should also implement strict security profiles within their organisation, including but not limited to anti-virus software if you use the Windows operating system, up-to-date operating systems, and use of secure evergreen browsers (Mozilla Firefox or Google Chrome).
Generally speaking, the greatest data security risk is social, e.g. unauthorised access to the system provided by a current or former employee of an organisation. The Uptick platform provides strong data security protocols allowing you to minimise data theft and misuse.
To access the Uptick Platform users require a Username and Password. New users are provided access details typically by internal administrative users. Users have the ability to change their password as required. You and your employees are responsible for the security and confidentiality of personal login usernames and passwords.
You are responsible for locking out employees when they leave your business.
Password rotation is NOT encouraged as per the NIST security guidelines. Strong password use IS encouraged, and the strength of the password is displayed on all forms that deal with passwords. A minimum password strength and common password prevention are enforced.
Uptick provides customisable Security Groups allowing you to assign permissions to your users tailored to your organisation. We strongly recommend you invest time in understanding and structuring your user groups to minimise all data security risks.
3. Uptick internal security controls
Uptick has implemented the following internal security protocols.
Physical controls including:
- security log and keypad access into the Uptick building
- security and alarm system enabled with 24/7 monitoring
- company equipment is secured and locked nightly
Technological controls including:
- instituted controls on appropriate password strength required to log into all company equipment
- maintaining security logs of access to customer platforms
- using firewall and encryption technologies to protect the gateways and pipelines
- limiting employee access to only the relevant systems required within scope of each employee’s role or responsibility
- limiting and monitoring access to the support gateway, which is only through an approved Uptickhq.com username and password using industry-standard encryption technologies
- electronic logs and controls of platform access
- regulating all employee system controls and access
- logging, monitoring and tracking transmissions in a manner that is commercially reasonable (up to 12 months historical log information)
Process Controls including:
- policy and procedures dictating the access, usage and disclosure of customer information
- manager appointed for security control and auditing
- restrictions of access to server keys and logs
- review and investigations into any reported security issues provided by hosting provider and software providers
- notification process for any security breaches to customers directly via email and tagged on the Uptick Status Page
4. Standard Operating Environment for internal machines
Uptick staff operate from a Standard Operating Environment, either macOS or specific approved versions of Linux. Both operating systems are configured to receive automatic updates. Uptick staff primarily use MacBook or MacBook Pro laptops with at-rest encryption, ensuring that a stolen MacBook cannot be used to access Uptick’s systems or any customer data that may have been temporarily stored on the machine. Uptick does not allow staff to use third-party anti-virus, as research increasingly points to third-party anti-virus as an attractive threat vector given its access to the core system.
5. Data hosting security
Uptick invest in technological, physical and procedural processes to protect the security of our customers’ data. Uptick have invested heavily in Amazon Web Services (AWS) since inception due to the security and scalability of the AWS platform.
Amazon are one of the global leaders in hosting technology, used by many of the leading banks, governments, corporations and internet sites globally. They lead the market in security of hosting environment starting with physical security controls which include 24/7/365 monitoring and surveillance, on-site security staff and regular ongoing security audits.
Amazon resources (specifically EC2 and RDS) are configured for automatic rolling upgrades, and security patching is handled by the AWS security team. We use Kubernetes and containers to serve customer requests. These containers are immutable and thus present a small attack surface for traditional hacking operations.
Uptick host within the AWS S3, EC2, and ECS environments. This S3 environment supports security standards and compliance certifications including PCI-DSS, HIPAA/HITECH, FedRAMP, SEC Rule 17-a-4, EU Data Protection Directive, and FISMA, helping satisfy compliance requirements for virtually every regulatory agency around the globe.
Should you require Information Security Registered Assessors Program (IRAP) for hosting of Australian Government data as stipulated in some tenders this can be provided at additional cost.
Amazon EBS encryption offers an advanced encryption solution restricting who can access the storage environment. All data at rest is encrypted using AES-256 block-level storage encryption. Keys are managed by Amazon, and the individual volume keys are stable for the lifetime of the volume. All traffic is forced over HTTPS, with TLS certificates issued by Let's Encrypt and rotated every 90 days. For full details of the security environment instituted by AWS, please view the AWS white paper.
Uptick institute tight controls internally as to who has access to the AWS environment, limited to those members of the team involved in devops.
Uptick provides all customers with a “highly available” service, with all key components of the infrastructure hosted across multiple Australian data centres, including the load balancers, database servers, caching servers, data storage, and background processing servers. For scheduled downtime, this allows Uptick to provide rolling upgrades each month with less than a minute of downtime. Unscheduled downtime can occur, but Uptick can provide an SLA guaranteeing an uptime of 99.5%.
All data storage is encrypted at rest and stored in a highly durable environment, providing a 99.999999999% durability (11 nines).
7. Location of hosted data
Uptick host exclusively within AWS’ Asia Pacific Sydney data centre. All backups and redundancy processes also remain located within Australia in a secondary data centre also located within Sydney.
Using the Uptick Platform you are guaranteed your primary data resides exclusively within Australia.
However, as is common with modern software, Uptick utilises some third parties for ancillary software. Of these, Cloudinary is used to cache images for the Uptick Mobile application. This service is used for speed of access to images irrespective of where the user (typically an Uptick App user) is located.
8. Access to your data and backups
Uptick provides for downloading of static data from the Uptick system in CSV table format for most types of data on the system.
Transactional and historical data can be accessed via database backups only. Being a cloud-based system, Uptick automatically generates to-the-minute backups. These typically cover a straight 24-hour rolling window; however, the period can be increased per your dedicated hosting agreement.
Uptick take rolling database backups with a 30-day rollback period, and twice-daily backups which run at 1pm and 6pm AEST. These backups are available for 60 days. Backups are in an SQL table format.
Upon request Uptick may, for a fee, download the backups from AWS and copy them to a hard drive or upload them to an FTP server.
9. SLA of the platform
Read our standard SLA Policy; for the specific details of your SLA and the remedies available to you, please refer to your customised SLA agreement. The SLA must be purchased separately in addition to the dedicated hosting option.
10. Updates to policy
Uptick reserve the right to change this Policy at any time. Any changes will become effective immediately upon publishing to the Uptickhq.com website. We will communicate all changes through the Uptick Blog and release notes (indicated by the rotating star) provided within the platform to all users, excluding end-customer portal logins.
Policy last updated: May 2019
11. If you have a request or complaint
To protect your data and the privacy of your users, we will need evidence of your identity before we can grant access to information or change settings for you.
We undertake to respond to complaints and requests within 5 working days and to resolve them within 10 working days. If the request or complaint will take longer to resolve, we will provide you with a date by which we expect to respond.
12. Contact us
Should any items not be addressed in the above statement, please email email@example.com with any privacy concerns.