Security at UpGuard
At UpGuard, we take security seriously. Security is embedded into UpGuard’s processes, products, and infrastructure. The UpGuard security program is maintained in alignment with ISO/IEC 27001 to systematically identify, assess, and manage information security risks. The program has embedded policies, processes, and tools with clear ownership and accountability to address information confidentiality, integrity, and availability requirements.

Security Certification

UpGuard is committed to securely managing your data. UpGuard is SOC 2, Type II certified, and undergoes certification on an annual basis.

If you’re a current customer you can access our reports via UpGuard’s shared profile.

Security Policies

UpGuard maintains security policies that are reviewed, communicated and approved by management to ensure everyone clearly knows their security responsibilities. UpGuard’s policies are audited annually as part of its SOC 2 certification.

Data Center

The UpGuard SaaS platform runs on the Google Cloud Platform. Google provides an extensive list of compliance and regulatory assurances, including SOC 2 and ISO/IEC 27001. See Google's compliance and security documentation for more detailed information.

Data Security
  • All customer data is encrypted at rest and in transit.
  • Access to the UpGuard configuration and data on Google Cloud Platform is restricted to authorized personnel who authenticate with 2FA over a VPN.
Application Security
  • The UpGuard service is developed using OWASP Secure Coding Practices. The Web Application is deployed and executed on Google Cloud Platform Kubernetes containers. The base container images are maintained and scanned for vulnerabilities by Google, and latest secure base images are used in each fortnightly release cycle.
  • All dependencies are scanned for vulnerabilities within the build process and the latest version of UpGuard is tested in a non-production environment.
  • In addition to UpGuard’s extensive testing program, UpGuard conducts application penetration testing by a third-party on an annual basis.
  • UpGuard supports Single Sign-On (SSO), allowing customers to authenticate with identities and authentication services under their own control. SSO using the open standards SAML and OIDC is supported. For more information regarding SSO, please click here.
  • Where organizations choose not to use SSO, user identities and credentials are maintained in Auth0, the industry-leading B2C cloud identity service. UpGuard requires users to have strong passwords.
  • Audit logging capabilities are available with the UpGuard platform depending on the user's subscription and provide visibility of user activities including when the user last logged in. Application and security logs are available to UpGuard engineers and cybersecurity personnel. Our application logs are available for 180 days, and our security logs are available for 400 days. UpGuard monitors logs and has alerts for unusual usage or failures for investigation.
Secure Development Life Cycle (SDLC)

Product development is executed through a documented SDLC process. All new product functionality goes through automated tests and a peer review process prior to release. UpGuard’s development and testing environments are separate from its production environment, and no customer data is used in the development/testing process.

Subprocessors

At UpGuard, we use third-party service providers to help with a number of services, including analytics, payments, sending transactional emails, and hosting our service. To provide optimal transparency to our customers, we disclose a list of third-party services that may have access to your data through your use of our service here.

Identity and Access Management for Employees

Operating on the principle of least privilege, employees have unique logins for all business critical systems and two-factor authentication is enforced wherever possible.

Hardware Security for Employees

UpGuard enforces Device Management policies that prevent access except from managed devices that are continuously checked for compliance with a security baseline. All laptops are managed, have encrypted hard drives, and are monitored with an endpoint detection and response (EDR) service.

Responsible Disclosure

If you believe you have discovered a vulnerability within UpGuard’s application, please submit a report to us by emailing security@upguard.com. UpGuard does not participate in a bug bounty program at this time, nor do we provide monetary rewards for findings.

If you believe your account has been compromised or you are seeing suspicious activity on your account please report it to: security@upguard.com.

Contact

If you have any additional questions regarding security at UpGuard, please contact us at: security@upguard.com.