Companies around the world trust UpGuard not only with access to their critical systems, but also with storing metadata about the configuration of those systems. It's a big job, and it's something we take very seriously. Whether you're using our hosted option or on-premises appliance, your data is secure.
UpGuard is subject to the SAQ A categorization of PCI compliance, as we do not store or process any card data. All card processing is handled by Stripe, which has been audited and certified to PCI Service Provider Level 1.
Compromised and abused credentials are the leading entry point for massive fraud. Two-factor authentication is the best way to prevent the use of stolen credentials. UpGuard requires two-factor authentication for employees to access their internal accounts and a separate login to access the UpGuard platform. Two-factor authentication is available to all users of UpGuard and is mandatory for employees.
UpGuard's containers are clustered for failover and self-healing regardless of deployment type. All users have access to 9x5 (US Pacific Time) support. Enterprise support can be purchased that includes high-availability appliance configuration and 24x7 support with dedicated engineers and a named account manager.
UpGuard deploys on top of containers, providing additional security by omitting unused protocols that expand the attack surface. Containerization also provides complete data segregation, as each customer using hosted UpGuard is supplied a separate database.
For customers who prefer not to use the hosted service, or who are prevented from doing so by regulatory requirements, UpGuard can be deployed on premises as a virtual appliance in OVA or AMI format. The appliance is a "black box"—it contains all the resources required for the UpGuard application to function and just needs you to host it.
We subject ourselves and our vendors to rigorous penetration testing on a regular basis. We employ Bugcrowd's team of professionals to perform deep testing of all of our services and identify potential security holes before they can be exploited, and we operate a public bug bounty so that researchers can report any issues they find with the platform in a controlled and secure manner.