Security

Building and maintaining a secure and reliable system is the top priority for Upstream Tech’s engineering team.

This document describes some of the processes and techniques we use to ensure that our customers’ data is protected.

General practices

  • All Upstream employees are required to enable MFA (multi-factor authentication) for all services used to conduct business, including but not limited to: email, VCS (source control), chat, billing, and cloud providers.
  • Employees use Single Sign-On or complex, unique passwords for every service.
  • Employees are given the least amount of access to customer data possible.
  • Security and privacy training are regularly provided to the entire company.

Software development practices

  • All code is reviewed by at least one other engineer.
  • We run automated tests and scans on every change to ensure quality.
  • We keep our runtimes and dependencies up to date to ensure we pick up bug and security fixes as soon as they’re available.
  • We use standard frameworks designed to prevent common attacks, such as those in the OWASP Top 10.

AAA (Authentication, Authorization, and Accounting)

  • We use Google’s Firebase Authentication platform to authenticate access to our products. 
  • We never store or log any credentials used by Firebase to authenticate access.

Information security

  • System credentials are encrypted in transit and at rest using Google Cloud Platform’s Cloud KMS (Key Management Service). No access to raw key material is given, and usage is audited. 
  • All customer data is encrypted in transit and at rest, both within our cloud environment and between Upstream Tech’s infrastructure and our customers’.
  • Upstream Tech APIs (used by our web applications, and directly by customers) require the use of HTTPS and TLS.
  • Customer data is automatically deleted 60 days after termination.

Production infrastructure

  • We run a container-based immutable infrastructure. All containers are automatically scanned for vulnerabilities, and issues are addressed quickly.
  • Our systems run in Google Cloud Platform, which has been independently certified as meeting or exceeding numerous security standards.
  • We run an automated CSPM (Cloud Security Posture Management) tool to identify risks and misconfigurations in our infrastructure.
  • Access to all resources in our VPC (Virtual Private Cloud) from the public internet is denied by default.
  • Dozens of checks run continuously to alert us to issues affecting customers. Our engineering team is automatically paged to ensure the system is stable.

System and data recovery

  • We retain database replication logs for 7 days to enable granular point-in-time recovery. Full database system backups are performed daily, and restoration is tested periodically.
  • Objects in blob storage (Google Cloud Storage) are automatically replicated. Older versions of sensitive data are temporarily saved to enable recovery from accidental corruption or deletion.
  • Uniform public access prevention is applied to buckets with customer data to avoid accidentally leaking data.

Incident management

  • Standard operation and debugging procedures for our systems are documented in runbooks.
  • Our customer support team proactively notifies customers of incidents causing extended impact.
  • We perform retrospectives for incidents that cause customer impact to improve our system.

Audits and assessments

  • While we adhere to many controls present in SOC 2, we have not yet gone through the certification process. We’re careful to limit our attack surface and avoid storing or retaining any sensitive PII. We carefully manage the time and focus of our small team and may consider certification in the future as the need arises.

Please contact team@upstream.tech with further questions about our security practices.