Solutions Developers About Us Newsroom Careers

Solutions

Developers

About us

Newsroom

Careers

We are hiring!

Get started with Upvest Explore API

Banking grade security

Security is at the heart of everything we do. We want you to understand how we process your information and ensure its safety, so this page outlines some of the steps we take to secure Upvest and our platform.

How we protect your data:

01.

Data Security

As a BaFin licensed financial institution, Upvest follows the strictest standards and guidelines on data handling. In addition to state of the art authentication techniques. Upvest does not save the client secret authentication data, which is required to obtain an OAuth token to use the Upvest API, and trigger any actions on behalf of the customer.

02.

Secure Network Architecture

Our networks are segregated based on criticality levels, with development and testing environments hosted in an entirely separate Google Cloud Platform (GCP) project from our production environment. All networks are carefully segmented using tightly-defined firewall rules defined on a per-port and protocol level, both externally and internally. The Google Cloud Platform is FIPS 140-2 Level 1 validated, PCI-DSS and SOC 3 compliant, and employs security industry best practice standards including ISO 27001 and ISO27017.

03.

Secure Data Encryption

All of our sensitive data is encrypted at rest using AES-256, leveraging either Google Cloud Key Management Service (KMS) or Hardware Security Modules (HSM). Data is always encrypted in transit using a strong AES128/256 TLSv1.2 configuration, both to our API endpoints as well as internally within our environment.

04.

Access Control

Each client of Upvest has a specific key pair for signing requests and as well as a unique identifier. Upvest does not directly save any private credentials, and therefore cannot access any client credentials. Each request is signed, providing integrity protection. The organisation follows the principle of least privilege as it pertains to internal access to customer data.

05.

Web Application Firewall

All traffic to Upvest services is routed through Cloudflare. We make use of Cloudflare's Web Application Firewall (WAF) to protect Upvest services from many attack types, including:

* Malicious scanning and scraper bots
* Injection attacks
* Distributed Denial of Service (DDoS)

We also rate-limit requests to our services to prevent malicious endpoints from adversely affecting performance.

How we secure ourselves:

01.

Two Factor Authentication

All Upvest employee accounts enforce the use of strong passwords, as well as the use of two-factor authentication (2FA). All employees are issued hardware 2FA keys. Employees with a higher degree of access are required to use a separate YubiKey with GPG for any signing or authentication purposes.

02.

Advanced DevSecOps

Our agile development team leverages cutting edge DevSecOps processes to ensure the quality and integrity of the code we deliver via our continuous integration (CI) pipeline which performs a number of checks to validate that the quality of the code meets our requirements, identify potential security flaws, and ensure that code deployments are only made by approved senior members of the engineering team.

03.

Logging and Monitoring

All actions performed within our environment, including access to sensitive data, are audit logged and monitored for unauthorised activity. Specific actions are only accessible to tightly restricted service accounts, and any unauthorised attempts to access sensitive data, manually or otherwise, will result in a security incident and response.

04.

Service Resilience

Encrypted backups are taken daily in order to ensure the recoverability of key customer data in the event of malicious or accidental loss. These backups are spread across geographically redundant zones, significantly reducing the risk of catastrophic loss. All critical systems are subject to continuous testing and service availability and quality monitoring, and our staff are on call to handle any service degradation.

05.

Employee Security Policies

Any customer data used to facilitate required processes, is tightly controlled, audited, and only accessible for a limited time to specific employees. Employee laptops are required to use full disk encryption, and each Upvest employee is provided with a 1Password credential management account to effectively create and manage strong, unique passwords.

06.

IT and Security Awareness Training

All Upvest employees are required to complete IT and Security awareness training to ensure the highest level of vigilance against cyber threats like phishing, or accidental mishandling of sensitive data. The Security team at Upvest regularly runs cyber threat related campaigns to ensure implemented policies are followed.

07.

Continuous Security Assessments

Upvest runs sophisticated tools of continuous automated vulnerability assessments on our infrastructure, and of our code. Additionally, we are committed to performing external penetration tests conducted by trusted vendors at least yearly. All of this allows Upvest to identify, remediate, and manage vulnerabilities early and efficiently.

Vulnerability Disclosure.

Upvest values security extremely highly and welcomes notification of any potential issues found in our platform in order to further strengthen our security. All vulnerability report submissions are read within hours of receipt, and we aim to respond to all submissions within 48 hours.

How we protect your privacy

Upvest is committed to protecting your personal information and ensuring that you are in control of your data. We adhere to the EU's General Data Protection Regulation (GDPR), which creates a framework for protecting personal data based on individual consent. Our platform stores very little personal information, and we anonymise information where possible.

We'd love to hear what you are building.

Get started with Upvest

Upvest GmbH is supported by the Pro FIT-Program of Investitionsbank Berlin with the goal to research and develop a prediction tool for blockchain transaction fees. This project was co-financed by the European Fund for Regional Development (EFRE).

Solutions Developers About us Newsroom

Careers Contact us Security

Imprint

Complaints Policy