Banking-grade security

Security is at the heart of everything we do. We want you to understand how we process your information and ensure its safety, so this page outlines some of the steps we take to secure Upvest and our platform.

How we protect your data:

As a BaFin-licensed financial institution, Upvest follows strict standards and guidelines on data handling. In addition to using state-of-the-art authentication techniques, Upvest does not store the client secret, the credential required to obtain an OAuth token for the Upvest API and to trigger actions on behalf of the customer.

Our networks are segregated by criticality level, with development and testing environments hosted in an entirely separate Google Cloud Platform (GCP) project from our production environment. All networks are segmented using tightly-defined firewall rules specified per port and protocol, both at the perimeter and internally. Google Cloud Platform uses FIPS 140-2 Level 1 validated cryptographic modules, is PCI DSS and SOC 3 compliant, and follows industry best-practice standards including ISO 27001 and ISO 27017.

All of our sensitive data is encrypted at rest with AES-256, using keys held in Google Cloud Key Management Service (KMS) or in Hardware Security Modules (HSM). Data is always encrypted in transit using a TLS 1.2 configuration restricted to strong AES-128/AES-256 cipher suites, both to our API endpoints and internally within our environment.

Each client of Upvest has its own key pair for signing requests, as well as a unique identifier. Upvest never stores a client's private key, and therefore cannot use any client's credentials. Each request is signed, providing integrity protection and proof of origin. Upvest follows the principle of least privilege for internal access to customer data.
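The signing model described above, shown as an added example rather than Upvest's own code or signing scheme: the client signs a canonical form of each request with an Ed25519 private key that never leaves it, and the server holds only the public key, so it can verify integrity and origin but cannot forge requests. The field names, canonical form, choice of Ed25519, replay window and the sample client ID are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Request is the part of an API call covered by the signature. The field names
// and the canonical form below are this example's own choices, not Upvest's scheme.
type Request struct {
	Method    string
	Path      string
	Body      []byte
	Timestamp int64  // Unix seconds; bounds the replay window
	ClientID  string // the client's public unique identifier
	Signature string // base64 Ed25519 signature over canonical(r)
}

// canonical serialises the signed fields so client and server hash identical
// bytes; the body enters via its SHA-256 digest rather than raw.
func canonical(r Request) []byte {
	digest := sha256.Sum256(r.Body)
	return []byte(strings.Join([]string{
		r.Method,
		r.Path,
		strconv.FormatInt(r.Timestamp, 10),
		r.ClientID,
		hex.EncodeToString(digest[:]),
	}, "\n"))
}

// NewClientKeys runs on the client side at onboarding. Only the public key is
// ever handed to the server.
func NewClientKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failing is unrecoverable
	}
	return pub, priv
}

// Sign runs on the client; the private key never leaves it.
func Sign(priv ed25519.PrivateKey, r Request) Request {
	r.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canonical(r)))
	return r
}

// Registry is everything the server stores per client: a public key keyed by
// client ID. Holding no private material, it cannot sign on a client's behalf.
type Registry map[string]ed25519.PublicKey

// Verify rejects unknown clients, requests outside the replay window, and any
// request whose method, path, body, timestamp or client ID was altered.
func (reg Registry) Verify(r Request, now time.Time, maxSkew time.Duration) error {
	pub, ok := reg[r.ClientID]
	if !ok {
		return fmt.Errorf("unknown client %q", r.ClientID)
	}
	if age := now.Sub(time.Unix(r.Timestamp, 0)); age > maxSkew || age < -maxSkew {
		return fmt.Errorf("timestamp %d outside replay window", r.Timestamp)
	}
	sig, err := base64.StdEncoding.DecodeString(r.Signature)
	if err != nil {
		return fmt.Errorf("malformed signature: %w", err)
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, canonical(r), sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

func main() {
	pub, priv := NewClientKeys()
	reg := Registry{"client-123": pub} // constructed sample client
	now := time.Now()
	req := Sign(priv, Request{
		Method: "POST", Path: "/orders", Body: []byte(`{"amount":100}`),
		Timestamp: now.Unix(), ClientID: "client-123",
	})
	fmt.Println("genuine request:", reg.Verify(req, now, time.Minute))

	tampered := req
	tampered.Body = []byte(`{"amount":999}`) // signature no longer covers this body
	fmt.Println("tampered body:  ", reg.Verify(tampered, now, time.Minute))

	fmt.Println("replayed later: ", reg.Verify(req, now.Add(10*time.Minute), time.Minute))
}
```

Binding the timestamp and client ID into the signed bytes is what turns a plain integrity check into a replay-bounded proof of origin; a production scheme would additionally carry a nonce or request ID so that a request cannot be replayed within the window either.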

All traffic to Upvest services is routed through Cloudflare. We make use of Cloudflare's Web Application Firewall (WAF) to protect Upvest services from many attack types, including:
 
* Malicious scanning and scraper bots
* Injection attacks
* Distributed Denial of Service (DDoS)

We also rate-limit requests to our services so that abusive clients cannot degrade performance for everyone else.
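One common way to implement the per-client rate limiting mentioned above is a token bucket, shown here as an added example (not Upvest's own implementation): each client identifier gets a bucket that refills at a steady rate up to a burst capacity, and a request is served only if a token is available. The burst size, refill rate and client IDs are assumptions for the example.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// bucket is the per-client state of a token bucket.
type bucket struct {
	tokens float64   // tokens currently available
	last   time.Time // time of the last refill
}

// Limiter applies a token bucket per client key (example design, not Upvest's).
type Limiter struct {
	mu       sync.Mutex
	capacity float64 // burst size
	rate     float64 // sustained tokens per second
	buckets  map[string]*bucket
}

// NewLimiter allows bursts of up to burst requests and perSecond requests sustained.
func NewLimiter(burst int, perSecond float64) *Limiter {
	return &Limiter{
		capacity: float64(burst),
		rate:     perSecond,
		buckets:  make(map[string]*bucket),
	}
}

// Allow reports whether the client identified by key may make a request at
// time now. The clock is injected so behaviour is deterministic under test.
func (l *Limiter) Allow(key string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()

	b, ok := l.buckets[key]
	if !ok {
		// First sight of this client: it starts with a full bucket.
		b = &bucket{tokens: l.capacity, last: now}
		l.buckets[key] = b
	}
	// Refill proportionally to elapsed time, never beyond the burst capacity.
	if elapsed := now.Sub(b.last).Seconds(); elapsed > 0 {
		b.tokens += elapsed * l.rate
		if b.tokens > l.capacity {
			b.tokens = l.capacity
		}
		b.last = now
	}
	if b.tokens < 1 {
		return false // caller should answer HTTP 429 Too Many Requests
	}
	b.tokens--
	return true
}

func main() {
	// Constructed scenario: burst of 5, then 1 request per second sustained.
	l := NewLimiter(5, 1)
	now := time.Now()
	for i := 1; i <= 6; i++ {
		fmt.Printf("client-a request %d allowed: %v\n", i, l.Allow("client-a", now))
	}
	// A different client is unaffected by client-a exhausting its bucket.
	fmt.Println("client-b allowed:", l.Allow("client-b", now))
	// Two seconds later client-a has earned two more tokens.
	later := now.Add(2 * time.Second)
	fmt.Println("client-a after 2s:", l.Allow("client-a", later), l.Allow("client-a", later), l.Allow("client-a", later))
}
```

Keying the bucket on an authenticated client identifier rather than a source IP stops one abusive client from consuming the allowance of others behind the same NAT, and the mutex keeps the refill-and-decrement step atomic under concurrent requests.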

How we secure ourselves:

All Upvest employee accounts require strong passwords and two-factor authentication (2FA), and every employee is issued a hardware 2FA key. Employees with a higher degree of access must additionally use a separate YubiKey holding GPG keys for signing and authentication.

Our development team follows DevSecOps practices: every change passes through a continuous integration (CI) pipeline that checks code quality against our requirements, scans for potential security flaws, and ensures that deployments can only be made by approved senior members of the engineering team.

All actions performed within our environment, including access to sensitive data, are audit-logged and monitored for unauthorised activity. Sensitive operations are available only to tightly restricted service accounts, and any unauthorised attempt to access sensitive data, manual or automated, triggers a security incident response.

Encrypted backups are taken daily in order to ensure the recoverability of key customer data in the event of malicious or accidental loss. These backups are spread across geographically redundant zones, significantly reducing the risk of catastrophic loss. All critical systems are subject to continuous testing and service availability and quality monitoring, and our staff are on call to handle any service degradation.

Any customer data used to carry out required processes is tightly controlled, audited, and accessible only to specific employees for a limited time. Employee laptops must use full-disk encryption, and each Upvest employee is provided with a 1Password account to create and manage strong, unique passwords.

All Upvest employees must complete IT and security awareness training so that they remain vigilant against threats such as phishing and the accidental mishandling of sensitive data. The Upvest security team regularly runs threat-awareness campaigns to check that the policies in place are followed in practice.

Upvest runs continuous automated vulnerability assessments of our infrastructure and our code. In addition, we commission external penetration tests from trusted vendors at least once a year. Together these allow Upvest to identify, remediate and manage vulnerabilities early and efficiently.

ISO 27001 Certified

Upvest has successfully attained ISO/IEC 27001 certification, demonstrating its commitment to information security management and a robust security-first culture. This certification reflects Upvest's dedication to protecting sensitive data and ensuring compliance with international security standards, reinforcing trust among clients and partners.

[Badge: ISO/IEC 27001:2022 Certified, issued by Insight Assurance]

Vulnerability Disclosure

Upvest welcomes reports of potential security issues in our platform, as they help us strengthen our security further. Every vulnerability report is read within hours of receipt, and we aim to respond to all submissions within 48 hours.

[Badge: response in under 48 hours]

How we protect your privacy

Upvest is committed to protecting your personal information and ensuring that you remain in control of your data. We adhere to the EU's General Data Protection Regulation (GDPR), which sets out the framework for lawful processing of personal data and the rights of data subjects. Our platform stores very little personal information, and we anonymise information wherever possible.
