Banking grade security

Security is at the heart of everything we do. We want you to understand how we process your information and ensure its safety, so this page outlines some of the steps we take to secure Upvest and our platform.

Illustration for Upvest banking grade security

How We Protect Your Data

Tick icon for Upvest security features

Restricted Wallet Handling

The Upvest Enclave is a highly restricted purpose-built bare kernel environment for the handling of sensitive operations. It is not possible for transactions to take place without the involvement of the user and their authentication credentials, which are securely passed through to this restricted environment. No other Upvest system has the necessary pieces to perform valid operations on the encrypted wallet material, and once the requested operation has been carried out, any decrypted wallet or key material is securely destroyed.

Tick icon for Upvest security features

Secure Network Architecture

Our networks are segregated based on criticality levels, with development and testing environments hosted in an entirely separate Google Cloud Platform (GCP) project from our production environment. All networks are carefully segmented using tightly-defined firewall rules defined on a per-port and protocol level, both externally and internally. The Google Cloud Platform is FIPS 140-2 Level 1 validated, PCI-DSS and SOC 3 compliant, and employs security industry best practice standards including ISO 27001 and ISO27017.

Tick icon for Upvest security features

Secure Data Encryption

All of our sensitive data is encrypted at rest using AES-256, and we employ Hardware Security Modules (HSM) in the encryption of all user wallets. Data is always encrypted in transit using a strong AES128/256 TLSv1.2 configuration, both to our API endpoints as well as internally within our environment.

Tick icon for Upvest security features

Authentication and Access Control

Authentication credentials are securely salted and hashed using scrypt (with a high iteration), and all API calls are authenticated and integrity protected using per-request HMACs. Access control is enforced on the principle of least privilege, both externally and internally.

Tick icon for Upvest security features

Web Application Firewall

All traffic to Upvest services is routed through Cloudflare. We make use of Cloudflare's Web Application Firewall (WAF) to protect Upvest services from many attack types, including:
• Malicious scanning and scraper bots
• Injection attacks
• Distributed Denial of Service (DDoS)
We also rate-limit requests to our services to prevent malicious endpoints from adversely affecting performance.

How We Secure Ourselves

Tick icon for Upvest security features

Two Factor Authentication

All Upvest employee accounts enforce the use of strong passwords, as well as the use of two-factor authentication (2FA). Employees with a higher degree of access are required to use a separate YubiKey for authentication purposes. We also enforce the use of 2FA for any of our customers who use our production blockchain environment.

Tick icon for Upvest security features

Advanced DevSecOps

Our agile development team leverages cutting edge DevSecOps processes to ensure the quality and integrity of the code we deliver: All code commits must be digitally signed by developers, and our continuous integration (CI) pipeline performs a number of checks to validate that the quality of the code meets our requirements, identify potential security flaws, and ensure that code deployments are only made by approved senior members of the engineering team.

Tick icon for Upvest security features

Logging and Monitoring

All actions performed within our environment, including access to sensitive data, are audit logged and monitored for unauthorised activity. Specific actions are only accessible to tightly restricted service accounts, and any unauthorised attempts to access sensitive data, manually or otherwise, will immediately raise a security incident.

Tick icon for Upvest security features

Service Resilience

Encrypted backups are taken daily in order to ensure the recoverability of key customer data in the event of malicious or accidental loss. These backups are spread across geographically redundant zones, significantly reducing the risk of catastrophic loss. All critical systems are subject to continuous testing and service availability and quality monitoring, and our staff are on call to handle any service degradation.

Tick icon for Upvest security features

Employee Security Policies

No wallet customer data, encrypted or otherwise, resides on Upvest employee laptops. These are nonetheless required to be subject to full disk encryption, with strong passwords. Each Upvest employee is provided with a 1Password credential management account to effectively create and manage strong, unique passwords.

How We Protect Your Privacy

Upvest is committed to protecting your personal information and ensuring that you are in control of your data. We adhere to the EU's General Data Protection Regulation (GDPR), which creates a framework for protecting personal data based on individual consent. Our platform stores very little personal information, and we anonymise information where possible.

Illustration for Upvest privacy policy
Illustration for Upvest vulnerability disclosure

Vulnerability Disclosure

Upvest values security extremely highly and welcomes notification of any potential issues found in our platform in order to further strengthen our security. All vulnerability report submissions are read within hours of receipt, and we aim to respond to all submissions within 48 hours.

Ready to get started?

Get in touch with our team, or check out our developer sandbox.