Trust Center

Security & Trust

Upstone LLC is committed to protecting customer data and operating its products with discipline. This page summarises the controls, processes, and commitments that govern our infrastructure and software delivery.

1. Data protection

All customer data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256. Database backups are encrypted with the same standard and stored in geographically separated regions. Access to production data is restricted by role and reviewed quarterly.

2. Hosting and infrastructure

Our products are hosted on hardened cloud infrastructure with redundant networking, automated failover, and continuous monitoring. Production systems are isolated from development and staging environments with strict network policies.

3. Authentication and access control

Passwords for customer-facing accounts are hashed with industry-standard algorithms (bcrypt/argon2), and accounts support optional two-factor authentication. Internal administrative access is gated by hardware-backed 2FA and audit-logged.

4. GDPR and privacy

Upstone LLC processes personal data in compliance with the EU General Data Protection Regulation (GDPR) and equivalent frameworks. We act as a data processor on behalf of our enterprise customers under a signed Data Processing Agreement. Customers may request export or deletion of their personal data at any time by writing to privacy@upstone.io.

5. Payments and PCI

All payment processing is handled exclusively by Stripe (a PCI-DSS Level 1 certified provider). Upstone LLC never stores raw card numbers or CVV codes on its own infrastructure.

6. Subprocessors

We rely on a small number of trusted third-party subprocessors for hosting, email delivery, analytics, and payments. The current list and their data-handling roles are available on request to customers under a Data Processing Agreement.

7. Business continuity

Critical services are backed up on a daily basis with point-in-time recovery available for transactional databases. Recovery procedures are tested periodically and disaster recovery objectives are defined per product.

8. Vulnerability disclosure

We welcome responsible disclosure from the security community. If you believe you have found a security vulnerability in one of our products or services, please email security@upstone.io. We aim to acknowledge reports within 5 business days.

9. Compliance roadmap

Our compliance program is actively maturing. We track readiness against SOC 2 Type II and ISO 27001 frameworks and prioritise controls based on customer demand and regulatory exposure.

Need our security questionnaire response?

Enterprise customers and procurement teams can request our standard security questionnaire, Data Processing Agreement, and subprocessor list by writing to security@upstone.io.