Security Policy

At UpTk LLC, security is a foundational part of how we design and operate our platform. We follow industry best practices to protect the confidentiality, integrity, and availability of user data.

1. Infrastructure & Data Hosting

All infrastructure is hosted on Amazon Web Services (AWS) within private VPCs. Databases and backend services are not directly reachable from the public internet. Only AWS Lambda functions running under narrowly scoped IAM roles can reach backend resources.

2. Encryption Standards

All traffic is encrypted in transit using TLS 1.2 or later, and HTTPS is enforced on every endpoint. Sensitive data such as tokens and affiliate credentials is encrypted at rest using AES-256, and user passwords are never stored in plaintext.

3. Authentication & Access Control

All users authenticate with individual credentials, and sensitive actions require a verified email address. Internal systems use role-based access control to limit employee access to production data.

4. Secure Development Practices

All code is version-controlled and peer-reviewed before merge. Automated dependency checks and static analysis run as part of the build to catch known-vulnerable packages and common code defects before release. Secrets are supplied through environment variables and are never hardcoded or committed to source control.

5. Monitoring & Incident Response

We monitor our systems for anomalies, failed logins, and unauthorized access attempts. If a breach is detected, we invoke our internal incident response plan and notify affected users as required by law.

6. Vendor Security

All third-party services, such as Stripe, MongoDB Atlas, and Userlist, are vetted for SOC 2, ISO 27001, or equivalent compliance. Data shared with vendors is limited to what the integration requires and is encrypted in transit.

7. Responsible Disclosure

If you discover a vulnerability, we encourage you to report it by emailing us at info@uptk.io. We take all reports seriously and aim to resolve issues promptly.

8. Access Control & Least Privilege

Access to systems and personal data is governed by role-based access control and the principle of least privilege. Employees are granted only the permissions required for their duties, and all access is logged and periodically reviewed.

9. Data Classification & Encryption

All user data is classified according to sensitivity and protected accordingly. Sensitive information is encrypted at rest using AES-256 and in transit via HTTPS (TLS 1.2+). Credentials and API tokens are stored securely and are never written to logs.

10. Incident Response

UpTk maintains a documented incident response policy that defines roles, escalation procedures, and communication channels. Our team monitors for security incidents and is prepared to respond quickly in case of breaches or misuse.

11. Threat & Vulnerability Management

We conduct regular vulnerability scans using industry-standard tools such as OWASP ZAP. Findings are triaged by severity and remediated on a timeline appropriate to their risk. Our build process includes automated security linting and dependency checks.

12. Endpoint Protection & Operational Baseline

Developer and administrator endpoints are protected with up-to-date anti-malware software. Devices are configured with screen lock, disk encryption, and strong password policies. Multi-factor authentication is enforced across admin systems.

13. Personal Data Handling & Privacy

Our internal data protection policies are reviewed regularly and aligned with our published Privacy Policy. We minimize the collection of personal data and limit access based on operational necessity.

Thank you for helping us keep UpTk secure.