
Security Trust Center

Security

At Upwind, we manage security with a layered approach that reflects our Software as a Service (SaaS) framework. We have created a shared responsibility model that outlines the controls we’ve inherited from our cloud service providers (CSPs) and the security responsibility Upwind has to our customers.

Platform and Network Security

The foundation of security at Upwind is infrastructure security. Upwind depends on our Virtual Private Cloud (VPC), which provides logical isolation of our internal networks. We manage security groups with configured inbound and outbound rules to restrict and limit network access.

Availability

We build highly available products that serve various monitoring and observability needs for our customers through scalability inherited from our CSP. Upwind provides a 99.9% uptime commitment for the Core Service, as well as some priority support features, to its Enterprise Plan (and above) customers who are current on their payment obligations, as further indicated in this Service Level Agreement (“Service Level Agreement” or “SLA”). Full details can be found here: https://www.upwind.io/service-level-agreement.

Personnel Security

At Upwind, all employees participate in helping secure our customer data and company assets. Where applicable by law, Upwind performs background screenings on personnel prior to joining the organization. All Upwind personnel undergo regular security and privacy awareness training that weaves security into technical and non-technical roles. Our security training materials are based on individual roles to ensure employees have the tools to handle the specific security-oriented challenges they encounter in their jobs.

Product Security

Product security is of great importance at Upwind. We incorporate security into the design of our products from the first stages of our software development lifecycle. We develop products in line with general Agile methodologies and integrate security throughout the Agile release cycle. This allows us to discover vulnerabilities sooner, so we can address them more rapidly than we would if we used longer release cycles. Well-defined change management policies and procedures determine when and how changes occur. This philosophy is central to DevOps security and the development methodologies that have driven Upwind adoption. You can find more information through our Trust Platform.

Patch Management

Upwind releases software patches as part of our continuous integration process. We strive to ensure that patches which can impact end users are applied as soon as possible and within our established service level agreements (SLAs), by sending end user notifications and scheduling service windows.

Physical Security

As a SaaS provider, Upwind production infrastructure is hosted in cloud service provider (CSP) environments. These CSPs manage physical and environmental security controls for Upwind production servers, including buildings, locks, and door keys.

Physical security practices at the Upwind offices include strict enforcement of badge access to enter the building, as well as to access Upwind floors and secure work areas. All visitors are required to provide identification to receive a visitor’s badge and must be escorted by an Upwind employee at all times. All entries and exits are monitored by security cameras.

Data Security

Access Management

Upwind grants access to assets and sensitive information on a need-to-know basis according to role. Access is controlled based on the principle of least privilege, meaning users have only the level of access required to perform their job functions. Additionally, we enforce multi-factor authentication, which combines strong passwords with a secondary factor. Upwind third parties do not have direct access to production systems.

Upwind has implemented multiple layers of access controls for administrative roles and privileges. As with regular user accounts, we also enforce the principles of least privilege and need-to-know for access to customer data for administrative accounts.

We monitor and log access to all production environments for security purposes. Additionally, access is audited and baselined to meet our security and compliance requirements.

Protection of Customer Data

Data submitted to the Upwind service by authorized users is considered confidential. This data is protected in transit across public networks and encrypted at rest. Customer data is not authorized to exit the Upwind production service environment except in limited circumstances, such as to support a customer request. Upwind also provides a Sensitive Data Scanner that customers can use to scrub PII and other sensitive data before it is sent to the Upwind application.

All data transmitted between Upwind and our users is protected using Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS). If encrypted communication is interrupted, the Upwind application is inaccessible.

Upwind has implemented controls to ensure the integrity and confidentiality of administrative credentials and access mechanisms, and we enforce full-disk encryption and unique credentials for workstations.

Privacy Policy

At Upwind, we respect your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, and disclose your personal information when you visit our website at upwind.io (“Site”) and interact with us. Additional information about our Privacy Policy is available at: https://www.upwind.io/privacy-policy

Monitoring

Upwind monitors critical infrastructure for security-related events using a custom implementation of open source and commercial technologies. Activity data, such as API calls and operating system-level calls, is logged to a central point, where it is passed through a series of custom rules designed to identify malicious or unapproved behavior. The results of these rules are fed into an orchestration platform that triggers automated actions, which may include directly alerting the security team or prompting additional authentication requirements.

Certifications, Attestations and Frameworks

Upwind maintains active SOC 2 Type II compliance.

Laws and Regulations

Upwind’s solution is compliant with various data protection laws and regulations applicable to the services we provide.

GDPR

Upwind is compliant with the General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. Upwind has worked to enhance its products, processes, and procedures to meet its obligations as a data processor.

Vendor Management

Upwind leverages a number of third-party applications and services in support of the delivery of our products to our customers. The Upwind Security Team recognizes that the company’s information assets and vendor dependencies are critical to our continuing operations and delivery of services. As such, Upwind’s Security and Privacy teams have established a vendor management program that sets forth the requirements to be established and agreed upon when Upwind engages with third parties or external vendors. These engagements are designed to assess the technical, physical, and administrative controls in place and to ensure they are commensurate with the expectations of Upwind and its customers.

Additional information about our vendors is available on our Third Party Software and Services page.

Report An Issue

If you believe you’ve discovered a bug in Upwind’s security, please get in touch at security@upwind.io and we will get back to you within 24 hours. We request that you not publicly disclose the issue until we have had a chance to address it.