Security Trust Center
Security
At Upwind, we manage security with a layered approach that reflects our Software as a Service (SaaS) framework. We have created a shared responsibility model that outlines the controls we've inherited from our cloud service providers (CSPs) and the security responsibility Upwind has to our customers.
Platform and Network Security
The foundation of security at Upwind is infrastructure security. Upwind depends on our Virtual Private Cloud (VPC) which involves the logical isolation of our internal networks. We manage security groups with configured inbound and outbound rules to restrict and limit network access.
Availability
We build highly available products that service various monitoring and observability needs for our customers through scalability inherited from our CSP. Upwind provides 99.9% uptime commitment for the Core Service as well as some priority support features to its Enterprise Plan (and above) customers, who are currently on their payment obligations, as further indicated in our Service Level Agreement .
Personnel Security
At Upwind, all employees participate in helping secure our customer data and company assets. Where applicable by law, Upwind performs background screenings on personnel prior to joining the organization. All Upwind personnel undergo regular security and privacy awareness training that weaves security into technical and non-technical roles. Our security training materials are based on individual roles to ensure employees have the tools to handle the specific security-oriented challenges they encounter in their jobs.
Product Security
Product security is of great importance at Upwind. We incorporate security into the design of our products from the first stages of our software development lifecycle. We develop products in line with general Agile methodologies and integrate security throughout the Agile release cycle. This allows us to discover vulnerabilities sooner, so we can address them more rapidly than we would if we used longer release cycles. Well-defined change management policies and procedures determine when and how changes occur. This philosophy is central to DevOps security and the development methodologies that have driven Upwind adoption. You can find more information through our Trust Platform.
Patch Management
Upwind releases software patches as part of our continuous integration process. We strive to ensure patches that can impact end users are applied as soon as possible and within our established service level agreements (SLA) by sending end user notifications and scheduling service windows.
Physical Security
As a SaaS provider, Upwind production infrastructure is hosted in cloud service provider (CSP) environments. These CSPs manage physical and environmental security controls for Upwind production servers, including buildings, locks, and door keys.
Physical security practices at the Upwind offices include strict enforcement of badge access to enter the building, as well as to access Upwind floors and secure work areas. All visitors are required to provide identification to receive a visitor's badge and are to be escorted by a Upwind employee at all times. All entries and exits are monitored by security cameras.
Data Security
Access Management
Upwind grants access to assets and sensitive information on a need-to-know basis based on role. Access is controlled based on the principle of least privilege, meaning users have only the level of access required to perform their job functions. Additionally, we enforce multi-factor authentication, which includes strong passwords and a secondary factor. Upwind third parties do not have direct access to production systems.
Upwind has implemented multiple layers of access controls for administrative roles and privileges. As with regular user accounts, we also enforce the principles of least privilege and need-to-know for access to customer data for administrative accounts.
We monitor and log access to all production environments for security purposes. Additionally, access is audited and baselined to meet our security and compliance requirements.
Protection of Customer Data
Data submitted to the Upwind service by authorized users is considered confidential. This data is protected in transit across public networks and encrypted at rest. Customer data is not authorized to exit the Upwind production service environment except in limited circumstances such as to support a customer request. Upwind also provides a Sensitive Data Scanner Customers can use to scrub PII and sensitive data sent to the Upwind application.
All data transmitted between Upwind and our users is protected using Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS). If encrypted communication is interrupted, the Upwind application is inaccessible.
Upwind has implemented controls to ensure the integrity and confidentiality of administrative credentials and access mechanisms, and we enforce full-disk encryption and unique credentials for workstations.
Privacy Policy
At Upwind, we respect your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, and disclose your personal information when you visit our website at upwind.io (Site) and interact with us.
Monitoring
Upwind monitors critical infrastructure for security-related events by using a custom implementation of open source and commercial technologies. Activity data such as API calls and operating system-level calls are logged to a central point, where the information is passed through a series of custom rules designed to identify malicious or unapproved behavior. The results of these rules are fed into an orchestration platform that triggers automated actions, which may include directly alerting the security team or prompting additional authentication requirements.
Certifications, Attestations and Frameworks
Upwind maintains active SOC 2 Type II compliance.
Laws and Regulations
Upwind's solution is compliant with various data protection laws and regulations applicable to the services we provide.
GDPR
Upwind is compliant with the General Data Protection Regulation (GDPR) which went into effect on May 25, 2018. Upwind has worked to enhance its products, processes, and procedures to meet its obligations as a data processor.
Vendor Management
Upwind leverages a number of third party applications and services in support of the delivery of our products to our customers. The Upwind Security Team recognizes that the company's information assets and vendor dependencies are critical to our continuing operations and delivery of services. As such, Upwind's Security and Privacy teams have established a vendor management program that sets forth the requirements to be established and agreed upon when Upwind engages with third parties or external vendors. These engagements are designed to assess the technical, physical, and administrative controls in place and to ensure they are commensurate with the expectations of Upwind and its customers.
Additional information about our third-party software and services is available on our Third Party Terms page.
Report An Issue
If you believe you've discovered a bug in Upwind's security, please get in touch at security@upwind.io and we will get back to you within 24 hours. We request that you not publicly disclose the issue until we have had a chance to address it.