Upserve is committed to the protection and responsible use of information entrusted to us. We fulfill this commitment by encouraging a culture of security and by embedding reasonable security measures in to everything we do.

Recipe for Security

  • Our security measures are regularly tested by qualified internal and external people to ensure our protections are performing as expected
  • We use two-factor authentication and strong passwords to protect access to all sensitive systems and information
  • We log and regularly review access to sensitive systems and information
  • We restrict access to sensitive systems and information to only those team members with a legitimate need for access
  • We are audited by an independent PCI Qualified Security Assessor and confirmed to be compliant with all PCI DSS requirements as a Level 1 PCI Service Provider.
  • We develop software following industry accepted best practices, such as those recommended by Open Web Application Security Project (OWASP).
  • Our security policies, standards, and procedures are documented and regularly reviewed to ensure they remain current with industry accepted best practices

Protecting Sensitive Information

Upserve designs its systems to protect sensitive information.

  • Storage of unencrypted payment card data is not permitted within our systems or on Breadcrumb devices
  • We always encrypt sensitive data and generally encrypt all data (regardless of sensitivity) during transmission
  • All payment card numbers are encrypted with 2048-bit RSA keys
  • The decryption keys are stored separately and access to such keys is highly restricted
  • The infrastructure for accepting, storing, and encrypting payment card numbers is separate from the infrastructure which can decrypt payment card numbers
  • We have installed an industry leading endpoint protection system to detect and prevent attacks on all systems used by team members

Building Access Control

Upserve’s corporate premises maintains a high standard of physical security. Below are the security measures taken to protect the data to which we’re uniquely positioned to have access.

  • 24/7/365 3rd party Security Guard services
  • Exterior keyless entry badge system that govern building entrances
  • Interior security cameras with recorded footage
  • Upserve private floors are also controlled with a keyless badge entry system. This badge entry system centrally audits every entry attempt that is made for access and is managed by a third party security vendor.
  • Security logs can be only be reviewed by Upserve Facilities teams and those facilities personnel with security job duties with the building
  • Guards perform regular patrols throughout Upserve’s facilities and varying intervals.

Secure Data Center Facilities

Upserve has partnered with Amazon Web Services (AWS) as our cloud service provider. AWS is responsible for the physical security of the facilities where we process data and has meet the requirements of several industry standard compliance programs, including ISO 27001, SOC2, and PCI DSS. Upserve periodically reviews these audit reports to ensure AWS is meeting their responsibilities.

Passwords and Access Credentials

When you register for the Service, Upserve requires a password from you for your privacy and security. Upserve transmits information such as your Registration Information for Upserve securely. We maintain strict rules to help prevent others from guessing your password. We also recommend that you change your password periodically. Your password must be at least 6 characters in length. You are responsible for maintaining the security of your Login ID and Password. You may not provide these credentials to any third party. If you believe that they have been stolen or been made known to others, you must contact us immediately at security@upserve.com, but in any event you should change your password immediately via the Service. We are not responsible if someone else accesses your account through Registration Information they have obtained from you or through a violation by you of this Privacy and Security Policy or Upserve’s Terms of Use.

Breadcrumb POS Security

https://upserve.com/platform/restaurant-pos/security/

Privacy

Upserve’s Privacy Policy can be found at /privacy.

Security Research and Vulnerability Disclosure

Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities. If you believe you have discovered a security vulnerability, please report it through our HackerOne program. Upserve rewards the confidential disclosure of any security vulnerability with demonstrable impact to the confidentiality, integrity, or availability of our services.

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of our security research policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Terms & Conditions, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.

If you have other security questions or concerns, you should contact your Customer Success Manager, Support, or security@upserve.com.