Upserve is committed to the protection and responsible use of information entrusted to us. We fulfill this commitment by encouraging a culture of security and by embedding reasonable security measures into everything we do.
Recipe for Security
- Our security measures are regularly tested by qualified internal and external people to ensure our protections are performing as expected
- We use two-factor authentication and strong passwords to protect access to all sensitive systems and information
- We log and regularly review access to sensitive systems and information
- We restrict access to sensitive systems and information to only those team members with a legitimate need for access
- We are audited by an independent PCI Qualified Security Assessor and confirmed to be compliant with all PCI DSS requirements as a Level 1 PCI Service Provider.
- We develop software following industry-accepted best practices, such as those recommended by the Open Web Application Security Project (OWASP).
- Our security policies, standards, and procedures are documented and regularly reviewed to ensure they remain current with industry accepted best practices
Protecting Sensitive Information
Upserve designs its systems to protect sensitive information.
- Storage of unencrypted payment card data is not permitted within our systems or on Breadcrumb devices
- We always encrypt sensitive data and generally encrypt all data (regardless of sensitivity) during transmission
- All payment card numbers are encrypted with 2048-bit RSA keys
- The decryption keys are stored separately and access to such keys is highly restricted
- The infrastructure for accepting, storing, and encrypting payment card numbers is separate from the infrastructure which can decrypt payment card numbers
- We have installed an industry leading endpoint protection system to detect and prevent attacks on all systems used by team members
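The list above describes a split architecture: the systems that accept and store card numbers hold only an RSA public key, while a separately hosted tier holds the private key. The following Go program is an added illustration of that design, not Upserve's code; it models the two tiers as two types so the capture side cannot decrypt by construction. It assumes RSA-OAEP with SHA-256 and a fixed purpose label (the page states only "2048-bit RSA keys"), keeps the private key in memory where production would use an HSM or KMS, and uses a well-known test card number as constructed sample input.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample input: a well-known test PAN, not a real card number.
const samplePAN = "4111111111111111"

// oaepLabel is an assumption: it binds a ciphertext to this purpose so that
// a ciphertext produced for PAN storage cannot be presented as something else.
var oaepLabel = []byte("pan-encryption-v1")

// CaptureTier models the infrastructure that accepts and stores card numbers.
// It is provisioned with the public key only: it can produce ciphertext but
// holds nothing that can recover a PAN.
type CaptureTier struct {
	pub   *rsa.PublicKey
	store map[string][]byte // hypothetical record store: record ID -> ciphertext
}

// DecryptTier models the separately hosted infrastructure holding the private
// key (an HSM or KMS in practice; a plain in-memory key in this example).
type DecryptTier struct {
	priv *rsa.PrivateKey
}

// NewTiers generates a 2048-bit RSA key pair and hands each tier only the
// half it needs.
func NewTiers() (*CaptureTier, *DecryptTier, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	pubCopy := priv.PublicKey // the capture tier never receives priv
	return &CaptureTier{pub: &pubCopy, store: map[string][]byte{}},
		&DecryptTier{priv: priv}, nil
}

// Store encrypts the PAN under RSA-OAEP(SHA-256) and keeps only the
// ciphertext; the plaintext never reaches the record store.
func (c *CaptureTier) Store(recordID, pan string) error {
	if len(pan) < 12 || len(pan) > 19 {
		return errors.New("PAN length out of range")
	}
	for _, r := range pan {
		if r < '0' || r > '9' {
			return errors.New("PAN must be numeric")
		}
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, c.pub, []byte(pan), oaepLabel)
	if err != nil {
		return err
	}
	c.store[recordID] = ct
	return nil
}

// Ciphertext returns a copy of a record's stored ciphertext, which is all the
// capture tier is ever able to hand over.
func (c *CaptureTier) Ciphertext(recordID string) ([]byte, bool) {
	ct, ok := c.store[recordID]
	if !ok {
		return nil, false
	}
	return append([]byte(nil), ct...), true
}

// Reveal recovers a PAN. The OAEP padding check rejects a modified
// ciphertext instead of returning a garbled card number.
func (d *DecryptTier) Reveal(ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, d.priv, ct, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	capture, decrypt, err := NewTiers()
	if err != nil {
		panic(err)
	}
	_ = capture.Store("order-1", samplePAN)
	_ = capture.Store("order-2", samplePAN)
	c1, _ := capture.Ciphertext("order-1")
	c2, _ := capture.Ciphertext("order-2")
	fmt.Printf("stored bytes differ from PAN: %v\n", string(c1) != samplePAN)
	fmt.Printf("same PAN, different ciphertexts (OAEP is randomized): %v\n", string(c1) != string(c2))
	pan, err := decrypt.Reveal(c1)
	fmt.Printf("decrypt tier recovers PAN: %v (err=%v)\n", pan == samplePAN, err)
	c1[len(c1)-1] ^= 0x01
	_, err = decrypt.Reveal(c1)
	fmt.Printf("tampered ciphertext rejected: %v\n", err != nil)
}
```

Two design points follow from the code. Encrypting the PAN directly with RSA works only because a card number is far below the OAEP message limit (190 bytes for a 2048-bit key with SHA-256); larger records would need a hybrid scheme with a symmetric data key. And because OAEP is randomized, two ciphertexts of the same PAN do not match, so the capture tier cannot use the stored ciphertext for equality lookups; any such lookup needs a separate token, never a plaintext or deterministic copy of the card number.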
Building Access Control
Upserve’s corporate premises maintain a high standard of physical security. Below are the measures taken to protect the data to which we are uniquely positioned to have access.
- 24/7/365 3rd party Security Guard services
- Exterior keyless badge entry system that governs building entrances
- Interior security cameras with recorded footage
- Upserve private floors are also controlled with a keyless badge entry system. This badge entry system centrally audits every entry attempt that is made for access and is managed by a third party security vendor.
- Security logs can only be reviewed by the Upserve Facilities team and building personnel with security job duties
- Guards perform regular patrols throughout Upserve’s facilities at varying intervals.
Secure Data Center Facilities
Upserve has partnered with Amazon Web Services (AWS) as our cloud service provider. AWS is responsible for the physical security of the facilities where we process data and has met the requirements of several industry-standard compliance programs, including ISO 27001, SOC 2, and PCI DSS. Upserve periodically reviews these audit reports to ensure AWS is meeting its responsibilities.
Passwords and Access Credentials
Breadcrumb POS Security
Security Research and Vulnerability Disclosure
Upserve is committed to protecting the privacy and security of our users. We recognize the valuable role security researchers play in making our services more secure and are committed to working with you to verify and resolve legitimate security vulnerabilities. If you believe you have discovered a security vulnerability, please report it through our HackerOne program. Upserve rewards the confidential disclosure of any security vulnerability with demonstrable impact to the confidentiality, integrity, or availability of our services.
We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of our security research policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. To the extent your activities are inconsistent with certain restrictions in our Terms & Conditions, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.