Security Policy
Effective Date: December 8, 2025
Elucidsoft LLC, a Virginia limited liability company doing business as Upstat ("Upstat," "we," "us," or "our"), is committed to maintaining the security of our systems and protecting our customers. This Security Policy describes our security practices and how to report potential security vulnerabilities.
1. Infrastructure Security
1.1 Hosting and Data Centers
Upstat is hosted on Google Cloud Platform (GCP) in the US-Central region. Google Cloud provides enterprise-grade physical security, including 24/7 monitoring, biometric access controls, and environmental protections.
1.2 Encryption
All data transmitted to and from Upstat is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 encryption. Integration credentials and sensitive configuration data receive additional encryption at the application layer.
1.3 Access Controls
We implement role-based access controls and the principle of least privilege across our infrastructure and internal systems. Administrative access requires multi-factor authentication.
1.4 Monitoring
We continuously monitor our systems for security threats, anomalies, and unauthorized access attempts. Security events are logged and retained for analysis and incident response.
2. Application Security
2.1 Secure Development
Our development practices include code review, automated security testing, and dependency vulnerability scanning. We follow industry-standard secure coding guidelines to prevent common vulnerabilities such as injection attacks, cross-site scripting, and authentication flaws.
2.2 Authentication
Upstat uses Firebase Authentication for secure user authentication, supporting Google single sign-on. Session tokens are securely generated and managed with appropriate expiration policies.
2.3 Data Isolation
Customer data is logically isolated at the application layer. Access controls ensure that users can only access data belonging to their own accounts and projects.
3. Audits and Compliance
Security audits, penetration testing reports, and custom security questionnaires are available exclusively to customers on Enterprise plans. If your organization requires security documentation, vendor risk assessments, or the ability to conduct your own security audits of our systems, please contact us about our Enterprise offerings.
For Enterprise plan inquiries, contact support@upstat.io.
4. Vulnerability Disclosure
We appreciate security researchers who help us identify potential vulnerabilities in our systems. This section describes how to report security issues responsibly.
4.1 Scope
The following systems are in scope for security research:
- The Upstat web application at https://app.upstat.io
- The Upstat marketing website at https://upstat.io
- The Upstat API at https://api.upstat.io
The following are out of scope:
- Third-party services and integrations
- Customer-hosted status pages on custom domains
- Physical security or social engineering
- Denial of service attacks
- Automated scanner output without manual verification
- Missing security headers without demonstrable impact
4.2 How to Report
Report potential vulnerabilities by email to support@upstat.io with the subject line "Security Vulnerability Report". Include a detailed description, steps to reproduce, and any proof-of-concept materials.
4.3 Safe Harbor
Security research conducted in good faith and in accordance with this policy is considered authorized. Good faith research means complying with applicable laws, not accessing or modifying other users' data, ceasing testing upon discovery, and not publicly disclosing vulnerabilities before we have had reasonable time to address them.
4.4 What to Expect
We review all reports we receive but do not provide acknowledgment of receipt, status updates, or resolution notifications. We prioritize remediation based on our assessment of severity and impact.
4.5 Prohibited Activities
The following activities are not authorized:
- Denial of service or degradation of services
- Accessing or modifying data belonging to other users
- Social engineering, phishing, or physical attacks
- Public disclosure before remediation
- Extortion, demanding payment, or threatening disclosure
Reports accompanied by demands for compensation or threats will be disregarded.
5. Legal
5.1 Governing Law
This Policy shall be governed by and construed in accordance with the laws of the Commonwealth of Virginia, United States, without regard to its conflict of laws principles.
5.2 Modifications
Upstat reserves the right to modify this Policy at any time without prior notice.
5.3 Reservation of Rights
This Policy does not waive any rights or create any obligations beyond what is expressly stated. Upstat reserves all rights not expressly granted herein, including the right to pursue legal action against any party whose actions fall outside the scope of this Policy or violate applicable law.
6. Contact Information
For security-related inquiries, please contact:
Elucidsoft LLC d/b/a Upstat
2769 Jefferson Davis Highway
Suite 111-1054
Stafford, Virginia 22554
United States
Email: support@upstat.io