Data and security

Revised on: January 25, 2023

This policy should be read in conjunction with our Privacy Policy, and describes the data security protocols in place with respect to data stored on or processed as part of our services.

Application Security

Firstup, Inc. and its affiliated entities (“Firstup”) maintain appropriate systems security in accordance with commercially reasonable industry standards and practices designed to protect data and information, including application vulnerability tests and the use of robust customer communications through a web security layer.

  • All application access is authenticated, and communication is secured using standard industry practices.
  • Systems identity is tied to individual users by the use of credentials and by second-factor authentication where possible.
  • Firstup maintains reasonable authentication controls that conform to standard industry practices.

Firstup agrees to ensure that authorized users are only allowed to perform actions within their privilege level, with resources protected based upon role or privilege level, and to prevent privilege escalation attacks.

Firstup follows secure coding practices: developers are trained in secure development practices, and applications are written using a formal process designed to provide evidence that application security vulnerabilities are not present before moving into production, with validation by tools such as dynamic application scanning and/or static code analysis.

Password and account management at Firstup follows standard industry practices, including:

  • Encrypting passwords using “hashing” and “salting” techniques.
  • Enforcing password complexity.
  • Limiting failed attempts before account lockout.
  • Not allowing clear passwords.
  • Not sending password resets with credentials, including log commands, where appropriate.

Vulnerability Disclosure

If you would like to report a vulnerability, please contact security@firstup.io with a proof of concept, list of tools used, and the output of the tools. If you choose to disclose a vulnerability, you are expressly agreeing to our Vulnerability Disclosure requirements.

If a vulnerability disclosure is received, we will work quickly to reproduce each vulnerability to verify its status before taking the steps needed to remedy.

Data Security

Firstup implements the following standard industry practices:

  • Data at rest
    • Firstup data is encrypted using standard industry practices such as AES-256.
    • Backups of Firstup data have the same controls as production data.
    • Deletion or scrubbing of data is performed using standard industry practices.
    • Secure management of cryptographic keys based on standard industry practices.
    • Firstup maintains a data classification program based on standard industry practices.
  • Data in motion
    • Customer data in transit to or from Firstup will be encrypted (e.g., SFTP, certificate-based authentication).
    • Customer data sent over the browser utilizes TLSv1.2 or better.
    • Secure management of cryptographic keys based on standard industry practices.
  • Multi-tenancy
    • Firstup maintains appropriate security controls and cryptographic methods to protect and logically isolate customer data from other tenants.
  • Administrative access and environment segregation apply the principle of least privilege, designed to ensure that access is limited to administrators who must see customer data in order to fulfill their job functions, that confidential data is masked (where possible), and that customer data is not replicated to non-production environments.

Threat Management

Firstup maintains an intrusion detection monitoring process at the network and host level to detect unwanted or hostile network traffic. Firstup maintains measures designed to ensure alerting when the system or service detects unusual or malicious activity. Firstup also performs independent, intrusive application penetration tests, at a minimum annually.

Infrastructure Security

Firstup configures its infrastructure to be secure by monitoring and logging all system access to servers to produce an audit trail, which is stored securely to reduce the risk of loss due to tampering.

Firstup complies with standard industry practices, separating perimeter networks from endpoints hosted in the private network using industry-standard firewalls or equivalent measures. Firstup updates its firewall software continuously, on a scheduled basis, following the availability of updates by the software provider.

Firstup tests its perimeter devices continuously on a scheduled basis, and, if deficiencies are discovered, Firstup promptly troubleshoots and remediates security deficiencies discovered as a result of such testing or as a result of logging access attempts, based upon the risk of the deficiency.

In addition to the third-party vulnerability assessments, Firstup implements commercially reasonable processes designed to protect customer data from system vulnerabilities. These processes include perimeter scanning, internal infrastructure scanning through the use of industry-standard vulnerability scanning solutions, and anti-malware scanning, as well as complying with standard industry practices for platform hardening and secure configuration in order to reduce attack scope and surface.

Security Procedures

Firstup has implemented the following practices:

  • Incident response: Firstup maintains security incident management policies and procedures, including detailed security incident escalation procedures.
  • Patch management: Firstup uses a patch management process and toolset to keep all servers up to date with appropriate security and feature patches.
  • Documented remediation process: Firstup uses a documented remediation process designed to address all identified threats and vulnerabilities in a timely manner.
  • Employee termination procedures: Firstup promptly terminates all credentials and access to privileged password facilities of a Firstup employee in the event of termination of employment.

Governance

Firstup maintains a written information security program that is approved annually by Firstup and published and communicated to all Firstup employees and relevant third parties.

All Firstup employees, contractors, and managers are required to complete relevant training on an annual basis. To the extent permitted by applicable law, Firstup performs background investigations for all applicable employees, contractors, or consultants who have access to confidential information.

Firstup also conducts annual SOC 2 Type 2 and ISO 27001 audits.

Physical Security

Firstup limits access to its facilities to employees and employee-accompanied visitors using commercially reasonable physical security methods.

Firstup maintains a disaster recovery plan for the restoration of critical processes and operations, including a recovery point objective of less than two hours for production data, a recovery time objective of less than two hours for production systems, and, if the Firstup disaster recovery plan is invoked, Firstup shall execute such a plan and restore service availability.