    SECURITY AND PRIVACY

    Security and privacy at Uplift.

    How we handle your data, your access, and your trust. Built for buyers who can't afford surprises.

    Certifications and audits.

    SOC 2 Type II

    Audit currently in progress with an independent assessor. SOC 2 Type I report is available on request under NDA.

    ISO 27001

    Certified annually against the international standard for information security management. Covers people, process, and platform controls.

    GDPR-aligned

    EU data residency available by default. DPA, SCCs, and Article 28 processor terms ready to sign. Subject access requests honored within 30 days.

    Where your data lives.

    Uplift runs on AWS in EU and US regions. You choose where your tenant data is stored at signup. We do not move data across regions without your explicit consent. Backups stay in the same geography as your primary region.

    Primary region: AWS eu-west-1 or us-east-1 (you choose)
    Backup region: Same-geography pair, encrypted at rest
    Data sovereignty: No cross-region transfer without your written consent
    Encryption: AES-256 at rest, TLS 1.3 in transit

    What Uplift can and cannot see.

    What Uplift sees

    • Routine descriptions you share with us
    • Integration configurations and connection metadata
    • Agent execution logs (for debugging and reliability)
    • Aggregated usage metrics (run counts, error rates)

    What Uplift cannot see

    • The contents of your CRM records
    • Email body data passing through agents
    • Customer PII processed inside your tenant
    • Anything encrypted with your tenant keys at rest or in transit

    Zero-knowledge architecture means we cannot read what your agents process. Only you can.

    Access controls.

    • SSO via Google Workspace, Microsoft 365, and Okta
    • SCIM provisioning for enterprise plans
    • Role-based permissions: Admin, Builder, Viewer
    • Audit log of every access and action - 90-day retention on Pro, unlimited on Enterprise
    • One-click revoke for any agent or integration

    Incident response.

    1. We monitor 24/7.

      Production runtime is observed for anomalies, breaches, and availability. On-call rotation covers every hour of every day.

    2. We notify within 72 hours.

      Per GDPR Article 33, any qualifying incident triggers a customer notification within 72 hours of detection - with what we know, what we don't, and what we're doing.

    3. We post-mortem in writing.

      After resolution, we share a redacted post-mortem with affected customers so they know what happened, what changed, and what we'll do differently.

    Subprocessors.

    Subprocessor | Purpose             | Region  | Updated
    AWS          | Hosting and storage | EU / US | 2026-05
    Stripe       | Payment processing  | US      | 2026-05
    Resend       | Transactional email | EU      | 2026-05
    Contentful   | Content management  | EU      | 2026-05
    PostHog      | Product analytics   | EU      | 2026-05

    We notify customers 30 days before adding any new subprocessor.

    Report a vulnerability.

    Found a security issue?

    Email security@getuplift.ai. We acknowledge within 24 hours and credit responsible disclosure.

    Have a security questionnaire?

    Send it to security@getuplift.ai - we keep a pre-filled standard ready (SIG, CAIQ, custom).

    Want to bring this to your security team?

    Apply for access and we'll send the full security pack within 48 hours.