Security At Ucentric
At Ucentric, we take the security and privacy of our customers and our customers' users extremely seriously.
Below you'll find information about how we build and maintain secure systems. For information about privacy, view our Privacy Page.
Application Security Features
We value the privacy and security of our users so we've built various features right into our product to make your experience with Ucentric more secure. Visit our Knowledge Base to learn how to take advantage of these features in your Ucentric account.
- Role Based Access Controls
Following the principle of least privilege, we give your account members access to only the things they need. Permissions can be set to allow read-only access to data.
- Multi-Factor Authentication
Users authenticating with username and password can optionally set up another authentication factor by using TOTP (time-based one-time passwords). Alternatively, users can authenticate through a federated provider like Google.
- Session Control & Session Logging
Every session is logged and viewable by the end user in the account's session history. Details like IP address, location and User Agent help you to spot suspicious behavior. Active sessions can be revoked, immediately logging out the affected devices.
- Password Restrictions
Ucentric follows industry best practices, requiring passwords to contain at least one number and one symbol.
- Signature Validation
Ucentric uses optional signature validation to control access to your content and to verify webhook messages. By creating a token using your API key and secret, you can limit access to your content to only users who are authenticated by your system and possess the token you've created. A similar practice can be followed for webhooks to verify that the webhook was actually sent by Ucentric and not another party.
- 0 Downtime API Key Rotation
Ucentric supports creation of multiple API keys, allowing you to rotate credentials without any effect on your application.
- Origin Allowlist
Mark specific origins as allowed to load client-side code from your account. This prevents others from loading your Ucentric content without your permission.
- Encryption In Transit
All Ucentric applications use HTTPS exclusively. Insecure connections are automatically routed to secure connections.
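The Signature Validation feature above describes two uses of your API key and secret: an access token that gates your content, and a signature that proves a webhook came from Ucentric. The following is an added illustration, not Ucentric's own code: the page does not document the exact token or signature layout, so the HMAC-SHA256 construction, the field order, the five-minute replay window and the credentials below are all assumptions.

```python
import hashlib
import hmac

# Constructed credentials for this example; a real deployment uses the key and
# secret issued for the account. Token and signature layouts are assumptions.
API_KEY = "ak_example"
API_SECRET = b"example-secret-do-not-use"
MAX_AGE_SECONDS = 300  # replay window: reject deliveries older than 5 minutes


def _mac(secret: bytes, *parts: bytes) -> str:
    """HMAC-SHA256 over dot-joined fields (fields are assumed not to contain '.')."""
    return hmac.new(secret, b".".join(parts), hashlib.sha256).hexdigest()


def make_access_token(user_id: str, expires_at: int) -> str:
    """Your server mints this after authenticating the user; the client presents it."""
    mac = _mac(API_SECRET, API_KEY.encode(), user_id.encode(), str(expires_at).encode())
    return f"{API_KEY}.{user_id}.{expires_at}.{mac}"


def verify_access_token(token: str, now: int) -> bool:
    """Content side: reject malformed, wrong-key, expired or forged tokens."""
    try:
        key, user_id, expires_str, mac = token.split(".")
        expires_at = int(expires_str)
    except ValueError:
        return False
    if key != API_KEY or now > expires_at:
        return False
    expected = _mac(API_SECRET, key.encode(), user_id.encode(), expires_str.encode())
    return hmac.compare_digest(expected, mac)  # constant-time comparison


def sign_webhook(timestamp: int, body: bytes) -> str:
    """What the sender computes over the timestamp and the raw request body."""
    return _mac(API_SECRET, str(timestamp).encode(), body)


def verify_webhook(timestamp: int, body: bytes, signature: str, now: int) -> bool:
    """Receiver side: recompute over the raw body, check freshness, compare in constant time."""
    if abs(now - timestamp) > MAX_AGE_SECONDS:
        return False  # stale or replayed delivery
    return hmac.compare_digest(sign_webhook(timestamp, body), signature)
```

Verify against the raw request bytes, not a re-serialised JSON object, since any whitespace or key-order change would invalidate the signature.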
Engineering Security Practices
Our engineering practices include high coding standards and a variety of processes designed to guard against attempted security breaches.
- Internal R&D Processes
Ucentric utilizes high quality development processes and coding standards to ensure that we adhere to security best practices.
Our engineers regularly participate in security awareness training and secure application development training.
Immutable infrastructure: we don't make changes to live code or running servers in production. Where applicable, we use Terraform, Docker and other tools to treat infrastructure as code.
We use continuous integration and deployment automation.
- Instance and Network Security
Ucentric utilizes encryption at rest for databases, as well as automated backups. Every Ucentric service runs inside a well-defined Docker container that allows specific levels of access. Our network is segmented using security groups, VPCs, and ACLs in Amazon Web Services.
- Physical Data Center Security
Ucentric runs on Amazon Web Services and, as a result, inherits the control environment which AWS maintains and demonstrates via SSAE16 SOC 1, 2 and 3, ISO 27001 and FedRAMP/FISMA reports and certifications. Data centers are secured and monitored 24/7, and physical access to AWS is limited to AWS staff.
All data centers are located in the United States.
- Access Management
All traffic to Ucentric services occurs over a secure TLS connection.
We host our systems with Amazon Web Services. We use strong, unique passwords and multi-factor authentication (when available) for all of these services, and limit access to only Ucentric staff and systems which have a legitimate need.
Access to customer data by Ucentric employees is limited to an as-needed basis (e.g., to resolve customer issues).
- Data Confidentiality and Retention
We store backups of selections of our data in the cloud, and our maximum retention period for backups is 90 days.
When requested, we will destroy a user’s account, removing all customer data associated with that account.
Passwords and other sensitive information are encrypted with strong encryption algorithms.
All our employees and contractors (workers) sign confidentiality agreements before gaining access to our code and data.
- Vulnerability Management
We use automated tools provided by GitHub to scan our codebase for vulnerabilities. If vulnerabilities are found, they are triaged and fixed in a timely manner determined by the severity of the issue.
- Incident Response and Remediation
We strive for a 99.99% uptime across all our products.
All of our services are deployed in at least two availability zones to mitigate any single data center availability issues.
In the unlikely event that data stored in the Ucentric database were to be lost or damaged, we would be able to restore from backup with a loss of no more than 5 minutes of data.
We monitor our services 24/7 using automated tools. An engineer will be on call to respond to events. We post incidents and scheduled maintenance on our status page. Users can subscribe to updates via RSS.
Payments & Billing
We use Stripe for processing payments. As a result, we do not store information such as credit card numbers. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1.
Security is a top priority for Ucentric so we welcome the discovery of any vulnerability which might compromise security. We will publicly acknowledge researchers for disclosing their findings.
- Email email@example.com. Sensitive information should always be encrypted using our PGP key (found below).
- We will respond to your email within 48 hours and update you on the progress of your disclosure.
- We only credit the first person to report an issue. Issues deemed too low in severity will not receive a public acknowledgement.
- No legal action will be taken and we will handle your disclosure with strict confidentiality.
We use PGP to communicate in a secure manner. You can find our public key below: