Security At Ucentric

At Ucentric, we take the security and privacy of our customers and our customers' users extremely seriously.

Below you'll find information about how we build and maintain secure systems. For information about privacy, view our Privacy Page.

Application Security Features

We value the privacy and security of our users so we've built various features right into our product to make your experience with Ucentric more secure. Visit our Knowledge Base to learn how to take advantage of these features in your Ucentric account.

  • Role Based Access Controls

    Following the principle of least privilege, we give your account members access to only the things they need. Permissions can be set to allow read-only access to data.

  • Multi-Factor Authentication

    Users authenticating with username and password can optionally set up another authentication factor using TOTP. Alternatively, users can authenticate through a federated provider like Google.

  • Session Control & Session Logging

    Every session is logged and viewable by the end user in the account's session history. Details like IP address, location and User Agent help you to spot suspicious behavior. Active sessions can be revoked, immediately logging out the affected devices.

  • Password Restrictions

    Ucentric follows industry best practices, requiring users to have a password which contains at least one number and symbol.

  • Signature Validation

    Ucentric uses optional signature validation to control access to your content and to verify webhook messages. By creating a token using your API key and secret, you can limit access to your content to only users who are authenticated by your system and possess the token you've created. A similar practice can be followed for webhooks to verify that the webhook was actually sent by Ucentric and not another party.

  • 0 Downtime API Key Rotation

    Ucentric supports creation of multiple API keys, allowing you to rotate credentials without any effect on your application.

  • Origin Allowlist

    Mark specific origins as allowed to load client-side code from your account. This prevents others from loading your Ucentric content without your permission.

  • Encryption In Transit

    All Ucentric applications use HTTPS exclusively. Insecure connections are automatically routed to secure connections.

Engineering Security Practices

Our engineering practices include high coding standards and a variety of processes designed to guard against attempted security breaches.

  • Internal R&D Processes

    Ucentric utilizes high quality development processes and coding standards to ensure that we adhere to best security practices.

    Our engineers regularly participate in security awareness training and secure application development training.

    Immutable infrastructure - We don’t make changes to live code or running servers in production. Where applicable, we use Terraform, Docker and other tools to treat infrastructure as code.

    We are using continuous integration and deployment automation.

  • Instance and Network Security

    Ucentric utilizes encryption at rest for databases, as well as automated backups. Every Ucentric service runs inside a well-defined Docker container that allows specific levels of access. Our network is segmented using security groups, VPCs, and ACLs in Amazon Web Services.

  • Physical Data Center Security

    Ucentric runs on Amazon Web Services and as a result, inherits the control environment which AWS maintains and demonstrates via SSAE16 SOC 1, 2 and 3, ISO 27001 and FedRAMP/FISMA reports and certifications. Data centers are secured and monitored 24/7, and physical access to AWS is limited to AWS staff.

    All data centers are located in the United States.

  • Access Management

    All traffic to Ucentric services occurs over a secure TLS connection.

    We host our systems with Amazon Web Services. We use strong, unique passwords and multi-factor authentication (when available) for all of these services, and limit access to only Ucentric staff and systems which have a legitimate need.

    Access to customer data by Ucentric employees is limited to an as-needed basis (e.g., to resolve customer issues).

  • Data Confidentiality and Retention

    Ucentric does not rent, sell, trade or disclose your Personal Information to third parties without your consent, except as specified in our Privacy Policy.

    We store backups of selections of our data in the cloud, and our maximum retention period for backups is 90 days.

    When requested, we will destroy a user’s account, removing all customer data associated with that account.

    Passwords and other sensitive information are encrypted with strong encryption algorithms.

    All our employees and contractors (workers) sign confidentiality agreements before gaining access to our code and data.

  • Vulnerability Management

    We use automated tools provided by GitHub to scan our codebase for vulnerabilities. If vulnerabilities are found, they are triaged and fixed in a timely manner determined by the severity of the issue.

  • Incident Response and Remediation

    We strive for a 99.99% uptime across all our products.

    All of our services are deployed in at least two availability zones to mitigate any single data center availability issues.

    In the unlikely event that data stored in the Ucentric database were to be lost or damaged, we would be able to restore from backup with a loss of data no more than 5 minutes.

    We monitor our services 24/7 using automated tools. An engineer will be on call to respond to events. We post incidents and scheduled maintenance on our status page. Users can subscribe to updates via RSS.

Data Collection, Privacy, And GDPR

For more information on our data collection and privacy policies, visit our Privacy Page

Payments & Billing

We use Stripe for processing payments. As a result, we do not store information such as credit card numbers. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1.

Responsible Disclosure

Security is a top priority for Ucentric so we welcome the discovery of any vulnerability which might compromise security. We will publicly acknowledge researchers for disclosing their findings.

Guidelines

  • Email [email protected]. Sensitive information should always be encrypted using our PGP key (found below).
  • We will respond to your email within 48 hours and update you on the progress of your disclosure.
  • We only credit the first person to report an issue. Issues deemed too low in severity will not receive a public acknowledgement.
  • No legal action will be taken and we will handle your disclosure with strict confidentiality.

Encrypted Communication

We use PGP to communicate in a secure manner. You can find our public key below:

-----BEGIN PGP PUBLIC KEY BLOCK-----
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=rtH5
-----END PGP PUBLIC KEY BLOCK-----
              

General Contact

For general questions on Ucentric's security practices, data policies, or to learn more about how you can implement Ucentric in a secure way, please contact .