Security At Ucentric

At Ucentric, we take the security and privacy of our customers and our customers' users extremely seriously and describe our approach in papers.

Below you'll find information about how we build and maintain secure systems. For information about privacy, view our Privacy Page.

Application Security Features

We value the privacy and security of our users so we've built various features right into our product to make your experience with Ucentric more secure. Visit our Knowledge Base to learn how to take advantage of these features in your Ucentric account.

  • Role Based Access Controls

    Following the principle of least privilege, we give your account members access to only the things they need. Permissions can be set to allow read-only access to data.

  • Multi-Factor Authentication

    Users authenticating with username and password can optionally set up another authentication factor by using TOTP. Alternatively, users can authenticate through a federated provider like Google.

  • Session Control & Session Logging

    Every session is logged and viewable by the end user in the account's session history. Details like IP address, location and User Agent help you to spot suspicious behavior. Active sessions can be revoked - immediately logging out devices.

  • Password Restrictions

    Ucentric follows industry best practices, requiring users to have a password which contains at least one number and symbol.

  • Signature Validation

    Ucentric uses optional signature validation to control access to your content and to verify webhook messages. By creating a token using your API key and secret, you can limit access to your content to only users who are authenticated by your system and possess the token you've created. A similar practice can be followed for webhooks to verify that the webhook was actually sent by Ucentric and not another party.

  • 0 Downtime API Key Rotation

    Ucentric supports creation of multiple API keys, allowing you to rotate credentials without any effect on your application.

  • Origin Allowlist

    Mark specific origins as allowed to load client-side code from your account. This prevents others from loading your Ucentric content without your permission.

  • Encryption In Transit

    All Ucentric applications use HTTPS exclusively. Insecure connections are automatically routed to secure connections.

Engineering Security Practices

Our engineering practices include high coding standards and a variety of processes designed to guard against attempted security breaches.

  • Internal R&D Processes

    Ucentric utilizes high-quality development processes and coding standards to ensure that we adhere to the best security practices.

    Our engineers regularly participate in security awareness training and secure applications training.

    Immutable infrastructure - We don’t make changes to live code or running servers in production. Where applicable, we use Terraform, Docker and other tools to treat infrastructure as code.

    We are using continuous integration and deployment automation.

  • Instance and Network Security

    Ucentric utilizes encryption at rest for databases, as well as automated backups. Every Ucentric service runs inside a well-defined Docker container that allows specific levels of access. Our network is segmented using security groups, VPCs, and ACLs in Amazon Web Services.

  • Physical Data Center Security

    Ucentric runs on Amazon Web Services and as a result, inherits the control environment which AWS maintains and demonstrates via SSAE16 SOC 1, 2 and 3, ISO 27001 and FedRAMP/FISMA reports and certifications. Data centers are secured and monitored 24/7, and physical access to AWS is limited to AWS staff.

    All data centers are located in the United States.

  • Access Management

    All traffic to Ucentric services occurs over a secure TLS connection.

    We host our systems with Amazon Web Services. We use strong, unique passwords and multi-factor authentication (when available) for all of these services, and limit access to only Ucentric staff and systems which have a legitimate need.

    Access to customer data by Ucentric employees is limited to an as-needed basis (e.g., to resolve customer issues).

  • Data Confidentiality and Retention

    Ucentric does not rent, sell, trade or disclose your Personal Information to third parties without your consent, except as specified in our Privacy Policy.

    We store backups of selections of our data in the cloud, and our maximum retention period for backups is 90 days.

    When requested, we will destroy a user’s account, removing all customer data associated with that account.

    Passwords and other sensitive information are encrypted with strong encryption algorithms.

    All our employees and contractors (workers) sign confidentiality agreements before gaining access to our code and data.

  • Vulnerability Management

    We use automated tools provided by GitHub to scan our codebase for vulnerabilities. If vulnerabilities are found, they are triaged and fixed in a timely manner determined by the severity of the issue.

  • Incident Response and Remediation

    We strive for a 99.99% uptime across all our products.

    All of our services are deployed in at least two availability zones to mitigate any single data center availability issues.

    In the unlikely event that data stored in the Ucentric database were to be lost or damaged, we would be able to restore from backup with a loss of no more than 5 minutes of data.

    We monitor our services 24/7 using automated tools. An engineer will be on call to respond to events. We post incidents and scheduled maintenance on our status page. Users can subscribe to updates via RSS.

Data Collection, Privacy, And GDPR

For more information on our data collection and privacy policies, visit our Privacy Page.

Payments & Billing

We use Stripe for processing payments. As a result, we do not store information such as credit card numbers. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1.

Responsible Disclosure

Security is a top priority for Ucentric so we welcome the discovery of any vulnerability which might compromise security. We will publicly acknowledge researchers for disclosing their findings.


  • Email [email protected]. Sensitive information should always be encrypted using our PGP key (found below).
  • We will respond to your email within 48 hours and update you on the progress of your disclosure.
  • We only credit the first person to report an issue. Issues deemed too low in severity will not receive a public acknowledgement.
  • No legal action will be taken and we will handle your disclosure with strict confidentiality.

Encrypted Communication

We use PGP to communicate in a secure manner. You can find our public key below:



General Contact

For general questions on Ucentric's security practices, data policies, or to learn more about how you can implement Ucentric in a secure way, please contact .