Security at Uphold
Access and Encryption
Uphold takes a holistic approach to our Information Security and Personal Information protection programs. These programs are designed to meet or exceed regulatory requirements, establish the highest levels of trust with our members, and prevent bad actors from taking advantage of our systems, members, employees, or brand.
Measures include but are not limited to:
- Software and security patches are constantly monitored and updated.
- All emails may be encrypted in transit.
- We enforce Role Based Access for sensitive operations or functions.
- We employ Smart Card Access readers at all office locations, which control access to the main spaces and sensitive operational areas.
- We use SQL injection filters and write models and validation patterns for each individual data field.
- We follow Test Driven Development (TDD) processes, complete with full unit, functional security and integration testing.
- Application credentials are kept separate from the database and code base.
- The site runs entirely over TLS (https).
- Private keys are protected using strong encryption methods.
- Uphold undertakes independent security audits at least annually to ensure that any potential vulnerability related to our web network environments are fixed promptly. These security reviews include diagnostic reviews of devices and internal and external penetration testing, as well as assessment of policies, procedures and security standards.
- Uphold uses a combination of internal security professionals and external security firms to conduct Penetration testing of our systems several times per year. These tests are designed to ensure the security controls in place are effective and adequate to protect your personal information and money.
- We utilize continual vulnerability scanning and assessments for internal and external systems checking for security weaknesses and taking corrective action immediately if any are found.
- The Uphold Security Team conducts recurring audits to ensure compliance by all employees.
- The Uphold Security Operations Center monitors our systems 24 hours a day, 7 days a week, 365 days a year and responds to suspicious activity immediately as they arise.
- We have independent third-party auditors complete financial audits and comply with all applicable laws
Regulatory Compliance & Anti-Money Laundering (AML) Controls
- Uphold works with licensed banking partners in the US and is regulated by the United States Treasury Department regulator, FinCEN.
- In the EU, Uphold is partnered with an Authorised Payment Institution regulated by the FCA (UK Financial Conduct Authority).
- Operating as a regulated financial service provider, Uphold must comply with global Anti-Money Laundering (AML) controls. Uphold is 100% committed to keeping member personal information safe and transactions anonymous. However, as with all financial service providers operating compliantly, we are required by law to record information about members and transactions and, at times, provide these to law enforcement officials. We seek to follow all applicable local, state, federal and international law concerning the protection of consumer data including, but not limited, to the EU data protection requirements, Gramm-Leach-Bliley Act (GLBA) in the US, and the People's Republic of China regulations to protect personal information.
- Uphold is required to adhere to Payment Card Industry Data Security Standards (PCI-DSS) to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is performed annually by an external Qualified Security Assessor (QSA).
- We adhere to Office of Foreign Assets Control (“OFAC”) regulations
- All Uphold employees must pass a thorough background check, including criminal record check, financial records, education credentials and reference checks as part of the hiring process.
- All employees are required to use screen locking and follow best practices for safe storage of equipment.
- Employees are required to use and maintain strong passwords or passphrases in all the services they access and administrative accounts must use approved 2 factor authentication methods.
- Employees undergo continuous training on security best practices.