    SECURITY AND PRIVACY

    Security and privacy at Uplift.

    Uplift takes the security and privacy of our customers, partners, and employees seriously. Our cybersecurity and data protection programme is designed to align with globally recognized standards and frameworks, and to meet our legal and contractual obligations in a transparent, evidence-based way.

    Frameworks we align with.

    ISO/IEC 27001

    Information Security Management. Target: certified by end of May 2026. Active roadmap with independent assessment.

    SOC 2

    Trust Services Criteria across Security, Availability, Processing Integrity, Confidentiality, and Privacy. Type II attestation targeted for Q4 2026.

    NIST SP 800-53 and CSF

    Security and Privacy Controls for Information Systems plus the NIST Cybersecurity Framework. Used as the baseline our internal controls map back to.

    GDPR and CCPA aligned

    Applicable privacy and data protection regulations honored where relevant. DPA and Article 28 processor terms available on request.

    Key security controls.

    Our security programme is built around eight core areas. Each one has documented owners, defined controls, and evidence we can share under NDA.

    Governance, risk, and compliance.

    Documented security policies, risk management process, defined roles and responsibilities, and a security roadmap reviewed against formal certification milestones.

    Identity and access management.

    Centralized identity via Google SSO. MFA enforced across every user account. Role-based access control limiting privileges to the minimum required for each role.

    Infrastructure and endpoint.

    Hardened configurations, regular patching, endpoint protection, network security controls, and secure remote access for the team.

    Cloud and application security.

    Secure configuration of cloud platforms and security baked into the software development lifecycle. Active use of GCP Security Command Center including Vulnerability Assessment, Web Security Scanner, Event Threat Detection, and Cloud Run Threat Detection.

    AI security.

    Inference calls to AI providers (OpenAI, Google Gemini) operate under Zero Data Retention agreements. Customer data passing through agents is not stored by these providers and is not used to train their models.

    Business continuity and incident response.

    Backups, centralized logging, security monitoring, disaster recovery and continuity procedures for critical services, written incident response plans and playbooks, and annual third-party penetration testing.

    Third-party security.

    Risk-based onboarding and ongoing oversight of every vendor or service provider that may touch customer data.

    Security awareness and privacy.

    Ongoing staff training. Privacy-by-design baked into product and process decisions, not bolted on after the fact.

    Where your data lives.

    Uplift runs on Google Cloud Platform with security tooling layered through Google Cloud Security Command Center - Vulnerability Assessment, Web Security Scanner, Event Threat Detection, and Cloud Run Threat Detection.

    Inference calls to AI providers (OpenAI, Google Gemini) run under Zero Data Retention agreements. Customer data passing through agents is not stored by those providers and is not used to train their models.

    Cloud provider: Google Cloud Platform
    Security tooling: GCP Security Command Center suite
    AI providers: Zero Data Retention agreements in place
    Penetration testing: Annual, by independent third party

    Access, tailored to you.

    We use centralized identity via Google SSO with MFA enforced across every user account. Access is granted on the principle of least privilege - every role gets exactly what it needs and nothing more.

    If your security team needs specific access patterns, controls, or audit trails for your environment, we configure them during onboarding. Bring the requirements.

    • Centralized identity via Google SSO
    • MFA enforced across all user accounts
    • Role-based access control with least-privilege defaults
    • Custom access patterns scoped during onboarding
    • One-click revoke for any agent, integration, or user

    Incident response.

    We monitor and back up around the clock.

    Centralized logging, security monitoring, and disaster recovery procedures cover every critical service.

    We follow written playbooks.

    Incident response plans and playbooks are documented, tested, and updated. Customer notifications follow applicable regulatory timelines.

    We test ourselves annually.

    Independent penetration testing happens at least once a year. Findings feed back into the security roadmap.

    AI security.

    Agents that Uplift builds send inference calls to large language model providers. We only work with providers who have signed Zero Data Retention agreements with us - currently OpenAI and Google Gemini.

    Practically: customer data passing through these models is not stored on the provider's infrastructure, and it is not used to train future versions of the model.

    Vendors and subprocessors.

    Every vendor or service provider with potential access to customer data goes through risk-based onboarding and ongoing oversight. We keep an up-to-date subprocessor register including purpose, region, and the date last reviewed.

    The full register is shared with customers under NDA as part of the security pack. Email dennis@getuplift.ai to request a copy or with any security-related question.

    Further information.

    Security pack on request.

    More detailed information about our security controls, data handling practices, and roadmap is provided under NDA on request. Email dennis@getuplift.ai.

    Have a security questionnaire?

    Send it to dennis@getuplift.ai. SIG, CAIQ, or your own format - we'll come back with a pre-filled response.

    Want to bring this to your security team?

    Request access and we'll send the full security pack within 48 hours.