Your Data Is Safe With Us
Enterprise-grade security is built into every layer of UpGPT. We protect your data with the same standards used by Fortune 500 companies.
Security Practices
We follow industry best practices and continuously invest in security infrastructure.
Encryption at Rest & In Transit
All data is encrypted using AES-256 at rest and TLS 1.3 in transit. Database connections use SSL-only mode with certificate verification.
Data Isolation
Each client's data is isolated using row-level security (RLS) policies with per-client access controls. All data access is enforced at the database level through Supabase RLS. Your data is never shared with or accessible to other tenants.
No Model Training on Your Data
Your proprietary data is never used to train, fine-tune, or improve any AI models. We use the Anthropic API with zero-retention data processing agreements.
Authentication & Access Control
We support multi-factor authentication, OAuth 2.0 with Google (Microsoft coming soon), role-based access control, and API key management with granular permissions.
Infrastructure Security
Hosted on enterprise-grade cloud infrastructure with automated backups, point-in-time recovery, and DDoS protection. We target 99.9% uptime, backed by Supabase's managed infrastructure. Uptime monitoring is available on our status page.
Audit Logging
Key administrative actions are logged with timestamps and user identity. We are building comprehensive audit logging with configurable retention (roadmap Q3 2026).
Compliance
Our compliance roadmap — because trust is earned, not claimed.
| Framework | Status |
|---|---|
| SOC 2 Type II | In Progress |
| GDPR | Compliant |
| CCPA | Compliant |
| ISO 27001 | Roadmap |
How We Handle Your Data
Where is my data stored?
All data is stored in Supabase-managed PostgreSQL databases hosted on AWS infrastructure in the US-East region. Point-in-time recovery is enabled with daily automated backups.
Who can access my data?
Only you and authorized members of your team. UpGPT engineers can access infrastructure for maintenance but never view customer data without explicit authorization. All access is logged.
What happens if I cancel?
Upon cancellation, you can export all your data via API or CSV. Upon account deletion, we initiate data removal within 30 days. Contact support@upgpt.ai to request immediate deletion.
Do you share data with third parties?
Never. We do not sell, share, or provide your data to third parties. AI model providers (Anthropic) process data with zero-retention agreements — nothing is stored or used for training.
How do I report a security concern?
Email security@upgpt.ai. We acknowledge all reports within 24 hours and provide resolution timelines within 72 hours. We do not currently have a bug bounty program but plan to launch one in Q4 2026.
Have Security Questions?
We're happy to discuss our security practices, provide documentation for your procurement team, or walk through our architecture.