Security is at the core of everything we do—whether it’s the code we write, the tools we use, or the platform services we offer. At Updraft, we understand the trust you place in us to empower your developers to deliver high-quality software quickly, and we are dedicated to safeguarding that trust.
We’re proud to be ISO 27001 certified, and our team is always ready to address any security-related questions you might have.
At Updraft, we ensure that software works seamlessly for everyone, whenever they need it.
Transparency is a key part of our security promise. In the rare event of a security incident, we commit to disclosing all relevant information. However, our top priority is protecting our customers and ensuring uninterrupted operations. When disclosure could heighten risks, we ask for the necessary time to address vulnerabilities before sharing details.
Version March 2025
Updraft Co. Apps with love AG implements the following measures to ensure the confidentiality, integrity, availability, and resilience of systems when processing personal data. These measures are reviewed and updated regularly and can be contractually agreed upon request.
Security Risk Management
Potential security risks are regularly identified, evaluated, and prioritized for resolution. Appropriate controls and mitigation strategies are established, implemented, and validated. Updraft maintains a Statement of Applicability (SoA), also known as a “declaration of applicability”: the ISO 27001 document that lists which controls apply to our organization, why they were selected, and whether they are implemented.
Security Policies
A comprehensive security framework and accompanying guides have been defined, with clear standards that drive continuous improvement and adaptation to strengthen the organization’s security.
Third-Party Risk Management
All external vendors are carefully evaluated through a rigorous due diligence process prior to engagement and onboarding.
Security Awareness
Employees are required to complete annual training sessions to ensure a strong understanding of security policies, practices, and testing procedures.
Professional Development
Ongoing education is emphasized to ensure team members stay informed about the latest technologies and security advancements.
Physical access to Updraft Co. Apps with love premises is restricted to authorized personnel only.
Refer to the internal IT & Security Guidelines.
Access to log files and backups is strictly limited.
Multi-factor authentication (MFA) is enforced across all systems.
Permissions are granted based on the principle of least privilege.
User accounts of employees or project members who leave the company or project are deactivated or deleted immediately.
Access rights are reviewed regularly to ensure only necessary permissions are maintained.
All employees and suppliers are contractually bound to confidentiality agreements.
Passwords are generated using secure methods and updated regularly.
Password policies are activated in systems wherever possible.
Access to APIs, CMS, websites, etc., is limited to encrypted protocols such as HTTPS (TLS).
Other communication channels (e.g., MQTT) are encrypted as well.
Updraft applies a clear data classification framework to ensure that all data is categorized according to its sensitivity and protection requirements. This framework helps to manage and safeguard personal data appropriately.
Updraft ensures that test data used in development, testing, or QA environments does not compromise the security or privacy of real personal data.
Local firewalls are activated on all hosts.
Only necessary ports are opened for WAN and LAN access.
Open ports are regularly monitored and audited automatically.
Servers are patched and updated regularly.
Server management is conducted exclusively via secure VPN connections.
Key-based authentication is used for server access instead of passwords.
The networks are segmented and resilient, network access is protected, and traffic is analyzed and filtered.
Log data is collected and analyzed in secure, external systems.
Open ports, server status, and application health are continuously monitored.
Monitoring tools are employed to ensure system integrity and detect anomalies.
Secure software development follows established standards and best practices.
Security requirements are integrated early in the development process.
Regular code reviews and automated security testing are conducted.
Development guidelines adhere to recognized security guidance (e.g., the OWASP Top 10).
A defined process is in place for managing security incidents.
Incidents are promptly recorded, analyzed, and documented.
Mitigation and remediation measures are implemented immediately.
Affected parties and authorities are notified promptly when required.
Post-incident analysis is conducted to identify vulnerabilities and prevent recurrence.
The Computer Emergency Response Team is convened as soon as a security incident is reported.
Session authentication tokens are valid for a maximum of 24 hours and are automatically refreshed.
All active tokens are revoked when a password is changed.
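The two token rules above (a hard 24-hour lifetime with automatic refresh, and revocation of every active token when the password changes) can be implemented without enumerating tokens by tagging each session with a per-user "password generation" counter. The following is an added illustration, not Updraft's platform code; the server-side store, the one-hour refresh window, and the PBKDF2 parameters are assumptions.

```python
"""Server-side session store with a hard 24 h token lifetime, automatic
refresh near expiry, and revoke-all-on-password-change.

Added example (not Updraft's code). Assumptions: opaque bearer tokens stored
hashed on the server, a 1 h refresh window, PBKDF2-SHA256 password hashing.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_TOKEN_LIFETIME = 24 * 3600   # seconds; no token ever lives longer than this
REFRESH_WINDOW = 1 * 3600        # assumption: rotate when < 1 h of life remains
PBKDF2_ROUNDS = 200_000          # assumption; tune to the deployment's budget


@dataclass
class Session:
    user: str
    issued_at: float
    expires_at: float
    pw_generation: int   # password generation the token was issued under


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}            # sha256(token) -> Session
        self._pw_hash: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, digest)
        self._pw_generation: Dict[str, int] = {}           # user -> current generation

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash of the bearer token is stored, so a leaked store
        # does not hand out usable sessions.
        return hashlib.sha256(token.encode()).hexdigest()

    def change_password(self, user: str, new_password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ROUNDS)
        self._pw_hash[user] = (salt, digest)
        # Bumping the generation invalidates every token issued under the old
        # password without having to know which tokens exist.
        self._pw_generation[user] = self._pw_generation.get(user, 0) + 1
        # Purge eagerly as well, so stale entries do not linger in the store.
        gen = self._pw_generation[user]
        self._sessions = {k: s for k, s in self._sessions.items()
                          if not (s.user == user and s.pw_generation != gen)}

    def verify_password(self, user: str, password: str) -> bool:
        if user not in self._pw_hash:
            return False
        salt, digest = self._pw_hash[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)   # constant-time comparison

    def issue(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits of entropy, opaque to the client
        self._sessions[self._key(token)] = Session(
            user=user, issued_at=now, expires_at=now + MAX_TOKEN_LIFETIME,
            pw_generation=self._pw_generation.get(user, 0))
        return token

    def login(self, user: str, password: str, now: Optional[float] = None) -> Optional[str]:
        if not self.verify_password(user, password):
            return None
        return self.issue(user, now)

    def validate(self, token: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
        """Return (user, token_to_use_next) for a live token, else None.
        token_to_use_next differs from `token` when the session was refreshed."""
        now = time.time() if now is None else now
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None:
            return None
        expired = now >= s.expires_at
        revoked = s.pw_generation != self._pw_generation.get(s.user, 0)
        if expired or revoked:
            del self._sessions[key]
            return None
        if s.expires_at - now < REFRESH_WINDOW:
            # Automatic refresh: rotate to a new token with a fresh 24 h budget
            # and retire the old one, rather than extending its expiry in place.
            del self._sessions[key]
            return s.user, self.issue(s.user, now)
        return s.user, token

    def active_count(self, user: str) -> int:
        return sum(1 for s in self._sessions.values() if s.user == user)
```

The refresh hands the client a new token and retires the old one, so the 24-hour cap applies to each token individually while a continuously active session keeps working. The generation counter makes "revoke all tokens" an O(1) write; the eager purge in change_password is only housekeeping.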
Access to data and systems is restricted to authorized personnel and requires MFA.
External partners are thoroughly vetted through a due diligence process before onboarding.
All employees must complete annual security awareness training.
Ongoing education and training are encouraged to stay up to date with new technologies and emerging threats.
Technical and organizational measures (TOM) and their effectiveness are reviewed and updated every six months.
Updraft implements robust disaster recovery and backup procedures to ensure the continuity and resilience of services in the event of a data loss, system failure, or other critical incidents.
Daily, redundant backups ensure data availability.
Security measures undergo regular audits and penetration tests.
Any data breaches are promptly communicated to affected parties.
Logs and backups are securely stored with restricted access.
Log data is centralized for enhanced security monitoring.
Data Protection Officer
Updraft collaborates with Arioli Law, Zurich, for data protection matters. Internal experts handle technical and organizational security questions under the management of our CISO.
Updraft Co. Apps with love AG ensures the physical security of all data and infrastructure related to the service through a combination of robust measures.
Data Storage: All data used by Updraft is securely hosted on Exoscale's servers in Switzerland. Exoscale is a trusted partner, certified according to ISO 27001, ISO 27017, and ISO 27018, which ensures that all physical and digital security practices meet international standards.
Facility Security: Exoscale’s data centers are physically secured with stringent access controls, including surveillance, alarm systems, and restricted access to authorized personnel only.
Encryption: Data transmitted to Exoscale is encrypted in transit using TLS to protect it during transmission. This includes the secure transfer of app versions (.ipa, .apk, .aab, .msix, .zip, .msi, .appx, and more).
Access Control: Access to Exoscale’s infrastructure is strictly regulated. Multi-factor authentication (MFA) is mandatory for infrastructure management, ensuring that only authorized personnel can manage and maintain the system.
Network Security: Access to Updraft’s infrastructure is only possible via predefined, secure networks. Role-based access control ensures that only the necessary users have specific access rights to the systems, reducing the risk of unauthorized access.
After you submit a report, our team will assess it and attempt to reproduce the issue to confirm its validity. You will be notified that we are actively working on it and will receive updates shortly.
The vulnerability will then be classified, rated, and prioritized. At this point, you will receive an email with an estimated timeline for resolution.
Report the incident via: support@getupdraft.com