Compliance Security

Security and compliance are top priorities for uxpressia because they are fundamental to your experience with the product. Uxpressia is committed to securing your application’s data, eliminating systems vulnerability, and ensuring continuity of access.

Uxpressia uses a variety of industry-standard technologies and services to secure your data from unauthorized access, disclosure, use, and loss. 

If you would like to report a vulnerability or have any security concerns with a uxpressia product, please contact support@uxpressia.com.

PCI DSS

Uxpressia’s payment and card information is handled by Stripe, which has been audited by an independent PCI Qualified Security Assessor and is certified as a PCI Level 1 Service Provider, the most stringent level of certification available in the payments industry.

Uxpressia does not typically receive credit card data, making it compliant with Payment Card Industry Data Security Standards (PCI DSS) in most situations.

Check our Payment Policy to get more information.

Commitment to GDPR

General Data Protection Regulation (GDPR) is a European regulation to strengthen and unify the data protection of EU citizens. As of the 25th of May 2018, all companies worldwide that store and process data about EU citizens will be required to comply with GDPR.

Uxpressia is taking particular steps across the entire company to ensure we will be ready for the GDPR. Based on the research conducted by both our inside and outside counsels we are confident our changes will address the requirements of GDPR.

Uxpressia revised technical and management measures to protect your data and comply GDPR requirements:

• Updated Privacy policy (done) , Terms of Use (done) , Payment Policy (in development) and Cookie Policy (in development) according to GDPR requirements
• Revised data mapping and activities to process personal data (done)
• Forget me button in the account settings section (in development)
• Restrict processing button in account setting section (in development)
• Export personal data  function (in development)
• Allow users to edit their profile  (done)
• Granular consents (in development)
• Log processing activities with personal data (done)
• Revised and updated the following internal policies:
  • Backup policy (done)
  • Data Retention Policy (done)
  • Data Disposal Policy (done)
  • Disaster Recovery and business continuity (done)
  • Coding standards and rollout procedure (done)
  • Cryptographic control policy (done)
  • Employment policy and processes (done)
  • Security incident response policy (done)
  • System access control Policy (done)
  • SLA and escalation procedures (done)
  • Data Breach Notification Form to the Supervisory Authority (in development)
  • Data Breach Notification Form to the Data Subjects (in development)
• Revised Uxpressia Architecture Design Document and implemented technical measures (done)

Infrastructure and Network Security

Physical Access Control

Uxpressia uses Linode Cloud Hosting with London, UK data Center as a hosting provider. Linode Cloud hosting is compliant with HIPAA, PCI DSS and GDPR.

Linode data centers feature a layered security model, including extensive safeguards.

Uxpressia employees do not have physical access to Linode data centers, servers, network equipment, or storage.

Logical Access Control

Uxpressia is the assigned administrator of its infrastructure on Linode Cloud Platform, and only designated authorized Uxpressia operations team members have access to configure the infrastructure. Specific private keys are required for individual servers, and keys are stored in a secure and encrypted locations.

Penetration Testing

Uxpressia undergoes black box penetration testing, conducted by an independent, third-party agency, on an annual basis. For black box testing, Uxpressia provides the agency with an isolated clone of a test client Uxpressia instance and a high-level diagram of application architecture.

Intrustion Detection and Prevention

Uxpressia has installed the intrusion detection system dhound.io on each server that allows to detect and react on a security events and incidents in real time.

Business Continuity and Disaster Recovery

High Availability

Uxpressia is configured in High-availability model and uses properly-provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases) in the case of failure. As part of regular maintenance, servers are taken out of operation without impacting availability.

Business Continuity

Uxpressia keeps regular hourly encrypted backups of data outside of the servers (dedicated file storage). While never expected, in the case of production data loss (i.e., primary data stores lost), Uxpressia will able restore data from these backups.

Disaster Recovery

In the event of a region-wide outage, Uxpressia has a plan how quickly bring up a duplicate environment on another hosting provider within EU. The uxpressia operations team has extensive experience performing secured migrations.

Data Security and Privacy

Data Encryption

All data in Uxpressia servers is automatically encrypted at rest. RSA 2048 is used for backup encryptions. All private keys are kept separately from the live environment.

So, if an intruder were ever able to access any of the physical storage devices, the Uxpressia data contained therein would still be impossible to decrypt without the keys, rendering the information a useless jumble of random characters.

Uxpressia uses only world-standard encryption algorithms:

• AES 256 for symmetric encryption
• RSA 2048 for assymetric encryption
• SHA512+RSA2048 for digital signing of Uxpressia assets

Data in Motion

All communication are restricted with using only encrypted channels. Only TLS 1.0, 2.0, 3.0 and higher allowed. The current level of SSL Configuration is A (https://www.ssllabs.com/ssltest/analyze.html?d=uxpressia.com)

Corporate Security

Malware Protection

Uxpressia believes that good security practices start with our own team, so Uxpressia goes out of own way to protect against internal threats and local vulnerabilities. All company-provided workstations run antiviruses, strongly configured firewalls and other security features.

Risk Management

Uxpressia follows the risk management procedures outlined in NIST SP 800-30, which include nine steps for risk assessment and seven steps for risk mitigation.

All Uxpressia product changes must go through code review, CI, and build pipeline to reach production servers. Only designated employees on Uxpressia’s operations team have secure shell (SSH) access to production servers.

Uxpressia performs testing and risk management on all systems and applications on a regular and ongoing basis. New methods are developed, reviewed, and deployed to production via pull request and internal review. New risk management practices are documented and shared via staff presentations on lessons learned and best practices.

Contingency Planning

The Uxpressia operations team includes service continuity and threat remediation among its top priorities. Uxpressia keeps a contingency plan in case of unforeseen events, including risk management, disaster recovery, and customer communication sub-plans that are tested and updated on an ongoing basis and thoroughly reviewed for gaps and changes at least annually.

Disclosure Policy

Uxpressia follows the incident handling and response process recommended by SANS, which includes identifying, containing, eradicating, recovering from, communicating, and documenting security events. Uxpressia notifies customers of any data breaches as soon as possible via email and phone call, followed by multiple periodic updates throughout each day addressing progress and impact.