Security

End to end. Quietly serious.

Your studio holds contracts, BIN numbers, payment details and unreleased creative. We treat all of it like the legally binding records it is. Encryption in transit and at rest. Tenant isolation at the database layer. Zero AI training on your data. Full export anytime.

Tenant isolation at the database layer

Every query is scoped to your studio at the SQL layer, not just in the UI. A bug in a route handler cannot leak another studio’s data because the query never asked for it.

Encrypted in transit and at rest

TLS 1.3 on every public surface with HSTS. Database, file storage and backups are encrypted at rest with provider-managed keys.

Your data stays your data

We never train AI models on it. We never sell it. Export to CSV plus a JSON dump anytime. After cancellation, production data is purged within 30 days.

Identity

Sign in with the accounts you already trust.

Staff sign in with Google. Sessions are short-lived JWTs in HttpOnly cookies. We never see or store passwords. Roles (owner, admin, manager, creative, finance, sales) gate every page server-side.

  • Google OAuth for staff. Microsoft and Apple on the roadmap.
  • Magic-link sign in for client portal users (no password).
  • Per-role permissions enforced before the database read.
  • Super-admin actions audit-logged to a separate table.

Data isolation

One tenant cannot see another. Ever.

A per-studio scope wraps every database call. Files on object storage are namespaced by studio id and served only via short-lived signed URLs. We test this invariant on every commit.

  • Row-level scope enforced inside the query helper, not in route code.
  • File keys prefixed by studio id, never enumerable.
  • Signed URLs expire in 60 seconds for downloads.
  • Cross-tenant test suite blocks merges that would leak.
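One way to put the scope inside the query helper rather than in route code, as an added example (not Uplytics' own code). SQLite stands in for Postgres so it runs offline; the `StudioScope` class, the `invoices` schema and the handler are hypothetical.

```python
import sqlite3

# Hypothetical schema: allowlist of tenant tables and the columns callers may use.
COLUMNS = {"invoices": ("id", "number", "total")}

class StudioScope:
    """The only query path route code gets. studio_id is bound here, never by the caller."""

    def __init__(self, conn, studio_id):
        self._conn, self._studio_id = conn, studio_id

    def select(self, table, **filters):
        cols = COLUMNS[table]                      # unknown table -> KeyError
        for name in filters:
            if name not in cols:                   # also rejects a studio_id override
                raise ValueError(f"unknown column: {name}")
        where = " AND ".join(["studio_id = ?"] + [f"{n} = ?" for n in filters])
        sql = f"SELECT {', '.join(cols)} FROM {table} WHERE {where}"
        params = [self._studio_id, *filters.values()]
        return self._conn.execute(sql, params).fetchall()

def buggy_invoice_handler(scope, invoice_id):
    """Route code with no ownership check: the id comes straight from the request."""
    return scope.select("invoices", id=invoice_id)

def leaked_rows(conn, studio_id):
    """Cross-tenant invariant as a CI test would assert it: ids visible through
    the scope must be a subset of the ids the studio owns."""
    visible = {r[0] for r in StudioScope(conn, studio_id).select("invoices")}
    owned = {r[0] for r in conn.execute(
        "SELECT id FROM invoices WHERE studio_id = ?", (studio_id,))}
    return visible - owned

def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER, studio_id TEXT, number TEXT, total INTEGER)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", [
        (1, "studio-a", "INV-001", 500),           # constructed sample rows
        (2, "studio-b", "INV-001", 900),
    ])
    return conn
```

The handler is wrong on purpose: asking for another studio's invoice id returns no rows because the helper's WHERE clause never matches it.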

Tax record integrity

Issued documents are immutable.

Invoices, Mushak forms, money receipts and bills snapshot your BIN, TIN and brand at the moment of issue. Once a Mushak is locked, no path can edit it. Reissues create a new document with its own number.

  • Brand snapshot persisted on every issued document.
  • Mushak 6.3 and 6.6 numbering is gapless per BIN per fiscal year.
  • Locked-row check at the application layer rejects updates.
  • Audit log on every issue, void and re-issue.

Sharing controls

Magic links you can lock down.

Branded share links carry an HMAC-signed token, an optional password gate, an expiry and a max-views counter. Verification is rate-limited to five attempts per hour per IP. Cookies are scoped to the share path so unlocking one link never unlocks another.

  • Optional password protection per share link.
  • Expiry and max-views per link.
  • Per-link cookie scope so cross-link spillover is impossible.
  • X-Robots-Tag noindex on every share page so links never get indexed.
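A sketch of how a signed share token with expiry, a view cap and a path-scoped cookie can be checked, as an added example (not Uplytics' own code). The token layout, the `/s/<link_id>` path, the cookie name and the in-memory counter are assumptions, and link ids are assumed to contain no dots.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # assumption: loaded from the secrets manager
views_used = {}                       # link_id -> views consumed (a DB column in practice)

def _mac(message: str) -> str:
    return hmac.new(SECRET, message.encode(), hashlib.sha256).hexdigest()

def issue_token(link_id: str, expires_at: int, max_views: int) -> str:
    """Hypothetical layout: link_id.expires_at.max_views.signature"""
    body = f"{link_id}.{expires_at}.{max_views}"
    return f"{body}.{_mac(body)}"

def open_link(token: str, now: int):
    """Return (status, Set-Cookie header or None)."""
    body, _, sig = token.rpartition(".")
    # Authenticate the raw string in constant time before parsing any field,
    # so expiry and max_views cannot be edited by the link holder.
    if not hmac.compare_digest(sig.encode(), _mac(body).encode()):
        return "bad-signature", None
    link_id, expires_at, max_views = body.split(".")
    if now >= int(expires_at):
        return "expired", None
    if views_used.get(link_id, 0) >= int(max_views):
        return "view-limit", None
    views_used[link_id] = views_used.get(link_id, 0) + 1
    # Path scoping: the browser sends this cookie only under /s/<link_id>,
    # so unlocking one link never presents a cookie to another link.
    cookie = (f"share_unlock={_mac('cookie.' + body)}; Path=/s/{link_id}; "
              f"Max-Age={int(expires_at) - now}; HttpOnly; Secure; SameSite=Lax")
    return "ok", cookie
```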

Email integrity

No surprise sends. No leaks.

Outbound mail uses authenticated SMTP via a verified sending domain (DKIM, SPF, DMARC). Bounces and complaints route to a webhook that suppresses future sends per studio. Every transactional email carries a one-click unsubscribe.

  • DKIM, SPF and DMARC on the sending domain.
  • Per-studio outbound rate limit (default 100 per hour).
  • Per-studio suppression list updated on bounce or complaint.
  • One-click unsubscribe in every email footer.

Edge protections

Hardened by default.

Strict Content-Security-Policy on every response. HSTS for two years with preload. Frame-ancestors set to none so the app cannot be embedded. Rate limits on auth, OTP and share-verify endpoints.

  • Content-Security-Policy with locked connect-src and object-src none.
  • HSTS max-age 63072000 includeSubDomains preload.
  • frame-ancestors none, X-Content-Type-Options nosniff, Permissions-Policy clamped.
  • Per-IP rate limits on /api/auth (30/min) and OTP (3/min/email).
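A check that a response's headers match the values listed above, as an added example (not Uplytics' own tooling). The function names and the two sample header sets are constructed for illustration.

```python
def parse_csp(value):
    """Split a CSP header into {directive: [sources]}; the first occurrence wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def audit_headers(headers):
    """Return a list of findings; an empty list means the stated policy holds."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = [p.strip().lower() for p in h.get("strict-transport-security", "").split(";")]
    max_age = next((p.split("=", 1)[1].strip('"') for p in hsts
                    if p.startswith("max-age=")), "0")
    if not max_age.isdigit() or int(max_age) < 63072000:
        findings.append("HSTS max-age below 63072000")
    for flag in ("includesubdomains", "preload"):
        if flag not in hsts:
            findings.append(f"HSTS missing {flag}")
    csp = parse_csp(h.get("content-security-policy", ""))
    for directive in ("frame-ancestors", "object-src"):
        if csp.get(directive) != ["'none'"]:
            findings.append(f"CSP {directive} is not 'none'")
    if "*" in csp.get("connect-src", ["*"]):
        findings.append("CSP connect-src missing or wildcard")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    return findings

# Constructed sample responses.
GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": ("default-src 'self'; connect-src 'self'; "
                                "object-src 'none'; frame-ancestors 'none'"),
    "X-Content-Type-Options": "nosniff",
}
BAD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
}
```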

Practices

The boring stuff, on the record.

Hosting region: Singapore (low latency from Bangladesh)
Database: Postgres, encrypted at rest, point-in-time recovery enabled
File storage: Private object storage, signed URLs, never public buckets
Backups: Automatic daily snapshots, 30-day retention
Secrets: Stored in the deploy provider’s secrets manager. Never in source.
Sub-processors: Full list available on request from legal@uplytics.ai
Data export: CSV plus JSON dump on demand, no holdback
Data retention after cancellation: Workspace locked immediately, purged within 30 days
AI training on your data: Never. AI calls are stateless and per-studio.
Logs and metrics: Structured logs with request id; PII redacted before retention
Incident response: Customer notification within 72 hours of confirmed incident

Reporting

Found a vulnerability? Tell us.

Email security@uplytics.ai with a clear reproduction. We acknowledge within one business day. Please give us 90 days to fix before public disclosure. We will credit researchers in the changelog when invited to. The full machine-readable disclosure policy lives at /.well-known/security.txt.

Last updated 2026-05-10. Operated by FastFlowUp under the Uplytics brand.