Security and GDPR

Upbase is driven by EU/UK GDPR principles and security!

Upbase does not store any user’s personal data including user-generated usernames, full names, email addresses, and etc. A SaaS provider is legally bound via Upbase’s Terms of Service to not upload anyone’s personal data to Upbase. Therefore Upbase is GDPR compliant.

Upbase is two APIs hosted on DigitalOcean and written in Rust: for production and for testing both in New York. No data is shared between these APIs.

All APIs are gated by their own encrypted load balancer with SSL certificates from Let’s Encrypt that change every 90 days. The load balancer sends encrypted traffic to multiple nodes in the same region that only accept connections from the load balancer on the region’s private network.

The nodes send encrypted traffic to a high-availablity managed MongoDB cluster hosted in the same region on the region’s private network that is gated only to these nodes. The nodes run Ubuntu 20.04 LTS with automatic updates enabled.

All nodes are firewalled to only allow traffic from their load balancer and SSH from the deployment computer.

Upbase generates usernames and uses passwordless login via Authy. Upbase’s passwordless TOTP secrets are generated with a cryptographically secure random passphrase with 128 bits of entropy for each user. Eight backup codes are generated upon user creation, can be regenerated at anytime, and are OTPs.

Upbase’s JWTs are RS256 encrypted. Upbase issued JWTs expire in 24 hours and are per API. Upbase issued API keys per API do not expire and can be regenerated at anytime.

A cancelled SaaS provider account will mean the complete deletion of all its tenants and users from Upbase.

Offsite backups of the MongoDB production clusters are deleted every 30 days.

Upbase only stores IP addresses of website visitors using Google Analytics. Upbase only uses cookies for Google Analytics on (and its subdomains).

Any concerns or questions can be emailed to

Last modified: Aug, 8 2021