Security and Data Policy

Last Updated: January 12, 2025

Introduction

Upcraft is committed to protecting the security and privacy of our customers’ data. This Security and Data Policy describes how we handle, store, and protect data on our platform. Written for small to mid-sized business (SMB) customers, it addresses common security and privacy questions and outlines our practices. We follow industry best practices and align with recognized standards (such as the SOC 2 Trust Services Criteria and GDPR principles) to safeguard your information, and we describe our practices candidly rather than making guarantees we cannot uphold. Note: This policy is for informational purposes and does not modify any agreements or obligations in our Terms of Service.

Data Collection

Upcraft only collects data that is necessary to provide and improve our services. The types of data we handle include:

Personal Information: Account details and contact information you provide, such as names, business emails, phone numbers, and job titles of you or your end-users. This may also include any personal data contained in your CRM records (e.g. customer names or contact info).

Proprietary Business Data: Content and records you submit to the platform, including CRM data, sales leads, chat or email conversation histories, support tickets, and other business documents. This data often contains confidential business information unique to your company.

AI-Generated Data: Outputs produced by Upcraft's algorithms and AI features based on your inputs. For example, conversation summaries, sales email drafts, or analytic insights generated from your data.

Usage Data: Platform usage metrics and technical logs collected when you interact with Upcraft (e.g. IP address, browser type, pages or features used, and timestamps). We collect this to monitor system performance, maintain security, and improve user experience.

We do not intentionally collect sensitive personal data such as payment card numbers or government IDs through our platform; payment details are handled by our payment processor, and such data reaches us only if you include it in uploaded content. We encourage customers to avoid uploading any unnecessary sensitive personal information.

Use of Data

Upcraft uses the collected data only for legitimate business purposes in operating and improving our platform. Key uses of data include:

Providing and Personalizing the Service: We use your proprietary and personal data to deliver the platform’s functionality – for example, analyzing your CRM records and conversation history to generate AI-driven sales insights or automated messages. The data you input enables our AI features to craft personalized outputs relevant to your business needs.

AI Processing: When you use Upcraft’s AI capabilities, your input data (such as a conversation transcript or query) is transmitted over an encrypted connection to our AI engine (which may involve calling third-party AI APIs) to generate the requested output. This processing is automated, and your data is used only to produce results for you, not to train AI models.

Communication and Support: We may use your contact information to send you service-related communications, such as account notifications, security alerts, and updates about new features. If you reach out for support, we will access and use relevant data to assist you. We may also send promotional or educational content, but you can opt out of marketing communications at any time.

Improvement and Analytics: We analyze usage data and aggregate trends to improve Upcraft’s performance, reliability, and features. For example, we might track which features are most used by customers to inform our product development. Any analytics or machine learning training we perform on usage patterns is done on anonymized or aggregated data, not on your identifiable business content. We do not use the personal or proprietary data you trust us with to build generalized AI models or share it with other customers.

Legal Compliance and Protection: We may process and retain data as required to comply with applicable laws, regulations, and legal processes. For instance, we will retain certain records if needed to meet financial reporting obligations or respond to lawful requests by authorities. Additionally, if necessary, we will use data to investigate and prevent security issues, fraud, or abuse on our platform.

No Selling of Data: Upcraft will never sell or rent your personal or business data to third parties for marketing or any other purpose. We only share data with third parties as described in this policy (see Third-Party Providers below) or in our Privacy Policy, and always with appropriate safeguards. Your data is used strictly to serve you and improve our services, in line with the principle of purpose limitation.

Data Ownership: You retain ownership and control over the data you store in Upcraft, as well as any content generated for you by our AI features. Upcraft does not claim any ownership rights over your proprietary business data or AI-generated outputs. Our role is to process and host this data on your behalf. You can request export or deletion of your data at any time (see Data Retention and Deletion below).

Third-Party Providers

Upcraft leverages trusted third-party service providers to deliver a reliable, scalable platform. We select our vendors carefully and require them to maintain high standards of security and confidentiality. The main third-party providers we use are:

Infrastructure Hosting (Linode/Akamai): Our application and databases are hosted on Linode (part of Akamai), a reputable cloud infrastructure provider. Your data is stored on secure servers in Linode’s data centers, which employ robust physical and environmental security controls to protect against unauthorized access and outages. Linode’s facilities feature industry-leading safeguards (such as 24/7 monitoring, access controls, backup power, and fire suppression) to ensure a resilient infrastructure for your data. All data stored with Linode is subject to strong security measures, including encryption at rest (see Security Measures below). We have agreements in place with our hosting provider to ensure they only process our data as needed to run Upcraft, and to uphold confidentiality and security of your information.

AI Service Provider (OpenAI): Upcraft’s intelligent features (such as natural language processing and content generation) are powered in part by OpenAI’s API. When you input data to use an AI feature (for example, asking the AI to draft a response based on a chat log), our system sends only the data needed for that request to OpenAI over an encrypted connection, and an AI-generated result is returned. Data sent to OpenAI via the API is not used to train OpenAI’s models or improve their services by default; OpenAI’s own API data usage policy governs how long it retains such data for abuse monitoring.

Other Service Providers:
Upcraft may utilize additional third-party services for supplemental functions such as email delivery, user analytics, or customer support ticketing. Examples could include email/SMS providers for sending verification codes or notifications, or cloud analytics platforms to track performance. Any such providers are vetted for strong security practices and are only given the minimum data necessary to perform their function. For instance, if we use an email service to send you a login alert, that service would only receive your email address and content of the alert, not your entire dataset. All third parties act under contractual obligations to protect your information and are prohibited from using it for any purpose other than providing services to Upcraft.

Upcraft remains responsible for safeguarding your data even when it is processed by third-party vendors. We maintain oversight of our service providers and review their security and privacy practices periodically. If a provider does not meet our standards or those expected by our customers, we will take appropriate action, which may include renegotiating terms or transitioning to an alternative solution. Our goal is to ensure that any third-party integration upholds the same level of trust and care that you expect from Upcraft AI itself.

Security Measures

We understand that as a business customer, the security of your data is of paramount importance. Upcraft implements a multi-layered security program designed to protect your data against unauthorized access, disclosure, or loss. Our security measures include administrative, technical, and physical controls aligned with industry best practices. Key security measures in place are:

Encryption in Transit: All data transmitted between your device and Upcraft is encrypted using HTTPS with TLS (Transport Layer Security). This ensures that any personal or proprietary information (such as login credentials, uploaded records, or AI query results) is protected from eavesdropping while in transit over the internet. We support modern encryption protocols (TLS 1.2 or higher) and strong cipher suites to secure network connections.

Encryption at Rest: Data stored on our servers (including databases, file storage, and backups) is encrypted at rest using industry-standard encryption algorithms (for example, AES-256 encryption). This means that even if physical storage media or backup files were accessed without authorization, the data would be unreadable without the proper decryption keys. Encryption at rest applies to both primary data storage and any off-site backups managed by our infrastructure provider.

Access Controls and Authentication: Upcraft employs strict access controls to ensure only authorized access to systems and data. Customer data in the platform is logically segregated so that each user or organization can only access their own information. Within our company, employees and contractors can access customer data strictly on a need-to-know basis and only for legitimate work purposes (such as debugging an issue at your request). We enforce the principle of least privilege, granting the minimum level of access required for each role. All access to sensitive systems requires authentication (strong passwords and, for administrative access, multi-factor authentication). We promptly revoke access when team members change roles or depart the company. Additionally, administrative activities on production systems are logged and audited.

Secure Development Practices: Security is integrated into our software development lifecycle. Our engineering team follows secure coding guidelines and industry best practices (such as OWASP Top 10) to prevent common vulnerabilities. Code changes are peer-reviewed and tested before deployment to catch security issues early. We regularly update our software dependencies and apply security patches to our servers and libraries to address newly discovered vulnerabilities in a timely manner.

Network and Infrastructure Security: Upcraft’s cloud infrastructure is protected by multiple layers of network security. We utilize firewall rules and security groups to restrict access to systems to only necessary ports and services. Our hosting environment provided by Linode/Akamai includes DDoS protection and traffic monitoring to detect and mitigate malicious attacks.

Monitoring and Incident Detection: We continuously monitor our platform and infrastructure for unusual activity or potential threats. This includes automated alerts for suspicious login attempts, anomaly detection in application behavior, and system health monitoring. We maintain detailed logs of access and actions within the system, which are periodically reviewed. If an incident or data breach is suspected, our incident response procedures are immediately activated to investigate and contain any issues.

Regular Backups and Recovery: To ensure business continuity and protect against data loss, Upcraft performs regular backups of critical data. Backup snapshots are encrypted and stored in secure, geographically separate locations (within our cloud provider’s infrastructure). We periodically test our backups and restoration process to verify data can be recovered reliably. In the event of a disaster or major outage, we have a disaster recovery plan so that service can be restored with minimal data loss and downtime.

Employee Training and Policies: All Upcraft team members undergo training on our security and data handling policies. We educate our employees about their responsibilities in protecting customer data, recognizing social engineering attempts, and practicing good cyber hygiene. Team members with access to sensitive data are required to follow strict guidelines, including signing confidentiality agreements. We foster a culture of security awareness and ensure that security considerations guide our decisions at every level of the organization.

Independent Audits and Testing: As part of our commitment to security, we routinely assess our systems and practices. We conduct internal security reviews and may engage independent security experts to perform penetration tests or vulnerability assessments on our application and infrastructure. These third-party evaluations help us identify and remediate any weaknesses. While Upcraft is not yet formally certified under frameworks like SOC 2 or ISO 27001, we continuously evaluate our controls against these standards and address any gaps. We are dedicated to continuously improving our security posture and will pursue relevant certifications or attestations as our company grows.

Note: Despite our robust security measures, no method of transmission over the Internet or electronic storage is 100% secure. Therefore, we cannot guarantee absolute security of data. However, we strive to use commercially reasonable means and best-in-class practices to protect your personal and business information. In the unlikely event of a security breach that affects your data, Upcraft will promptly notify you in accordance with applicable laws and will provide details of the incident and steps taken in response. Our incident response plan is designed to contain and mitigate breaches swiftly and learn from any incidents to further strengthen our safeguards.

User Responsibilities

While Upcraft works hard to secure the platform, our customers also play a vital role in protecting their data. We ask that you, as a user or administrator of an Upcraft AI account, take the following responsibilities seriously:

Account Security: Maintain the confidentiality of your account credentials. Use a strong, unique password for your Upcraft account (ideally stored in a password manager) and change it promptly if you suspect it has been exposed. If two-factor authentication (2FA) or single sign-on (SSO) is available, we strongly recommend enabling it for an extra layer of security. Never share your passwords or API keys with unauthorized persons, and be cautious of phishing attempts that might compromise your login information.

Authorized Use: Ensure that anyone you permit to use Upcraft (such as your team members or contractors) is authorized to view the data you store on the platform. Use the platform’s access controls (user roles, permissions settings) to limit data access appropriately within your organization. If you integrate Upcraft AI with your other systems (e.g., CRM or email), manage and protect any API tokens or integration keys just as carefully as your account login.

Data Legality and Consent: Only upload or process data through Upcraft that you have the legal right to use. If your data includes personal information about your customers or third parties, you are responsible for obtaining any necessary consents or providing any required notices to those individuals as per applicable privacy laws. Upcraft operates as your data processor, but you as the data controller must ensure that collecting and using the personal data in our platform is lawful. Do not use our service to store or share illegal content.

Monitoring and Response: Stay vigilant for any unusual activity on your Upcraft account. If you suspect that your account has been compromised or notice unauthorized access (for example, unrecognized devices or actions), notify us immediately at our security contact (see Contact Information below) so we can help secure your account. Similarly, if you believe there’s a vulnerability or bug in our platform that could affect security, please inform us right away. We encourage responsible disclosure and will not penalize users for reporting security issues in good faith.

Compliance with Policies: Adhere to Upcraft’s Terms of Service and any other applicable policies when using the platform. These policies are designed to maintain a secure and fair environment for all users. Violations of our terms—such as attempting to hack the service, abuse of the API, or misuse of other users’ data—can result in suspension or termination of access. By using Upcraft AI, you agree to use it in a manner that does not jeopardize the security of our systems or the data of any other user.

By following these responsibilities and best practices, you help us maintain a secure ecosystem. Security is a shared responsibility, and we appreciate your diligence in keeping your account and data safe. If you ever have questions about how to secure your use of Upcraft, please reach out to us for guidance.

Legal and Regulatory Considerations

Upcraft is mindful of the legal and regulatory requirements that apply to security and data privacy. We designed our policies and practices to align with major data protection laws and industry standards, but we do so in a way that is appropriate for a growing company (SMB) and without implying certifications we haven’t obtained. Key considerations include:

SOC 2 and Industry Standards: We strive to implement controls and processes consistent with the AICPA’s SOC 2 Trust Services Criteria (covering security, availability, processing integrity, confidentiality, and privacy). Upcraft has not yet completed a SOC 2 Type II examination (SOC 2 is an independent attestation report rather than a certification), but our internal security program is heavily informed by these criteria. For example, we emphasize continuous monitoring, rigorous change management, and risk assessment in line with SOC 2 guidance. As we mature, we may engage an auditor for a formal SOC 2 examination to provide independent validation of our controls. In the meantime, we aim to follow the SOC 2 criteria in substance, even though we cannot provide a SOC 2 report at this stage.

GDPR (General Data Protection Regulation): For customers operating in the European Economic Area (EEA) or handling personal data of EU individuals, Upcraft endeavors to support your GDPR compliance. Under GDPR definitions, you are likely the data controller of your customer personal data, and Upcraft acts as a data processor on your behalf. We will only process personal data based on your instructions (as described in this policy and our agreements). We uphold core GDPR principles such as data minimization, purpose limitation, and security of processing. We do not use personal data for purposes other than providing the service to you, and we assist with GDPR requests as needed. If an EU data subject requests access, correction, or deletion of their personal data that is stored in Upcraft, we will assist you in fulfilling that request. We also will enter into a Data Processing Addendum (DPA) with customers upon request, to contractually affirm our GDPR obligations and include Standard Contractual Clauses for data transfers from the EU.

International Data Transfers: Upcraft is based in the United States, and using our service will likely involve transferring and storing your data in the U.S. (and potentially other countries where our providers have infrastructure). When we transfer personal data from the EEA or other regions with data transfer restrictions, we rely on lawful transfer mechanisms (such as EU Standard Contractual Clauses) to ensure an adequate level of protection for the data. We commit to handling all personal data, regardless of origin, in accordance with this policy and applicable laws.

Other Privacy Laws: In addition to GDPR, we also consider other relevant privacy regulations such as the California Consumer Privacy Act (CCPA) and similar laws. For instance, although Upcraft does not sell personal information, we are prepared to honor valid consumer requests (like “Do Not Sell” preferences or data deletion requests) as required by such laws. Our Privacy Policy provides details on how individuals can exercise their rights under various privacy regulations. We continuously monitor the evolving legal landscape to adjust our practices and ensure compliance with new requirements that may arise (for example, new state privacy laws in the U.S. or updates to international frameworks).

Data Retention and Deletion: We retain customer data for as long as needed to provide services to you or as required for legitimate business or legal purposes. When you delete data through the Upcraft interface (such as removing a record or conversation) or request deletion of your account, we will securely erase or anonymize the personal data within a reasonable timeframe, except for any data we are required to keep by law or for mandatory record-keeping. Backup copies of data might persist for a limited period (due to regular backup cycles), but are protected and eventually overwritten in the normal course of operations. We can also accommodate specific data retention requirements or schedules if you need them for compliance reasons – please contact us to discuss any custom retention needs.

Breach Notification: In the unfortunate event of a data breach involving your personal data, Upcraft will follow all laws and regulations regarding breach notification. This means we will promptly inform affected customers and, if required, authorities about any unauthorized access to personal data. Our notification will include information about the nature of the breach, the data impacted, and the actions we are taking to remediate the issue and prevent future occurrences.

Upcraft’s goal is to be transparent and proactive about our legal and regulatory posture. We do not claim formal certifications or compliance badges that we haven’t earned; instead, we focus on meeting the underlying requirements to protect your data. We advise our customers to review our Privacy Policy and Terms of Service for additional legal details regarding data use and limitations of liability. This Security and Data Policy is intended to complement those documents by addressing practical questions about “how” we protect data. If you require further information to satisfy your internal risk or compliance assessments, we are happy to answer your questions or complete security questionnaires to the best of our ability.

Changes to This Policy

As our platform evolves and security best practices continue to advance, Upcraft may update this Security and Data Policy from time to time. We will post any changes to this page with a new “Last Updated” date to let you know when revisions occur. For significant changes that materially affect how we handle your data or your rights, we will provide a more prominent notice (such as an email notification or an in-app alert). We encourage our customers to periodically review this policy to stay informed about how we are protecting your information. Continued use of Upcraft after a policy update will constitute acknowledgment of the changes. However, if any changes are so substantial that they require your consent under applicable laws, we will seek that consent.

Contact Information

We value your trust and are committed to addressing any questions or concerns you have about security and privacy. If you have inquiries about this policy or our data practices, please contact us:

Email: info@upcraft.ai
Mailing Address: Upcraft AI, 2147 W. Thomas St., Chicago, IL 60622, USA

Security Reporting: If you discover a potential security vulnerability or incident, please email info@upcraft.ai with the relevant details. We request that you do so confidentially and give us the opportunity to investigate and mitigate before making any public disclosure. We take security reports seriously and will respond as promptly as possible.

Upcraft AI is dedicated to being a secure and trustworthy partner for your business. We appreciate the opportunity to serve you and remain committed to protecting your data with care and integrity. Your confidence is important to us, and we will continue to invest in security and data protection as top priorities. Thank you for choosing Upcraft AI.