Security & Data Protection
Your customer data is the backbone of your business. At UppalCRM, protecting it is not an afterthought — it is built into every layer of our platform.
Your Data, Your Property
You own your data. Period.
Everything you store in UppalCRM — contacts, accounts, transactions, leads, notes, communication history — belongs to you. We will never sell, share, or use your data for any purpose other than providing you with CRM services.
- Export anytime. Download your data in CSV format from any module, at any time, at no extra charge.
- No lock-in. If you decide to leave UppalCRM, your data remains available for export during your subscription and for 30 days after cancellation.
- Permanent deletion. 30 days after account cancellation, all your data is permanently and irreversibly deleted from our systems, including backups.
Encryption
All data is encrypted both at rest and in transit using industry-standard protocols.
In transit: All connections between your browser and UppalCRM are encrypted using TLS 1.2 or higher. This ensures that data cannot be intercepted or read while travelling over the internet.
At rest: Your data is stored using AES-256 encryption — the same standard used by banks, governments, and leading CRM platforms. Encryption keys are managed by Microsoft Azure’s Key Management Service and are never accessible to our team.
Backup & Recovery
Data loss — whether from human error, software bugs, or unexpected events — is one of the biggest risks any business faces. UppalCRM protects against this with automated, hands-off backup infrastructure.
Automated daily backups. Your data is backed up continuously without any action required from you.
35-day recovery window. We can restore your data to any point in time within the last 35 days. If something goes wrong today, we can take you back to yesterday, last week, or last month.
Geo-redundant storage. Backup copies are stored in a geographically separate data center. Even in the unlikely event that an entire data center goes offline, your backups remain safe and recoverable.
In-place recovery. Unlike some providers that create an entirely new environment when restoring data, our recovery process restores your data directly — no disruption to your account setup or configuration.
Infrastructure
UppalCRM is hosted on trusted, enterprise-grade cloud infrastructure.
Database: Microsoft Azure Database for PostgreSQL — a fully managed, enterprise-grade database platform with built-in high availability, automated patching, and continuous monitoring.
Application: Hosted on Render, a modern cloud platform with zero-downtime deployments, automatic TLS certificates, and DDoS protection.
Region: Our primary infrastructure is located in the United States (West US). All data is stored and processed within this region.
Tenant Isolation
UppalCRM is a multi-tenant platform, meaning multiple businesses share the same infrastructure. However, your data is completely isolated from every other customer.
Row-Level Security (RLS). Every database query is automatically scoped to your organization at the database level. This is not application-level filtering — it is enforced by PostgreSQL itself, making cross-tenant data access structurally impossible.
What this means for you: Even if there were a bug in our application code, the database would still prevent any other customer from seeing your data. This is the same isolation approach used by leading enterprise SaaS platforms.
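For readers evaluating this control, the following added example (not UppalCRM's actual schema or code) shows how PostgreSQL row-level security scopes every query to one tenant. The table, role, and `app.current_org` setting names are hypothetical, and the organization IDs are constructed sample values.

```sql
-- Hypothetical names throughout; run as a superuser in a scratch database.
CREATE TABLE contacts (
    id              bigserial PRIMARY KEY,
    organization_id uuid NOT NULL,
    full_name       text NOT NULL
);

-- The application role must be neither superuser nor BYPASSRLS:
-- both attributes skip row-level security entirely.
CREATE ROLE crm_app NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON contacts TO crm_app;
GRANT USAGE ON SEQUENCE contacts_id_seq TO crm_app;

-- ENABLE turns policies on; FORCE also applies them to the table owner.
ALTER TABLE contacts ENABLE ROW LEVEL SECURITY;
ALTER TABLE contacts FORCE ROW LEVEL SECURITY;

-- USING filters rows that are read, updated or deleted;
-- WITH CHECK validates rows that are inserted or updated.
-- current_setting() without missing_ok raises an error when the
-- setting is absent, so a request with no tenant context fails closed.
CREATE POLICY tenant_isolation ON contacts
    USING      (organization_id = current_setting('app.current_org')::uuid)
    WITH CHECK (organization_id = current_setting('app.current_org')::uuid);

-- Constructed sample rows for two tenants (the superuser bypasses RLS here).
INSERT INTO contacts (organization_id, full_name) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Tenant A contact'),
    ('22222222-2222-2222-2222-222222222222', 'Tenant B contact');

-- What the application would do once per request.
BEGIN;
SET LOCAL ROLE crm_app;
-- Third argument true = transaction-local, so the value cannot leak
-- to the next request that reuses a pooled connection.
SELECT set_config('app.current_org',
                  '11111111-1111-1111-1111-111111111111', true);

-- No WHERE clause: the policy limits this to the organization set above.
SELECT id, full_name FROM contacts;

-- WITH CHECK rejects a write that names any other organization.
INSERT INTO contacts (organization_id, full_name)
VALUES ('22222222-2222-2222-2222-222222222222', 'Cross-tenant write');
ROLLBACK;
```

When assessing an RLS deployment, confirm that the application's database role lacks `SUPERUSER` and `BYPASSRLS` and that every tenant-scoped table has a policy, since a table without RLS enabled is not filtered at all.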
Authentication & Access Controls
Secure passwords. All passwords are hashed using bcrypt with per-user salts. We never store passwords in plain text. Even our own team cannot see or retrieve your password.
Role-based access. UppalCRM supports three user roles — Admin, User, and Viewer — each with different levels of access. Admins can manage team members, configure settings, and access all data. Users can manage customer records within their assigned scope. Viewers have read-only access.
Session management. Authentication is handled via secure JWT tokens with automatic expiration. Inactive sessions are terminated to reduce the risk of unauthorized access.
Application Security
Our application is built with security-first development practices.
Input validation. All user inputs are validated and sanitized to prevent SQL injection, cross-site scripting (XSS), and other common attack vectors.
Rate limiting. API requests are rate-limited per user and per IP address to prevent abuse and brute-force attacks.
Security headers. We implement industry-standard HTTP security headers including Content Security Policy, X-Frame-Options, and Strict-Transport-Security.
Suspicious activity detection. Our backend monitors for and logs suspicious request patterns including potential injection attempts and path traversal attacks.
Uptime
We are committed to keeping UppalCRM available when you need it.
99.9% uptime target. Our infrastructure is designed for high availability with redundancy built into every layer.
Zero-downtime deployments. When we release updates, your CRM remains fully operational throughout the process. No maintenance windows, no scheduled outages.
Monitoring. Our systems are monitored around the clock. We are alerted immediately when any service experiences degradation.
Development Practices
Separate environments. We maintain completely separate Development, Staging, and Production environments. Changes are tested in non-production environments before being deployed to production. Development tools and personnel have no access to production data or credentials.
Version control. All code changes go through a structured review and deployment process. Every change is tracked and can be rolled back if needed.
What We Are Working Toward
We believe in being transparent about where we are and where we are headed.
Currently in place: Encryption (AES-256 at rest, TLS in transit), automated backups with 35-day retention, row-level tenant isolation, role-based access controls, secure development practices.
On our roadmap: SOC 2 Type II certification, GDPR compliance tooling (right-to-be-forgotten, consent management), formal incident response plan, third-party penetration testing.
We will update this page as we achieve each milestone.
Questions?
If you have questions about our security practices or need additional information for your organization’s vendor assessment, please contact us at security@uppalcrm.com.