Security Questionnaire

Security QuestionnaireSOC 2 Style Answers

Comprehensive answers to security and compliance questions for enterprise vendor assessments, procurement reviews, and security evaluations

Security Questionnaire

Security Questionnaire Answers

Comprehensive answers to common security and compliance questions for enterprise customers and vendor assessments

Security Controls

What security certifications does UptimeMatrix maintain?

UptimeMatrix does not currently maintain independent certifications such as SOC 2 Type II or ISO 27001/9001. Security controls are designed to align with those frameworks for customer diligence. The platform implements secure-by-design practices, encryption, access controls, and monitoring; we provide documentation for vendor assessments.

How is data encrypted in transit and at rest?

All data in transit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256 encryption. Encryption keys are managed using industry-standard key management systems and are never stored in plain text. All database backups are also encrypted.

What access controls and authentication methods are supported?

UptimeMatrix supports multiple authentication methods including email/password, multi-factor authentication (MFA), and single sign-on (SSO) via SAML 2.0 for enterprise customers. Access controls include role-based permissions, organization-level access management, IP allowlisting, and comprehensive audit logging of all access and actions.

How are security vulnerabilities managed?

We conduct regular vulnerability assessments, security scanning, and penetration testing. Critical vulnerabilities are patched immediately, and all security updates are tested before deployment. We maintain a vulnerability disclosure program and respond promptly to security reports.

Data Protection

What data protection measures are in place?

We implement comprehensive data protection measures including encryption at rest and in transit, secure data storage, access controls, data classification, data retention policies, and secure data deletion procedures. All data processing follows privacy-by-design principles.

How is customer data isolated and protected?

Customer data is logically isolated using multi-tenant architecture with strict access controls. Each customer's monitoring data is segregated and accessible only through authenticated and authorized access. We implement network segmentation and database-level isolation to ensure data protection.

What data retention and deletion policies are in place?

We maintain data retention policies aligned with regulatory requirements. Customer data is retained for the duration of the service agreement and deleted according to our data retention schedule. Customers can request data deletion at any time, and we honor deletion requests within 30 days.

How is data backup and disaster recovery handled?

We maintain encrypted backups of all critical data with automated backup procedures. Backups are stored in geographically distributed locations. We have documented disaster recovery procedures and conduct regular disaster recovery testing. Recovery Time Objective (RTO) is 4 hours, and Recovery Point Objective (RPO) is 1 hour.

Access Management

What identity and access management controls are implemented?

We implement role-based access control (RBAC) with least privilege principles. All user access is authenticated and authorized. We support MFA for all accounts and SSO for enterprise customers. Access reviews are conducted regularly, and inactive accounts are automatically disabled.

How are privileged access and administrative accounts managed?

Privileged access is restricted to authorized personnel only and requires additional authentication. Administrative accounts are monitored and logged. We implement separation of duties and require approval for privileged access changes. All administrative actions are logged and audited.

What employee security training and background checks are conducted?

All employees undergo security awareness training upon hire and annually thereafter. We conduct background checks for all employees in accordance with applicable laws. Employees with access to customer data receive additional security training and sign confidentiality agreements.

How is access terminated when employees leave?

Access termination procedures are executed immediately upon employee departure. All system access, including cloud services, databases, and applications, is revoked. We conduct access reviews to ensure no orphaned accounts remain. Exit interviews include security reminders about confidentiality obligations.

Monitoring & Logging

What security monitoring and logging capabilities are in place?

We implement 24/7 security monitoring with automated threat detection. All system events, access attempts, and administrative actions are logged. Logs are retained for at least 90 days and are protected from tampering. We use Security Information and Event Management (SIEM) tools for log analysis.

How are security incidents detected and responded to?

We have automated security monitoring that detects anomalies and potential security incidents. Our Security Operations Center (SOC) responds to incidents 24/7. We maintain an incident response plan and conduct regular incident response drills. Critical incidents are escalated immediately to senior management.

What audit logging capabilities are available?

Comprehensive audit logs capture all user actions, system changes, data access, and administrative activities. Logs include timestamps, user identifiers, actions performed, and results. Enterprise customers can access audit logs through the platform API. Logs are tamper-evident and retained according to our retention policy.

How are security events and alerts managed?

Security events are automatically detected and categorized by severity. High-severity events trigger immediate alerts to our security team. We maintain alerting thresholds and tune them regularly to reduce false positives. Security events are tracked through resolution and documented in incident reports.

Network Security

What network security controls are implemented?

We implement multi-layer firewall protection, network segmentation, DDoS mitigation, and intrusion detection systems. All network traffic is monitored and logged. We use secure network protocols and maintain network security policies. Regular network security assessments are conducted.

How is DDoS protection handled?

We use advanced DDoS mitigation services with automatic traffic filtering. Our infrastructure is designed to handle volumetric attacks and maintain service availability. We maintain DDoS response procedures and conduct regular DDoS testing. Network capacity is scaled to handle attack traffic.

What network segmentation and isolation measures are in place?

We implement network segmentation to isolate production, staging, and development environments. Customer data networks are isolated from public-facing networks. We use virtual private networks (VPNs) for remote access and implement network access controls.

How are network changes managed and controlled?

All network changes require approval and are documented. Network changes are tested in non-production environments before deployment. We maintain network change logs and conduct regular network configuration reviews. Emergency network changes are documented and reviewed post-implementation.

Compliance & Audits

What compliance standards does UptimeMatrix align with?

UptimeMatrix maps controls to themes common in SOC 2 Type II, ISO 9001/27001, GDPR, CCPA, and HIPAA customer programs. We are not independently certified under those frameworks unless separately published. We maintain security and privacy documentation and perform regular internal assessments.

What third-party security audits are conducted?

We conduct regular third-party security audits and penetration testing. Security audits are performed annually by independent security firms. Audit reports are available to enterprise customers upon request. We address audit findings promptly and track remediation.

What compliance documentation is available?

Enterprise customers can request security summaries, control descriptions, data processing agreements (DPAs), and completed security questionnaires. We provide materials suitable for vendor diligence—not a SOC 2 report unless one is formally issued. Documentation requests are typically fulfilled within 3-5 business days.

How are compliance requirements maintained over time?

We maintain a compliance program with regular compliance assessments and gap analyses. Compliance controls are reviewed and updated regularly. We track regulatory changes and update our compliance posture accordingly. Compliance training is provided to all relevant personnel.

Request Full Security Questionnaire

Enterprise customers can request a complete security questionnaire document covering all security, compliance, and operational controls. The questionnaire is available in standard formats including SOC 2, ISO 27001, and custom formats.

Comprehensive security controls documentation
Standard questionnaire formats (SOC 2, ISO 27001)
Custom questionnaire formats available
Typically delivered within 3-5 business days