PlatformSolutionsSecurityPricingResourcesLog inBook a demo
Security & compliance

Security isn't a feature.
It's the foundation.

UpShyft is built for the reality that you handle your clients' most sensitive financial data. Here's how we protect it — in plain terms.

Encryption

Your sensitive data is encrypted — and never sits in the clear.

The fields that matter — like parsed credit data — are encrypted before they're stored, and isolated per brokerage. Even in a worst case, there's nothing usable to read.

Encrypted at the field level

Sensitive data is protected the moment it's stored — not left as plaintext.

Isolated per brokerage

Your clients' data is walled off from every other firm on the platform.

Minimal by design

We keep only what the job needs, and retain nothing we don't.

Encrypted at rest
Credit dataIntegration tokensSensitive fields
Protected before it's stored, and isolated per brokerage.

Every brokerage's data is isolated.

One brokerage can never see another's clients, reports, or configuration — isolation is enforced at the core of the system, not just the interface.

We keep the minimum, and retain even less.

We collect the least data required. Raw credit-report PDFs aren't retained after parsing — the encrypted parse is the record. Client erasure removes the data; brokerage teardown crypto-shreds the keys.

Access is earned, not open.

Access is invite-only — there's no open signup. Staff roles and granular permissions gate who can see and do what. Multi-factor authentication for staff is on the security roadmap.

Least data to any vendor.

API lending and data vendors receive only what their specific service needs — that boundary is disclosed, not hidden. We never sell data to brokers.

The argument

SSNs and credit logins don't belong in a CRM.

A common industry pattern stores full SSNs, ID documents, and even clients' credit-monitoring passwords as plaintext fields in a CRM — readable by every seat and integration. UpShyft is the opposite.

The typical CRM pattern

Full SSNs stored as plaintext fields
Credit-monitoring passwords in a note
Readable by every seat and integration
One breach exposes everything

UpShyft

Sensitive fields encrypted at the field level
Per-brokerage keys, held outside the database
Your CRM receives only scores, statuses, tags, links
A leaked database reveals only ciphertext
Compliance by design

Regulation is a design input, not a bolt-on.

We treat FCRA (credit data + permissible purpose), consent capture, and privacy regulation as inputs from day one. Consent is captured at account creation; sensitive-data handling is documented internally.

On certifications

SOC 2 Type II is on our roadmap and pursued when customers require it. We don't claim certifications we don't hold — that honesty is a trust signal, not a gap.

FCRA-awareConsent at signupSOC 2 — roadmap
Security FAQ

Straight answers.

Do you store raw credit reports? +

No. Raw credit-report PDFs aren't retained after parsing — the encrypted parse is the record. That parsed data is itself field-level encrypted.

Is my clients' data shared? +

Only with the specific vendor performing a requested service (e.g. an API lender or data provider), and only the data that service needs. That boundary is disclosed, not hidden. We never sell data.

Is this end-to-end encrypted? +

No — and honestly, E2EE would be a category mismatch. The platform has to read client data to evaluate readiness and advise. Instead we use strong at-rest field-level encryption plus tight access control, which is the right model for this job.

What happens to data when a client is deleted? +

Client erasure removes the data. When a whole brokerage is torn down, we crypto-shred the keys — with the key gone, the encrypted data is unrecoverable.

Are you SOC 2 certified? +

Not yet. SOC 2 Type II is on our roadmap and pursued when a customer requires it. We message architecture we actually run — encryption, isolation, retention — rather than badges we don't hold.

Due diligence welcome

Have a security questionnaire? Talk to us.

We'll walk your team through the architecture and answer every question in detail.