RampedUp manages large-scale contact and company data, and data security is a core priority. We maintain formal, documented information security policies and procedures that are:
- Approved by senior management
- Communicated to staff and available for reference
- Assigned clear ownership and responsibilities
- Enforced with disciplinary provisions for non-compliance
- Reviewed periodically for continued relevance
Employees are required to acknowledge our Code of Conduct and confidentiality obligations, and we maintain a vendor risk assessment program and supporting policies (Information Security Policy, Privacy Policy, Code of Conduct, Incident Response Plan, Data Retention, etc.).
Infrastructure, Hosting & Third Parties
- RampedUp is hosted on Amazon Web Services (AWS).
- We use AWS Key Management Service (KMS) and AES-256 encryption for system backups and key management.
- We use AWS Backup with automatic redundancy restoration to protect against disk failures and maintain data integrity.
- We monitor AWS programs regularly (including cost, security, and effectiveness) and maintain a structured third-party / sub-processor review process.
- Sub-processors are listed publicly, https://rampedup.io/sub-processors
Data Protection & Encryption
RampedUp uses a layered approach to data protection:
- Encryption in transit and at rest
- Data in transit is protected using TLS 1.2.
- Data at rest and backups are encrypted using industry-standard strong encryption, including AES-256 via AWS KMS.
- Cryptographic erasure
- When an account expires or is closed, associated data is deleted using cryptographic erasure to ensure it is no longer recoverable.
- Secure deletion & retention
- Admin users have permissions to delete data from our service.
- Data provided for specific client relationships is securely deleted or returned at the end of the term using cryptographic erasure.
We also protect sensitive information (e.g., login data) with appropriate access controls, encryption, and segregation of duties.
Password Policy
RampedUp’s Password Policy applies to anyone with access to company systems and data. It requires strong passwords (at least 12 characters with a mix of upper/lowercase, numbers, and special characters), regular password changes every 90 days, and prohibits reuse of the last 5 passwords.
- Passwords must never be stored in plain text, emailed, shared, or written down, and must be kept confidential at all times.
- After 10 failed login attempts to defend against brute-force attacks. Password resets and account recovery must follow secure, verified procedures.
The policy also requires regular security awareness training, ongoing monitoring of compliance by IT, and notes that non-compliance can lead to loss of access, disciplinary action, or legal consequences. The policy is reviewed periodically to keep up with changing technology and threats.
Retention & Deletion
We apply a defined retention policy and do not retain data longer than necessary.
- Certain datasets are not republished if they have not been refreshed within a defined period (e.g.15 months).
- RampedUp practices Data minimization, or the principle of collecting, processing, and storing only the minimum amount of personal data that is necessary for a specific, defined purpose.
- At the end of a contract or account lifecycle, data is deleted via cryptographic erasure as described above.
We do not source data from sites that are targeted to minors or obviously soliciting minors.
Monitoring, Logging & Incident Response
We maintain a formal Incident Response Plan, covering preparation, identification, containment, investigation, eradication, recovery, follow-up, and monitoring.
Key practices include:
- Use of AWS services (e.g., CloudTrail, VPC Flow Logs) for logging and monitoring key systems
- Retention of monitoring logs for approximately 30–90 days, with periodic review
- Ability to quickly isolate affected systems (e.g., via security group changes)
- Secure wiping and Key Management Service (KMS)–based cryptographic controls where applicable
Breach notification & History
- In the event of a personal data breach involving client data, we will notify affected customers within 72 hours of becoming aware, consistent with GDPR expectations.
- Impacted Persons will be notified within 14 business days.
- RampedUp reported no personal data breaches in the prior three years.
Business Continuity & Disaster Recovery
RampedUp maintains a Business Continuity Management System (BCMS):
- Aligned with ISO 22301 (Business Continuity Management) – aligned but not formally certified.
- Documented Business Continuity Plans (BCP) and Disaster Recovery (DR) procedures are in place and tested periodically.
- AWS documents a series of controls for their hosting infrastructure. Critical data is backed up and available offsite via AWS Backup, with encrypted and redundant storage. Access to hosting facilities is limited, logged, and monitored.
We set and monitor clear recovery objectives and regularly test our DR and communication plans (test reports are maintained internally).
Governance, Training & Compliance
- Key staff receive security and privacy awareness training, including responsibilities within our BCMS and incident response processes.
- We comply with applicable local privacy laws inside and outside the United States, including EU/UK data protection laws and US state privacy laws such as CCPA/CPRA.
- We maintain a Data Protection Officer (DPO) function and a 23-point vendor risk assessment for key suppliers and sub-processors.
Access Control & Authorized Users
- With the exception of information published for public consumption, only formally authorized users may access RampedUp systems, each with a unique user identity.
- By design, RampedUp employees do not have access to customer passwords.
- Role-based access control: System Administration, Instance Administration, and User, each with scoped access to customer, partner, or user data to support least-privilege access.
- Directors responsible for information systems must ensure systems are protected from unauthorized access, secured against theft and damage, used for intended purposes, and that third parties entrusted with data understand and uphold security responsibilities.