Upstash has a set of features to help you secure your data. We list them below, and at the end of the section we list the best practices for improving the security of your database.
TLS
TLS is an optional feature which you can enable while creating your database. Once TLS is enabled, the data transfer between the client and the database is encrypted. We strongly recommend enabling TLS for production databases.
Redis ACL
With Redis ACL, you can improve security by restricting a user's access to commands and keys, so that untrusted clients have no access and trusted clients have just the minimum required access level to the database. Moreover, it improves operational safety, so that clients or users accessing Redis are not allowed to damage the data or the configuration due to errors or mistakes. Check the Redis ACL documentation. If you are using the REST API, you can still benefit from ACLs as explained here.
Database Credentials
When you create a database, a secure password is generated. Upstash keeps the password encrypted. Use environment variables or your provider's secret management system (e.g. AWS Secrets Manager, Vercel Secrets) to keep it. Do not hardcode it in your code. If your password is leaked, reset it using the Upstash console.
Encryption at Rest
Encryption at rest can be enabled, which encrypts the block storage where your data is persisted. It is only supported for Enterprise databases.
Application Level Encryption
Client-side encryption can be used to encrypt data throughout the application lifecycle and helps protect data in use. It comes with some limitations: operations that must operate on the data, such as increments, comparisons, and searches, will not function properly, because the server only ever sees ciphertext. You can write client-side encryption logic directly in your own application or use functions built into clients such as the Java Lettuce cipher codec. We have plans to support encryption in our SDKs.
IP Allowlist
You can restrict access to your database to a set of IP addresses. This is quite a strong way to secure your database, but it has some limitations. For example, you cannot know the IP addresses in serverless platforms such as AWS Lambda and Vercel Functions. This feature is only supported for Enterprise databases.
TLS Mutual Authentication
mTLS ensures two-way authentication, where the client and the server authenticate each other at the same time in the authentication protocol. No client can access the database without the certificate. The user downloads the certificate and uses it in their client. This feature is only supported for Enterprise databases.
VPC Peering
VPC Peering enables you to connect to Upstash from your own VPC using private IPs. The database will not be accessible from the public network. The database and your application can run in the same subnet, which also minimizes data transfer costs. VPC Peering is only available for Enterprise databases.
AWS Private Link
AWS Private Link provides private connectivity between your Upstash database and your Redis client inside the AWS infrastructure. Private Link is only available for Enterprise databases.
Upstash Legal & Security Documents
- Upstash Terms of Service
- Upstash Data Processing Agreement
- Upstash Technical and Organizational Security Measures
- Upstash Subcontractors
Is Upstash SOC2 Compliant?
Upstash applies the controls listed under SOC2 compliance and is in the process of SOC2 certification. Contact us (firstname.lastname@example.org) to learn about the expected certification date.
Is Upstash ISO-27001 Compliant?
We are in the process of getting this certification. Contact us (email@example.com) to learn about the expected date.
Is Upstash GDPR Compliant?
Is Upstash HIPAA Compliant?
Upstash is currently not HIPAA compliant. Contact us (firstname.lastname@example.org) if HIPAA is important for you and we can share more details.
Is Upstash PCI Compliant?
Upstash does not store personal credit card information. We use Stripe for payment processing. Stripe is a certified PCI Service Provider Level 1, which is the highest level of certification in the payments industry.
Does Upstash conduct vulnerability scanning and penetration tests?
Yes, we use third-party tools and work with pen testers. We share the results with Enterprise customers. Contact us (email@example.com) for more information.
Does Upstash take backups?
Yes, we take regular snapshots of the data cluster to the AWS S3 platform.
Does Upstash encrypt data?
Customers can enable TLS while creating a database/cluster, and we recommend it for production databases/clusters. We also encrypt data at rest at the request of customers.