1. Tenant isolation
Every organization's data is isolated at the database query level via organization_id global scopes — enforced by middleware on every request. This is not a UI filter you can bypass. Cross-tenant data access is architecturally impossible during normal operation.
2. Encryption
- TLS 1.3 for all data in transit
- Encryption at rest on the application database and backups
- API keys are hashed before storage — they are never visible in plaintext after creation
- Sensitive secrets (third-party API keys, OAuth tokens) are encrypted at rest
3. Authentication & access control
- Two-factor authentication (TOTP) available on every account, mandatory for staff
- Google SSO available; Enterprise plans can enforce SSO and 2FA org-wide
- Seven built-in roles with permissions scoped per product
- Global search results are permission-filtered, not just hidden in the UI
4. Infrastructure, backups & monitoring
- Application hosted on enterprise cloud infrastructure
- Automated nightly backups with point-in-time recovery
- Health checks every 15 minutes; SLA checks every 30 minutes for time-sensitive workflows
- Queue and job monitoring via Laravel Horizon
5. Audit logging
Sensitive actions across leads, blog posts, products, staff accounts, and organization settings are recorded in an audit log. Growth includes audit logging, and Enterprise extends retention to 12 months.
6. Payments
Payments are processed by Razorpay on its PCI-compliant infrastructure. We do not store full card numbers.
7. Responsible disclosure
If you believe you have found a security issue, please email [email protected] with a clear description and steps to reproduce. We aim to acknowledge within two business days and work in good faith to address valid reports.
Please give us reasonable time to address the issue before public disclosure, and do not access data that is not yours.
8. Compliance
We design LiftUp to support customers operating under regulations such as the EU GDPR and India's DPDP Act. We can sign appropriate data-processing terms with Enterprise customers on request.
9. Contact
For security questions or to coordinate a disclosure, email [email protected].
Other legal documents: Privacy Policy · Terms of Service · Cookie Policy · Security