
Security

Last updated: 5/13/2026

UpdatesPad holds the data your countertop shop runs on — your customers, your quotes, your jobs, your files. We take that seriously. This page explains how we protect it.

If you have a security question or want to report a vulnerability, email security@updatespad.com.

How we think about security

We're an early-stage company building software for an industry that hasn't had great software. That gives us a clean slate — and a responsibility to do this right from the start. Security isn't a checklist we'll tackle later; it's part of how the product is built.

We're not going to claim certifications we don't have. We don't currently hold SOC 2 or ISO 27001 — those are on the roadmap as the company grows. What we have today is a set of practices that align with those standards.

Where your data lives

UpdatesPad is built on Amazon Web Services (AWS), in the United States. AWS is one of the most secure cloud platforms in the world, and it handles the physical infrastructure — data centers, hardware, network — that UpdatesPad runs on.

Your data is stored in AWS services such as S3 (files) and DynamoDB (records), along with similar AWS services. It never leaves AWS infrastructure unless you explicitly send it somewhere (for example, when you push an invoice to QuickBooks).

We don't currently store data outside the United States. If we ever change that, we'll let you know.

How your data is protected

In transit

Every connection between your browser and UpdatesPad — and between UpdatesPad and any third-party service — is encrypted with TLS 1.2 or higher. That means anyone intercepting traffic between you and our servers gets gibberish, not your data.

At rest

Data stored in UpdatesPad is encrypted using AES-256 encryption, the same standard used by banks and the U.S. government for classified information.

Passwords

We never store passwords in plain text. Passwords are hashed using industry-standard algorithms with per-user salts. Even our team can't see your password.

Payment data

We don't store full credit card numbers. Payment processing runs through Stripe, which is PCI DSS Level 1 certified — the highest level of payment security compliance.

Sensitive credentials

When you connect a third-party service like QuickBooks, the access tokens are encrypted with AES-GCM before being stored. We never see your QuickBooks password.

Who can access your data

Access to customer data is limited to the people at UpdatesPad who need it to do their jobs — primarily for technical support and operations.

  • All access requires authentication and is logged
  • We use the principle of least privilege — people get the minimum access they need
  • Access is reviewed regularly and revoked when no longer needed
  • Production data is never used in development or testing environments

We will never access your data for any reason other than supporting your account, fixing technical issues, or responding to legal obligations. We won't browse your customer information, read your messages, or look at your files out of curiosity.

What we don't do with your data

This bears repeating from our Privacy Policy:

  • We don't sell your data.
  • We don't share your data with other UpdatesPad customers.
  • We don't use your data to train AI or machine learning models.
  • We don't share your data with anyone outside of running the service.

Backups and recovery

Your data is backed up automatically and continuously. We use AWS's built-in backup and replication features so that even in the event of a major incident, we can recover. We've designed the system to be resilient — most failures are invisible to you. We don't currently offer point-in-time data recovery as a customer-facing feature, but if you ever lose data due to user error or a system issue, contact us at support@updatespad.com and we'll do what we can to help.

Account security on your end

Most security incidents in SaaS happen because someone's password got compromised — not because the platform got hacked. A few simple things you can do:

  • Use a strong, unique password for your UpdatesPad account
  • Don't share your login credentials with team members — give each person their own account (it's free; we don't charge per user)
  • If a team member leaves, deactivate their account
  • If you suspect something is wrong with your account, email security@updatespad.com right away

We'll be adding two-factor authentication and single sign-on options as we grow.

How the Client Portal stays secure

When your customer accesses their project through the Client Portal:

  • They sign in with a magic link sent to the email you specified — no password required, no app to install
  • The link is single-use and time-limited
  • They can only see the project you've shared with them — not your other projects, not other customers' projects, and never your account-level settings or data

If you ever need to revoke a customer's access to a project, you can do that from inside UpdatesPad.

Vulnerability reporting

If you discover a security vulnerability in UpdatesPad, please tell us. We'll take it seriously and respond quickly. Email security@updatespad.com with:

  • A description of the issue
  • Steps to reproduce, if possible
  • Any other relevant details

Please don't publicly disclose the issue until we've had a chance to fix it. We don't currently have a formal bug bounty program, but we genuinely appreciate responsible disclosure and will acknowledge you publicly if you'd like.

What happens if something goes wrong

We hope it never does. But if there's a security incident that affects your data, here's what we commit to:

  • We'll investigate immediately
  • We'll fix the underlying issue
  • We'll notify affected customers as soon as we have a clear picture of what happened
  • We'll be transparent about what occurred, what data was affected, and what we're doing about it

This is the kind of moment a company's reputation is made or broken on. We'd rather get it right than try to hide.

What's on the roadmap

A few things we don't have today but are working toward:

  • SOC 2 Type II certification — the standard B2B SaaS audit for security, availability, and confidentiality
  • Two-factor authentication for UpdatesPad accounts
  • Single sign-on (SSO) for shops that use it
  • Custom data retention policies for businesses that need them
  • Audit logs that customers can access directly

These aren't promises with specific timelines — they're directions. If any of them matter to your evaluation, ask us.

Contact

Security questions, concerns, or vulnerability reports:

security@updatespad.com

UpdatesPad LLC

Reston, VA