Home/Security & Compliance
● Security

Security at Huup.

Your commerce data is the operating system of your business. We treat it like it's ours — encrypted in transit and at rest, locked down with MFA, backed up daily, hosted on AWS in the EU/UK.

Last updated: 2 June 2026 · Report vulnerabilities to security@huup.com

Transport
TLS 1.3
Modern TLS for every connection. HSTS preloaded.
Data residency
EU / UK
Customer data stored in AWS eu-west-2 (London) and eu-central-1 (Frankfurt).
Authentication
MFA enforced
Time-based OTP required for all workspace owners and admins.
Backups
Daily
Encrypted, off-cluster, 30-day retention with point-in-time recovery.
GDPR
Compliant
DPA available, SCCs for transfers, full data subject rights workflow.
Hosting
AWS
Built on AWS managed services — RDS, S3, ElastiCache, Lambda, KMS.
● Infrastructure

Built on AWS, in the regions you'd expect.

Huup runs entirely on AWS managed services. Production workloads are deployed across multiple availability zones in eu-west-2 (London) with disaster-recovery capacity in eu-central-1 (Frankfurt). No customer data leaves the EU/UK region without an explicit opt-in.

  • VPC-isolated production with private subnets — no direct internet access for app or database nodes.
  • WAF + Cloudflare in front of every public endpoint.
  • Infrastructure-as-code via Terraform with peer review on every change.
● Encryption

Encrypted in transit and at rest.

Every connection — browser, API, internal service-to-service — uses TLS 1.3 with modern cipher suites. HSTS is preloaded. We do not accept plaintext HTTP.

Data at rest is encrypted with AES-256 using AWS KMS-managed keys. This includes databases (RDS), object storage (S3), backups, snapshots and logs. Keys rotate annually.

● Access controls

Least privilege, MFA everywhere.

  • MFA enforced for all workspace owners and admin roles. TOTP-based, no SMS.
  • Role-based access — office vs warehouse, fine-grained per-feature scopes.
  • SSO via SAML available on Enterprise plans.
  • Audit log for sensitive actions: API key issuance, member changes, data exports, integration credential changes.
  • Internal Huup staff access requires SSO + MFA + JIT approval. Production access is logged.
● Tenant isolation

Database-per-tenant by default.

Each enterprise tenant runs on a dedicated database with a dedicated connection string. There is no shared schema between customers — queries cannot leak across tenants because there is no shared table to leak from.

API authentication is scoped per tenant and per key. Cross-tenant requests return 403, full stop.

● Backups & recovery

Daily backups. 30-day point-in-time recovery.

  • Automated daily snapshots of every tenant database, encrypted, stored cross-region.
  • Point-in-time recovery within a 30-day window.
  • Restore drills run quarterly — measured RTO < 4h, RPO < 15min.
  • Object storage uses S3 versioning with lifecycle policies; deleted files recoverable for 30 days.
● Vulnerability management

Patched, scanned, monitored.

  • Dependencies scanned continuously via Dependabot & Snyk. Criticals patched within 24h, highs within 7 days.
  • Container images rebuilt nightly with latest base layers.
  • External penetration test annually by an independent firm.
  • Static analysis (SAST) and secret scanning on every pull request.
● Compliance

Where we are. Where we're going.

GDPR (UK & EU)
Compliant
Full data subject rights workflow. DPA available on request.
SOC 2 Type II
In progress
Targeting initial Type II report by Q4 2026.
ISO 27001
Planned 2027
Stage-1 audit scoped for H1 2027.
PCI DSS
SAQ-A (Stripe)
Card data never touches Huup infrastructure — handled by Stripe.
● Sub-processors

Who else processes your data.

We use a small set of vetted sub-processors to run Huup. Each is bound by a Data Processing Agreement. We give 30 days' notice before adding new sub-processors that handle customer data.

Sub-processorPurposeRegion
Amazon Web ServicesCloud hosting, compute, storage, databasesEU (Ireland, Frankfurt) · UK (London)
StripePayment processing and subscription billingGlobal · GDPR DPA
PostmarkTransactional email deliveryEU
CloudflareCDN, DNS, WAF, DDoS protectionGlobal
Customer.ioLifecycle messaging (opt-in marketing)EU
● Incident response

If something goes wrong, you hear from us.

We maintain a documented incident response plan with on-call rotation, severity classification and clear comms channels. For incidents affecting customer data, we will notify impacted customers within 72 hours of confirmed scope (GDPR Art. 33 timeline), with a follow-up post-mortem.

Status and ongoing incidents are posted at status.huup.com.

● Vulnerability disclosure

Found something? We want to know.

If you believe you've discovered a security issue, please email security@huup.com. We commit to acknowledging within 24 business hours and to working with you in good faith. We do not currently run a paid bounty programme, but we recognise responsible disclosure on our security hall of fame.

Please do not perform testing that degrades service, accesses other customers' data, or violates applicable law.

This page is provided for transparency and is not a contract. The legally binding terms governing security obligations are set out in your Terms of Service, Privacy Policy and (where applicable) Data Processing Agreement. We update this page as our practices evolve.