Freight finance runs on sensitive data. We take that seriously, from the infrastructure we run on to how we use AI responsibly in the product.
SOC 2 Audited
Encrypted at Rest & in Transit
No Training on Customer Data
AES-256 Encryption
US-Based Data Residency
Role-Based Access Controls
Infrastructure & Data Security
Your data is protected at every layer
From the moment a document enters Upwell to the moment a payment is confirmed, customer data is encrypted, isolated, and handled with enterprise-grade controls.
Encryption at Rest & in Transit
All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher.
US-Based Data Residency
Customer and carrier data is stored in US-based infrastructure. We do not transfer freight data outside the United States.
Role-Based Access Controls
Access to customer data is governed by least-privilege principles. Multi-factor authentication is enforced on major internal systems.
Data Isolation
Customer and carrier data is logically isolated using strict tenant-based access controls. Our architecture is designed to prevent cross-tenant data access at both the application and data layers.
Backup & Recovery
We maintain 30 days of live rollback history with point-in-time recovery, backed by weekly backups for long-term retention. Our infrastructure is built for availability with defined recovery time objectives.
Penetration Testing
Third-party penetration testing is conducted annually. Critical findings are remediated on an accelerated timeline with documented resolution.
Compliance & Certifications
Verified, not just claimed
We completed our SOC 2 audit because our customers, especially in enterprise freight and financial services, need third-party verification, not just our word for it.
SOC 2 Audit
Upwell has successfully completed a SOC 2 audit covering Security, Availability, and Confidentiality trust service criteria. Our report is available to qualified prospects and customers under NDA.
Security Questionnaires
We are prepared to complete your organization's security questionnaire. Our security and compliance team responds to enterprise reviews within 5 business days.
Vulnerability Disclosure
We maintain a responsible disclosure policy. Security researchers who identify vulnerabilities can report them directly to our security team for prompt review and remediation.
Subprocessor Transparency
We maintain a current list of third-party subprocessors, including cloud infrastructure and AI providers. Data processing agreements are in place with our primary subprocessors.
Request our SOC 2 Report
Available to qualified prospects and existing customers under a mutual NDA. Reach out to your Upwell contact or via the demo request form and our security team will follow up within 2 business days.
Responsible AI
How we use AI, and what we don't do
AI is central to what Upwell does. We use it to read documents, extract data, and validate invoices at a scale no human team could match. That comes with real responsibilities, and we take them seriously.
In the Product
How AI powers Upwell's document intelligence
Upwell uses leading AI providers — including OpenAI, Anthropic, and Google — to parse and extract data from carrier documents: bills of lading, PODs, rate confirmations, and invoices.
Document text and images are processed in Upwell's isolated environment. AI processing is architecturally separated from partner and shipper systems.
AI outputs are validated by Upwell's rules engine before any action is taken. The system does not make unilateral decisions: every match is verified.
When the AI cannot match with sufficient confidence, the invoice is flagged for human review rather than processed incorrectly.
Model accuracy is monitored continuously. We maintain audit trails of all AI-assisted decisions for review and accountability.
Internal Development
How we use AI to build and improve the product
Our engineers use AI-assisted development tools to build and improve the product.
We use enterprise-grade AI provider APIs under contracts that prohibit providers from using your data to train their models. Your data is processed and returned; it does not feed public AI training sets.
AI providers process documents via API under contracts that include data isolation and prohibit using API inputs to train their models.
Our data commitment, plainly stated
Your data will not feed public AI training sets. We use enterprise-grade AI provider APIs under data processing agreements that explicitly prohibit providers from training their models on API inputs. Your data is processed and returned — not stored or reused by our AI providers. Upwell may use anonymized, aggregated patterns to improve product accuracy over time; no company, carrier, or load is ever identifiable in that process.
Common Questions
What customers ask us about security
These are the questions we hear most often from compliance officers, IT reviewers, and enterprise buyers. We'd rather answer them here than make you ask.
Document text and images are sent to third-party AI provider APIs for processing — that's how we extract data at scale. This happens in Upwell's isolated environment, under data processing agreements that prohibit AI providers from using API inputs for model training. The data is processed and returned; it is not stored by our AI providers or used beyond your transaction.
No. We exclusively use enterprise-grade AI provider APIs — including leading providers such as OpenAI, Anthropic, and Google — under data processing agreements that contractually prohibit them from using API inputs to train their models. Your data is processed and returned; it does not feed any public AI training set. Upwell may improve product accuracy over time using anonymized, aggregated patterns, but no company, carrier, or load is ever identifiable in that process.
AI outputs are validated by Upwell's rules engine before any action is taken. When confidence falls below threshold, the invoice is automatically flagged for human review rather than processed incorrectly. Every AI-assisted decision is logged in a full audit trail available for review.
All customer and carrier data is stored in US-based cloud infrastructure. Access is governed by role-based controls and least-privilege principles, meaning Upwell employees only have access to what their role requires, with MFA enforced on major internal systems. Customer data is logically isolated by tenant; our architecture is designed to prevent cross-tenant data access.
Yes. Our SOC 2 report is available to qualified prospects and customers under a mutual NDA. Use the button above to request it and our security team will follow up within 2 business days.
Yes. We maintain a current subprocessor list including our cloud infrastructure provider and AI processing vendors. Data processing agreements are in place with our primary subprocessors. You can request our full subprocessor list as part of your security review.
Have questions about security?
We'd love to talk through it.
Whether you're in early evaluation or deep in a security review, our team is happy to walk through architecture and get you what you need.