New York SHIELD Act Compliance Statement

Effective Date: January 1, 2026 | Last Revised: May 11, 2026 | Version 1.0

About this New York SHIELD Act Compliance Statement. This Policy covers the rules, obligations, and rights that apply to the New York SHIELD Act Compliance Statement on the Upmos marketplace. Read the full text below; by using our Services you agree to comply with it.

Statutory Basis

The New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), codified at N.Y. General Business Law § 899-aa and § 899-bb, requires any person or business that owns or licenses computerized data containing the private information of a New York resident to:

  1. Implement and maintain reasonable administrative, technical, and physical safeguards to protect that information; and
  2. Notify affected New York residents (and, in larger breaches, the New York Attorney General, the Department of State, and the State Police) of any breach.

The SHIELD Act applies even to businesses without a physical presence in New York. Civil penalties may reach $250,000 per breach for noncompliance.

Private Information Defined

“Private information” under the SHIELD Act includes a New York resident’s name (or other personal identifier) in combination with any of:

  • Social Security number;
  • Driver’s license number or non-driver ID;
  • Financial account number or credit-card number (with or without security code where access to the account is possible);
  • Biometric information;
  • Email address with corresponding password or security question and answer.

Reasonable Security Program

Upmos maintains a written information-security program with the following elements, consistent with N.Y. Gen. Bus. Law § 899-bb(2):

Administrative Safeguards

  • Designation of a Chief Information Security Officer (“CISO”) accountable for the program;
  • Annual risk assessment covering threats and vulnerabilities;
  • Documented data-retention and disposal practices;
  • Workforce training in information-security responsibilities;
  • Service-provider due diligence and contractual security commitments.

Technical Safeguards

  • Assessment of risks in network and software design;
  • Assessment of risks in information processing, transmission, and storage;
  • Encryption of data at rest and in transit;
  • Multi-factor authentication for administrative access;
  • Monitoring, logging, and intrusion-detection systems;
  • Regular vulnerability scanning and penetration testing.

Physical Safeguards

  • Cloud-hosted infrastructure with provider-attested physical-security controls (SOC 2 Type II);
  • Office access controls and visitor management;
  • Secure disposal of physical media and hardware retired from service.

Breach Notification Procedures

In the event of a breach affecting any New York resident’s private information, Upmos will:

  1. Notify each affected resident in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or with any measures necessary to determine the scope of the breach and restore the integrity of the system;
  2. If the breach affects more than 500 New York residents, notify the Attorney General, the Department of State, and the State Police using the form required by Gen. Bus. Law § 899-aa;
  3. If the breach affects more than 5,000 New York residents, also notify consumer reporting agencies as enumerated in 15 U.S.C. § 1681a.

Notification Content

Notice to affected residents will contain the contact information of the person or business making the notification, a description of the categories of information involved in the breach, contact information for the major consumer reporting agencies, advice on protective steps (including a recommendation to obtain a free credit report and consider placing a fraud alert), and, where applicable, the date of the breach and the date of discovery.

Encryption Safe Harbor

Notice is generally not required if the breached private information was encrypted and the encryption key was not also accessed or acquired, consistent with Gen. Bus. Law § 899-aa(1)(b). Upmos encrypts all stored private information using AES-256 (or equivalent or stronger algorithms) with keys managed in a dedicated key-management service.

Service-Provider Obligations

Service providers that process New York residents’ private information on Upmos’s behalf are contractually obligated to:

  • Implement and maintain reasonable security commensurate with the data they process;
  • Promptly (within 72 hours) notify Upmos of any actual or suspected breach;
  • Cooperate with Upmos in any breach investigation, notification, or remediation.

Reporting Suspected Breaches

To report a suspected breach involving Upmos systems or data, contact our CISO at security@upmos.com or via our responsible-disclosure program described in the Acceptable Use Policy’s Bug Bounty section.

Contact

Upmos Inc.
9896 Bissonnet St
Houston, TX 77036
United States

Email: security@upmos.com · privacy@upmos.com

NY Attorney General Consumer Hotline: 1-800-771-7755

How Can You Contact Us About This Policy?

If you have any further questions or comments or wish to report any problematic Content or Contribution, you may contact us by:

Department Directory

| Department | Email | Purpose |
|---|---|---|
| General Support | support@upmos.com | Account help, general inquiries |
| Legal | legal@upmos.com | Legal questions, appeals, terms inquiries |
| DMCA / Copyright | dmca@upmos.com | Copyright infringement notices & counter-notices |
| Privacy | privacy@upmos.com | Data requests, CCPA/GDPR inquiries |
| Fraud | fraud@upmos.com | Report fraudulent activity (24/7) |
| Security | security@upmos.com | Vulnerability reports, bug bounty |
| Disputes | disputes@upmos.com | Transaction & seller disputes |
| Refunds | refunds@upmos.com | Refund requests & status |
| Accessibility | accessibility@upmos.com | Accessibility issues & feedback |

Applicable Law

This notice is issued pursuant to the New York Stop Hacks and Improve Electronic Data Security Act (NY SHIELD Act), N.Y. Gen. Bus. Law § 899-aa et seq. For general dispute resolution, binding arbitration, governing law, and jurisdiction provisions applicable to all Upmos policies, please refer to our Terms of Use.

Version History

Material revisions to this Policy are tracked below. Minor typographical fixes are not separately enumerated.

| Version | Date | Changes |
|---|---|---|
| v1.1 | May 12, 2026 | Restored chip navigation and the “In Plain English” non-binding summary box; rebuilt the jump-bar into three categorized columns (Overview / Coverage & Rules / Resolution & Help) and removed its sticky positioning; readability hardening for both light and dark mode so that strong/emphasis text, table cells, and contact-section labels remain legible regardless of the active theme. |
| v1.0 | May 11, 2026 | Initial publication under the Upmos Gold Standard policy format with full accessibility chrome, JSON-LD schema, dark mode, reading progress bar, two-column TOC, jump-bar, and Department Directory contact table. |