Technical FAQs

These FAQs are provided for general information only and do not form part of Upshot Terms & Conditions. Upshot Systems CIC accepts no liability whatsoever for your reliance on anything contained within the FAQs.

  1. What database technology/software does the application use?

Upshot is built upon the Django framework with an Nginx webserver front-end and a PostgreSQL database back-end.

  1. What programming language is the application developed in?

Upshot is a custom-built application made using the Django framework (www.djangoproject.com), an open source framework described as “The Web framework for perfectionists with deadlines”. Django is based upon the programming language Python (www.python.org).

  1. How is Upshot hosted?

Upshot is a hosted/cloud application. This is because we want to reduce the need for organisations to invest in infrastructure to support it. It also means that we can make Upshot accessible anywhere, for anyone.

The application is currently hosted on a dedicated server by Hosting UK, an iomart subsidiary, in their Maidenhead data centre.

Costs are covered as part of the overall cost of the application. There are no additional hosting costs, unless an organisation wishes to host the application themselves or wants us to host it on a VM dedicated to them.

  1. What is the hosting SLA agreement?

Upshot is hosted by Hosting UK, whose hosting agreement is available at https://hostinguk.net/services-sla.

  1. Is the platform hosted on virtual or physical servers? How many servers is the application hosted on?

As detailed above, the application is currently hosted on a dedicated physical server with Hosting UK. We are able to easily scale up the provisioning as and when required. Costs for hosting with this infrastructure are included in the costs for the application.

  1. Are the Data Centres accredited to PCI DSS, ISO27001, and SAS70 standards?

Yes. Hosting UK is part of the Iomart Group and all ISO certs are held with the auditor at:

https://www.alcumus.com/en-gb/certification/customer-area/certificate-checker/

Certificate ID: 7235

Our technical partner Torchbox are ISO27001 certified. You can find a link to their Statement of Applicability here.

  1. What physical security measures are in place at the Data Centre?

The Data Centre is ISO 27001 certified. The data centre is protected by a range of measures, including:

  • 24-hour Manned Security, Biometric Access & Intruder Alarms
  • Very early smoke detection apparatus (VESDA) installed
  • Smoke detection system
  • FM200 fire suppression system
  • CCTV system covering all entrances/exits and main areas
  • 24-hour video recording
  • Full perimeter alarm
  • PAC security card access system
  • Visual verification of all persons entering the data floor

For full details see the Hosting UK Maidenhead Data Centre page here.

  1. What is Upshot’s Information Commissioner’s Office (ICO) registration number?

ZB005836

  1. What cyber security measures are in place at Upshot?

Upshot is Cyber Essentials Plus certified. The core team is UK Disclosure and Barring Service (DBS) checked and the full team has undergone Cyber Security training. 

We also have a number of data policies that govern the way we manage our own and our clients’ data. We are happy to share these on request.

  1. Is all communication in transit encrypted?

All communication with the application is encrypted over HTTPS and implements HSTS so that unencrypted requests (HTTP) are not possible. DevOps management of the application and data transfer is over SSH. The application’s SSL configuration has an A+ rating from SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=app.upshot.org.uk.
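A reviewer checking the HSTS statement above can inspect the `Strict-Transport-Security` header the site returns. The following is an added example, not Upshot's own code: it parses a header value according to RFC 6797 and grades the policy. The one-year threshold and the sample header values are assumptions constructed for illustration.

```python
import re

MIN_MAX_AGE = 31536000  # assumed reviewer threshold: one year, in seconds

# Constructed sample header values, not captured from any real site.
SAMPLES = {
    "strong": "max-age=63072000; includeSubDomains; preload",
    "short": "max-age=300",
    "disabled": "max-age=0; includeSubDomains",
    "missing": "includeSubDomains",
    "quoted": 'Max-Age="31536000" ; INCLUDESUBDOMAINS',
    "duplicate": "max-age=31536000; max-age=0",
}


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns a dict, or None when the header is invalid and a browser
    would ignore it.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        if name in directives:             # a repeated directive invalidates the header
            return None
        directives[name] = arg.strip().strip('"')  # value may be a quoted-string
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None                        # max-age is required and must be digits
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def assess(value):
    """Classify a header value as 'invalid', 'disabled', 'weak' or 'ok'."""
    policy = parse_hsts(value)
    if policy is None:
        return "invalid"
    if policy["max_age"] == 0:             # max-age=0 tells the browser to forget the policy
        return "disabled"
    return "ok" if policy["max_age"] >= MIN_MAX_AGE else "weak"
```

Pass `assess()` the header value taken from a response received over HTTPS; browsers ignore this header when it arrives over plain HTTP.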

  1. What are the backup and restore (both data and application) procedures?

User-generated content (the database, files uploaded to the media library, and branding) is backed up daily to a backup area of the server; the database is backed up a number of times each day. Every night, the full server filesystem is synchronised to a separate backup server at the hosting provider, Hosting UK. Hosting UK also have 7 daily and 4 weekly full system off-host backups in their data centre.

This allows for restoration of individual user-generated files, rollback of the whole database to an earlier snapshot, or the complete restoration of the application on a different server, with an equivalent setup, in the event of a server failure. The application code is stored in a version control system on a separate hosted service.

  1. Does the system have any scheduled downtime and are users notified of this in advance when possible?

We may, on occasion, need to schedule brief periods of maintenance when we consider this to be essential to the ongoing reliability and development of our application. When this occurs, we will make reasonable efforts to ensure that we do so during quiet periods and the duration of the downtime is kept to a minimum.

Upshot also has a dedicated status page that users can subscribe to in order to be notified of any downtime or planned maintenance.

  1. What are the hardware and software specifications for the client PCs that will access the application?

As Upshot is a web-based application, an installation is not needed. Upshot is fully functional via a range of browsers. We recommend that any modern, standards-compliant browser is used, such as the latest versions of Chrome, Edge, Firefox or Safari. We do not provide active support for any versions of Internet Explorer as Microsoft retired this browser on June 15th 2022. Browser support is reviewed every six months based on usage and security.

  1. Are there any recommended PC requirements for using Upshot or for running reports and exporting data?

Upshot allows the user to export data into Microsoft Excel and Microsoft Word or compatible applications. Other than these two applications and any modern, standards-compliant browser there are no other PC requirements to get full usage out of Upshot as an application. 

  1. Is the application available for a mobile/tablet platform?

Yes. Firstly, there is a mobile-optimised version of Upshot that is available through a web browser for use across mobile platforms. 

In addition, there is the Upshot Mobile App.

The Upshot Mobile App is a progressive web app (PWA) primarily designed to help users enter and review data in a faster and easier way. The app gives users the ability to:

    • Manage and submit registers
    • Add new attendees or review the information on attendees such as medical conditions, emergency contact and consent to media
    • View and complete survey responses

The Upshot Mobile App can be used both online and offline. More around offline usage here.

The use of the app mentioned above comes as part of the Upshot licence and is provided directly by the application, not through an additional third party.

  1. What testing has been carried out? 

• Usability testing

We have undertaken usability testing with several end-users and testing feedback has been incorporated into the application. Every new feature is tested in the same way and our ethos and programme of continuous improvement mean that usability testing is integral to our development of the system.

• Unit testing

Upshot is accompanied by a suite of unit tests covering the code of the application, both to test new functionality and to perform regression testing of existing functionality. Although primarily for testing the robustness of the application, it is also an aid in long-term performance testing.

• Penetration testing

Upshot undergoes an annual penetration test to check for security vulnerabilities of the system. The last test was carried out in April 2024 by an external provider and found no critical or high-risk vulnerabilities. A summary of the results and actions can be viewed here.

  1. How will the data held be separated from the data of other organisations or customers?

The Upshot application resides on a dedicated host. The application is multi-tenant, shared between Upshot's client organisations, but it is designed to segregate each organisation's data. User accounts only have access to the single organisation they are associated with. Data sharing between organisations, such as between a 'Facilitating' organisation and a 'Delivery' organisation, must be explicitly enabled by Upshot staff in accordance with the organisational relationships of the clients and the terms and conditions of use pertaining to it.

  1. What measures does Upshot have in place in case of technical or security incidents?

Upshot has a robust incident response plan and mechanisms to report relevant incidents. We also have a full Disaster Recovery and Business Continuity Plan which gets tested at certain intervals internally and with our development agency. These have been tested against a range of scenarios and the plan outlines different people’s positions and responsibilities within the team.

As per our Organisation Terms and Conditions, Upshot Systems shall notify you as soon as reasonably possible after any Security Breach occurs and in any event no later than 36 hours after becoming aware of the Security Breach, and shall include in that notification a description of:

  • the nature of the Security Breach including details of the nature of the Protected Data affected, and the data subjects affected;
  • the likely consequences of the Security Breach;
  • the measures taken or proposed to be taken by Upshot Systems to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.

  1. What is the development process for the Upshot system, and all new features?

Upshot has an outsourced development agency – Torchbox – who design, build, enhance and maintain Upshot. The core team is made up of senior developers, a Delivery Manager and a Product Director. As needed we also pull in designers, accessibility experts and system administrators.

Torchbox have an Information Security Management System (ISMS) as part of the ISO 27001 accreditation, which includes the NCSC’s secure software development guidelines among other policies and guidelines. Torchbox utilise a culture of secure development including secure development training, full code review and clear well-understood libraries. Upshot has purpose-built platforms for the development, testing environment and User Acceptance Testing as part of new features. Torchbox adhere to OWASP Top 10, globally recognised by developers as best practice for secure coding.

The development cycle uses continuous integration and automated tests extensively. The deployment process is limited to a small number of authorised users using consistent deployment processes.

  1. Are organisations entitled to all system upgrades released?

Yes, every improvement and development made to Upshot is available to all clients upon release. Upshot is a global system and there are no restricted add-ons or functionality upgrades. We provide regular updates to all users informing them of any recent developments to the system.

  1. Are all standard updates covered under the licence agreement?

Yes. NB ‘Standard updates’ refers to any changes or developments to the system to maintain or improve system functionality or performance. The licence fee covers any standard updates.

  1. How long does it take to carry out upgrades and is there any downtime?

Upshot is a web-based application and system upgrades are in effect immediately once deployed to the live system. Generally, there is no user downtime when the system is updated. On the very rare occasions that there is downtime, user organisations are notified in advance and we will always endeavour to ensure that this occurs during off-peak times.

  1. What management and support service is provided?

Upshot provides telephone and email support to all users:

Phone support: +44 (0)20 3111 1455

Email support: support@upshot.org.uk

All support issues have an escalation process and, if required, can be passed to our developers at Torchbox.

Queries will be logged and a resolution provided either by email or telephone. We can also provide desktop sharing support via Microsoft Teams, Zoom or similar, which allows the support technician to view the problem first-hand and interact with the user’s system.

Training: We offer bespoke and organisation-specific Upshot training delivered at a cost. Please get in touch with us to enquire about running a training session for your team.

We also deliver free training webinars available to all users. Please click here for more info and to book your slot.

Guides: We have a detailed guide library and knowledge base accessible to all users of the system.

  1. What are the standard hours of support? 

Support services are provided during business hours, Monday to Friday, 9am – 5pm UK time.

  1. What assistance will Upshot provide organisations at the end of contract to download and store data?

Customer organisations own all service-related data and are entitled to retrieve this data. We will provide 30 days from the end of the contract for the organisation to extract the data via the various download functions built into the system. The Upshot Support Team will be on hand to assist with this if needed. We can also provide a series of JSON files, although this will incur a cost to the customer organisation.

  1. What is the Intellectual Property Rights ownership model? 

• All intellectual property rights for the bespoke code used in Upshot belong to Upshot Systems CIC.

• Copyright of Torchbox code remains with Torchbox.

• Torchbox have granted an irrevocable, non-exclusive, worldwide and perpetual licence to use this code.

• Copyright in third party code remains the property of the licensors of that code.

• Customer organisations own all service-related data and are entitled to retrieve this data. 

  1. Does Upshot have Two-Factor Authentication (2FA)?

Yes, two-factor authentication can be activated by an individual user for use when logging into their Upshot account. For more details about this process please click here.

  1. Does Upshot have any existing APIs / Integrations?

Upshot has a number of internal APIs, and we are currently looking into integrating with other systems.

There is an API endpoint that supplies a Session (instance and attendance) data feed that can be pushed into other tools. The OpenActive Integration enables Upshot users to publish their session information on various activity finders.

Upshot also has an integration with a booking system in Eventbrite, which allows users to import session and register data of those individuals that have booked onto an organisation’s session via Eventbrite into Upshot.

More about these existing tools can be found here.
