Start Free Trial
Security & Privacy

How Upwex handles your Upwork session.

Plain-language summary of how the Chrome extension and dashboard interact with Upwork, where your data sits, and what we do not do.

Browser-side automation, your own session

Upwex runs as a Chrome extension over your existing Upwork login on your machine. We do not ask for your Upwork email or password. We do not run headless browsers in the cloud, do not scrape Upwork from our servers, and do not maintain a shared session pool. Every action happens inside your tab, with your cookies, paced with human-like timing (300-3000ms between steps).

What we store

  • Your Upwex account: email + bcrypt-hashed password.
  • Your saved cover letter templates and Auto-Bidding rules.
  • Activity logs of your own Upwork bidding (scans, matches, submissions, replies) so the dashboard can show analytics.
  • Job posts and client profiles your extension touched, for the Check Fit / per-template analytics features.
  • Pipedrive integration tokens (if you connect the CRM), stored encrypted at rest.

What we do NOT store

  • Your Upwork password.
  • Your Upwork session cookies.
  • Other people's Upwork data - only what your own browser tab is looking at.

Infrastructure

  • HTTPS everywhere with HSTS preload. TLS via Let's Encrypt, auto-renewed.
  • Hostinger KVM VPS, Ubuntu 24.04 LTS, daily backups with 14-day retention.
  • PostgreSQL listens only on 127.0.0.1, never exposed to the internet.
  • Payments processed by Stripe - we never see or store your card number.
  • Application secrets (DB password, API tokens) sit in mode-600 .env files owned by a dedicated non-shell system user.

Access control

  • Single-sign-in account per team, role-based (Owner / Admin / Member) for agency plans.
  • Admin and database access for the Upwex team is limited to engineers with personal SSH keys; password auth is disabled on production.
  • All changes to production go through GitHub Actions, never manual SCP from a laptop.

Upwork Terms of Service

Upwork's Terms do not explicitly prohibit browser-side automation of your own account. Upwex submits through your existing session, respects daily caps, and never looks like bot traffic. There are no documented Upwex-related account actions to date. That said, Upwex is a third-party tool, Upwork can shift its stance, and the risk is yours to accept.

Vulnerability disclosure

Found a security issue? Please email support@upwex.io with subject prefix [security]. We respond within 48 hours.