Yac provides the technical and organizational security measures described below through its cloud infrastructure and data security Subprocessor, Amazon Web Services. Yac reserves the right to upgrade or otherwise modify its security measures and this Information Security policy at any time in its sole discretion; provided, however, that Yac will not materially degrade any security measures during the term of the Agreement.
Location of data
All of our services and data are hosted in Amazon Web Services (AWS) facilities (S3, RDS) in the United States, and Vultr dedicated servers in the United States.
Failover and availability
Our infrastructure and data are spread across multiple server nodes and AWS availability zones and are designed to continue to work should any one of the data centers or facilities fail, per AWS's disaster recovery practices and policies.
Backups and monitoring
We produce audit logs for activity, and for data storage devices we log all activity automatically. We regularly back up our servers using AWS's provided backup services.
Permissions and authorization
Access to customer data is limited only to authorized personnel who require it for their job and on a need-to-know basis. All personnel who access customer data do so pursuant to written agreements with data protection obligations consistent with applicable law. Every service hosted on our servers is served over forced HTTPS only, with HSTS enabled. We have strict SAML Single Sign-On (SSO), 2-factor authentication (2FA), and strong password policies on critical cloud services used by our team, like GitHub, Google, and AWS, to ensure access to cloud services is protected.
Encryption and storage
All data sent to or from Yac is encrypted in transit using 256-bit encryption. Our APIs and application endpoints are TLS/SSL only. We only use strong cipher suites and have features such as HSTS enabled. We also encrypt data at rest using an industry-standard AES-256 encryption algorithm by making use of AWS's RDS encryption.