Security and privacy

Please see our Terms of Service, Data Processing Agreement and Privacy Policy for additional information. If you have any questions, please do not hesitate to contact us.

Hosting security

YData, Lda is not a cloud service provider; instead, we use providers that host on their own data centers, such as Google, Microsoft and Amazon Web Services. They are leading cloud infrastructure providers with top-class safety standards. They are able to respond quickly to both operational and security issues, and have well-defined change management policies and procedures to determine when and how change occurs.

Google is compliant with the following standards:

  • CSA
  • ISO 27001
  • ISO 27017
  • ISO 27018
  • SOC 1
  • SOC 2
  • SOC 3

Amazon is compliant with the following standards:

  • CSA
  • ISO 9001
  • ISO 27001
  • ISO 27017
  • ISO 27018
  • SOC 1
  • SOC 2
  • SOC 3

Azure is compliant with the following standards:

  • CSA
  • ISO 9001
  • ISO 27001
  • ISO 27017
  • ISO 27018
  • ISO 27701
  • ISO 22301
  • ISO 20000-1
  • WCAG
  • SOC

Both physical access perimeters and entry points are strictly controlled by professional security personnel. Authorized personnel must pass a minimum of two-step verification to gain access to the authorized center floors.

Corporate security

We have applied internal security policies that are in line with the industry standard ISO 27001. We regularly train our employees in safety and privacy awareness, covering both technical and non-technical roles. Training materials are developed for individual roles so that employees can fulfill their responsibilities appropriately.

  • Two-step verification for key services
  • Encrypted hard drives of our devices
  • Password requirements

Verification and Access Management

Users can log in via Security Assertion Markup Language (SAML), Google Sign In or OpenID services. Our sign-up forms collect details that allow the user to be easily identified, such as name, email ID, and more.

All requests to the YData API must be approved. Data writing requests require at least reporting access as well as an API key. Data reading requests require full user access as well as application keys. These keys act as bearer tokens that allow access to the YData service functionality. We also use Auth0 for user identification. Auth0 can never save a password because the password is encrypted when the user logs in and is then compared with Auth0's encrypted password to check that the user entered the correct one.

The user can change and save their password as they wish, and can use all types of characters to strengthen it.

Protection of Customer Data

User-uploaded information or data is considered confidential by us and is stored in encrypted form from the public network. Data for a limited time without user request, not allowed to come out.

All data sent by users is protected in transit using Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS). The application is usable if encrypted communication is compromised.

User-uploaded data is not transferred from one data center to another. Encryption is used in many places to protect customer information, such as: AES-256 encryption at rest, PGP encryption for system backups, KMS-based protection for privacy protection, and GPG encryption.

Users can use the data stored for business or administrative purposes, but they have to go through many security levels, including multi-factor authentication (MFA).

Certification, Attestation and Framework

Our frontend framework, React (originally maintained by Facebook), combined with the use of unique user tokens, protects your users against common threats such as cross-site scripting (CSS / XSS) and cross-site request forgery (CSRF / XSRF). This makes it impossible for the user to access data from another user's account.

Laws and Regulations

The cloud service providers used by YData, Lda are compatible with the General Data Protection Regulation (GDPR). GDPR is working to expand its products, methods and processes to fulfill its responsibilities as a data processor.

YData's security and privacy teams have established a vendor management program that determines the need for YData to be approved when it involves third parties or external vendors. Our security team recognizes that the company’s information resources and vendor reliance are critical to our continued activities and service delivery. These spaces are designed to evaluate technical, physical and administrative controls and ensure that it meets the expectations of it and its customers.

It is a monitoring service for infrastructure and applications. Our CCPA compliance process may provide additions so that our customers can fulfill their obligations under the CCPA if there is access to personal data, while we make no plans to transfer, process, use or store personal information.

Data Encryption

Your communication with us and with our servers is SSL/TLS encrypted. We protect our servers from DDoS, SQL injection and other fraudulent activities. Anyone who intercepts the data transfer can only see a jumble of characters, which is almost impossible to decrypt. All data in our database is encrypted with industry standard AES-256.

Availability and disaster recovery

The data stored in buckets and databases is distributed and copied to different servers. If a bucket or database fails, it is usually recovered from a different server without affecting other users.

Databases are backed up on a daily basis and can be restored if the software or server fails significantly. Backups are stored in various European data centers for extra protection.

It is not possible for us to recover individual customer information - if you delete something in your account, it will be permanently deleted and we will not be able to recover it.

Monitoring

The functionality of our applications and databases is monitored 24/7 through built-in monitoring tools provided by Google, Azure and Amazon Web Services. Internal errors or failures of our various integrations trigger logging and notifications. This usually helps us to identify the problem very quickly and remedy the situation.

Full disclosure policy

If something serious happens and your data is damaged (such as a data breach), we will disclose it in full, as required by GDPR. Transparency is important to us and we will provide you with all the necessary information to properly assess the situation and potential impact. So far no customer data has been compromised and we aim to keep it that way.

Please let us know if you find any bugs related to our security; we will try to resolve the issue. Please do not disclose it until the problem is solved.