This document describes our efforts to ensure high security standards for the services we offer.
All our services are hosted in AWS. Their data centers are at least SOC-2 compliant and providing a wide range of industry-specific compliance certifications. These certifications address a range of security controls including physical and environmental security and protection. Access to the data centres is limited to authorized personnel, and verified by biometric identity verification measures. Physical security measures include on-premises security guards, closed circuit video monitoring, man traps, and additional intrusion protection measures.
On a physical level, the infrastructure is separated into a public network for static files and the load balancer and a private network for the servers and the database. This limits the attack vectors to our infrastructure.
Data transfered from and to our services are encrypted with TLS 1.2. The implementation of TLS enforces the use of strong ciphers and key-lengths where supported by the browser.
All customer data that are stored in our environment are encrypted on data drive level.
Additionally there are data we consider sensitive (e.g. access tokens) not even our support staff should have access to. These data are additionally encrypted within the database with AES-256.
Amazon RDS snapshots are retained for 30 days with support for point-in time recovery and are encrypted using AES-256 encryption. Backup data is not stored offsite but is replicated to multiple data centers within a particular AWS region. We also perform quarterly testing of our backups.
yasoon uses the AWS Key Management Service (KMS) for key management. The encryption, decryption, and key management process is inspected and verified internally by AWS on a regular basis as part of their existing internal validation processes.
We use Azure DevOps CI for deployments and releases.
All code changes have been reviewed and approved by 4-eyes principle.
Access to customer data
All access is restricted to privileged groups of yasoon employees unless requested and reviewed, with additional authentication requiring 2FA. All accounts are connected and managed by our central AzureAD using SSO.