The protection of your data is our highest priority.

As users of our own product, we understand how important the security and privacy of your data are. Ensuring our platform remains secure is vital to maintaining the trust of our customers and essential to building a sustainable business.

Information Security Certification

Yabbu has been certified for ISO 27001, the international standard on Information Security. It is an independent, unbiased and frequent measurement of the actual information security state and it shows that an organization complies with business, legal, contractual and regulatory requirements.

You can download the ISO 27001 certificate here. A copy of the Statement of Applicability is available upon request.

In the event of a security breach, Yabbu will promptly notify you of any unauthorized access to your data, according to the ISO 27001 requirements. Yabbu has incident management policies and procedures in place to handle such an event.

GDPR & Data Privacy

We make it our priority to be transparent in how we collect, use, and handle your information when you use our website and software. Please see our full Privacy Policy for more details about rights and obligations under the General Data Protection Regulation (GDPR), which took effect on May 25, 2018. We have also applied the ‘Privacy by Design’ and ‘Privacy by Default’ principles in our product and processes from the beginning, as required by GDPR.

Application security

All access to Yabbu is protected by Secure Sockets Layer (SSL), providing both server authentication and 256-bit AES data encryption. This ensures that your data is safe, secure and available only to registered users.

Yabbu’s application security ensures that only those added into a team can access its contents. Access controls are baked into the Yabbu data model and user permissions are verified on every request by the core Yabbu application framework.

Vulnerability Detection and Penetration Tests

The Yabbu application is constantly and rigorously tested against common website vulnerabilities such as cross-site scripting (XSS), cross-site request forgery (XSRF), and SQL injection.

Scans of Yabbu’s production site and app (web and mobile) are performed on a regular basis.
All changes are peer-reviewed, and vulnerability and security lists are actively monitored for CVEs (Common Vulnerabilities and Exposures); appropriate action is taken as soon as a vulnerability is discovered. A penetration test is commissioned bi-annually, with all findings mitigated as appropriate.

Data hosting and backup policy

Yabbu production services are hosted on Amazon Web Services’ (“AWS”) EC2 platform. The physical servers are located in AWS’s secure data center in Ireland, and all data thus falls under the EU-US Privacy Shield. From Amazon’s documentation:

AWS has achieved ISO 27001 certification and has been validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). We undergo annual SOC 1 audits and have been successfully evaluated at the Moderate level for Federal government systems as well as DIACAP Level 2 for DoD systems.

To minimize service interruptions due to hardware failure, natural disasters, or other catastrophes, Yabbu implements a Disaster Recovery program.  All of Yabbu’s servers are backed up nightly and backups are retained for one week. In addition, all data is mirrored almost immediately to standby servers in a second data centre. The secondary data centre is always in the same country as your primary data centre, so you can be confident your data is still protected under local laws.  In the event of the most serious of catastrophes, resulting in the complete loss of our primary data centre, your workspaces will be available within a matter of minutes via our Disaster Recovery site. Data is replicated to this site in near real-time, so business can continue as usual.

Data transfer and deletion on termination

Production customer data is never replicated outside of the production cloud environments and is never stored on employee workstations or removable media. On termination of a Yabbu contract, and at the request of the customer, the data belonging to the company/team will be completely removed from the live production database, following strict security procedures, and all file attachments uploaded directly to Yabbu will be removed within 30 days.

If you have any questions about our security practices or want to know more about how we protect your data, please contact our DPO, Christian Zierleyn at christian@yabbu.com.