YionStack
Security

How we protect your business data.

A plain-English overview of YionStack security — for procurement teams who do not want to read a legal annex. The contractual version of all of this is in our Data Processing Agreement; the responsible-disclosure pointer is at /legal/vulnerability-disclosure.

Last updated: 10 June 2026

Business isolation

Each customer is a separate business. Business boundaries are enforced at the data layer, not retrofitted in app code.

  • Row-level security (RLS) on every business object — checked at every read and write
  • Application connects with a non-superuser database role that cannot bypass RLS
  • Audit trail records every action with actor + business context for forensic review

Encryption

Standard, current cryptography in transit and at rest — and at every layer where data is held.

  • TLS 1.2+ for every connection to the product or API
  • Provider-managed AES-256 at rest for application data and backups
  • Secrets stored in a managed secret manager — never in code or environment files committed to git

Authentication & access

Passwordless by default, hardware-key MFA for production access, and least privilege everywhere.

  • Magic-link sign-in with passkey (WebAuthn) upgrade prompts
  • Configurable MFA for accounts that need it (TOTP / WebAuthn)
  • Production access for personnel via SSO + hardware-key MFA
  • Periodic access reviews documented in our assurance kernel

Hosting & resilience

UK / EEA-region primary infrastructure with documented backup and recovery.

  • Primary hosting in the UK on Google Cloud
  • Daily encrypted backups with documented restore procedure, tested on a defined cadence
  • Defined recovery objectives (RTO / RPO) communicated to enterprise customers
  • Edge protection via Cloudflare (WAF, DDoS mitigation, bot management)

Vulnerability management

A standing process — not a one-off audit — for finding and fixing security issues before they bite.

  • Automated dependency scanning on every build
  • Static analysis (SAST) and lint rules on every pull request
  • Penetration testing on a documented cadence
  • Public vulnerability disclosure policy (see /legal/vulnerability-disclosure)

Incident response

A defined runbook from detection through customer notification through retrospective.

  • On-call rota covering authentication, billing, and AI surfaces
  • 72-hour breach notification commitment to controllers under our DPA
  • Public retrospectives within 48 hours of incident resolution on /status

Personnel

The humans behind the product, screened and trained for the access they hold.

  • Confidentiality undertakings for every employee, contractor and director
  • Background checks for production-access roles, appropriate to UK employment law
  • Annual UK GDPR / DPA 2018 training, with completion tracked
  • Joiner / mover / leaver (JML) workflow with documented attestations

Sub-processors

Carefully chosen, contractually bound, and listed in full. No surprise data flows.

  • Each sub-processor under a written data-protection agreement
  • UK IDTA + EU SCCs (with UK Addendum) where data leaves the UK / EEA
  • Public list with regions and transfer safeguards in DPA Annex 3
  • 30 days' notice before adding or replacing a sub-processor

What we do not yet have — and won't pretend to

We do not currently hold an SOC 2 or ISO/IEC 27001 certification, and we do not claim them. The control set we operate is mapped to those frameworks — we will pursue formal attestation when our customer base requires it. In the meantime, we will provide our control narratives and evidence to any customer on reasonable request.

If your procurement process requires a third-party attestation that we do not yet hold, tell us — we will be honest about the timeline.