Trust centre
Everything procurement needs, in one place.
Security, data-protection, sub-processors, the SLA, and the live status of the service we run on your behalf. We publish each one as a standalone document and link them from here so there is one URL to send your procurement, security or legal team.
Six pillars
The documents we will be asked for.
How we protect your data.
Business isolation enforced at the database, encryption everywhere, hardware-key MFA for personnel access, and a documented vulnerability programme.
Read the security overviewUK GDPR · DPA 2018.
A written notice for individuals, a counter-signable DPA for controllers, and a published list of every sub-processor with regions and safeguards.
Privacy noticeData Processing Agreement.
UK GDPR Article 28 covered clause-by-clause, with the IDTA / SCC stack already in place for the small number of US sub-processors we engage.
View the DPAEvery third party, listed.
A versioned, public list of every vendor that touches customer data — region, transfer safeguard, and a 30-day notice promise on changes.
Open the registerSLA & live status.
Contractual uptime per plan, response targets per severity, and service credits if we miss. Live status at status.yionstack.co.uk shows what is happening right now.
Read the SLAVulnerability disclosure.
A no-fault programme for security researchers — acknowledge within two working days, no legal action against good-faith reports, RFC 9116 security.txt published.
Report a vulnerabilityPolicy stack
Every operational document we publish.
Each is versioned and dated. Where the law gives us a choice between publishing and not publishing, we publish.
Plain-English terms with TL;DR per clause.
Detection through 72-hour notification through retrospective.
How we assess high-risk processing under Article 35.
15-row master schedule of how long we keep what.
How to exercise UK GDPR Articles 15–22.
WCAG 2.2 AA target, current conformance state, contact route.
Bribery Act 2010 § 7 procedures and gift policy.
Voluntary section 54 statement, board-approved.
PIDA 1998 channel for confidential disclosures.
Who you are buying from
Yiontech LTD.
We do not yet hold SOC 2 or ISO/IEC 27001.
We won't pretend. The control set we operate is mapped to those frameworks, and we will pursue formal attestation when our customer base requires it. Until then we will share our control narratives and any evidence on reasonable request.