Last Updated: September 29, 2022
Introduction
Our customers depend on Yembo to provide visual inspections at unprecedented speed using cutting-edge artificial intelligence. In today's sophisticated security landscape, Yembo has implemented ISO 27001 security controls and industry-leading security practices to keep our customers' business data safe. This section provides an overview of Yembo's data security practices, both internally and across its various environments.
Compliance
Yembo's products are designed to serve an ever-increasing number of use cases. As some of those use cases may involve regulated forms of data, please note that customers are ultimately responsible for complying with the laws governing the data they submit to Yembo through Yembo products, including those regarding the privacy and protection of personal, sensitive, and/or financial data. Yembo provides certain types of assistance to help customers meet their compliance goals. Yembo maintains a suite of rigorous security policies, surpassing the practices of many of its peers. The specifics of Yembo's security practices are described below.
Chief Compliance Officer and Data Protection Officer
As required by the GDPR, Yembo has appointed a Data Protection Officer, Zach Rattner, who can be reached via email at email@example.com. Yembo's Chief Compliance Officer is Siddharth Mohan, who can be reached via email at firstname.lastname@example.org.
Physical Security
Yembo personnel are trained on the policies and security steps that must be followed for office equipment such as laptops, printers, mobile devices, and removable media, and for visible office spaces such as desks and screens.
Access Restrictions
Yembo restricts access to confidential information (including customer information), networks, and other resources based on job function and need. Any request for access privileges requires approval from the business owner responsible for the data, and all requests and approvals are documented.
Access to Customer Data within Yembo Software
Yembo provides role-based access control, which allows customers to restrict access to customer data to authorized personnel only. The following roles are provided:
- Employee: An Employee account has permission to view and edit surveys, and can see customer information for all moves assigned to companies the Employee belongs to. Employee accounts are best suited for salespeople who review surveys and provide pricing information to end consumers.
- Consultant: Consultants are afforded the same permissions as Employees, but only for surveys they have been assigned to. If a Consultant is not personally assigned to a survey, they cannot see or interact with it in any way.
- Admin: An Admin account has all of the permissions of the Employee role, plus the ability to set company-wide settings and to create and edit accounts for their company. This account type should be limited to the small number of people who set up and control accounts for other staff at the company.
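The role rules above can be written as a small deny-by-default authorization check. The following is an added example and not Yembo's code: the User and Survey structures, the company-membership field, and the sample accounts and surveys are assumptions constructed for illustration, since the page does not describe Yembo's data model. The point it shows beyond the list above is that a Consultant needs both company membership and a personal assignment, that unknown roles are denied rather than falling through, and that list views and direct access share one predicate.

```python
# Added example, not Yembo's code: a deny-by-default authorization check for the
# three roles described above. The User/Survey structures and all sample data are
# assumptions constructed for illustration; the page does not describe Yembo's model.
from dataclasses import dataclass

ROLES = {"employee", "consultant", "admin"}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    companies: frozenset  # companies the account belongs to


@dataclass(frozen=True)
class Survey:
    survey_id: str
    company: str                          # company the survey belongs to
    assigned_to: frozenset = frozenset()  # user_ids of assigned Consultants


def can_view_survey(user: User, survey: Survey) -> bool:
    """Return True only when one of the role rules explicitly grants access."""
    if user.role not in ROLES:
        return False  # unknown role: deny rather than fall through
    if survey.company not in user.companies:
        return False  # no role may cross a company boundary
    if user.role == "consultant":
        # Company membership alone is not enough for a Consultant: the survey
        # must be assigned to them personally.
        return user.user_id in survey.assigned_to
    return True  # Employee and Admin: every survey of their own companies


def can_edit_survey(user: User, survey: Survey) -> bool:
    # Viewing and editing are granted together for all three roles.
    return can_view_survey(user, survey)


def can_manage_company(user: User, company: str) -> bool:
    """Company-wide settings and account administration: Admin only, and only
    for a company the Admin belongs to."""
    return user.role == "admin" and company in user.companies


def visible_surveys(user: User, surveys) -> list:
    """Filter a listing with the same predicate as the per-object check, so the
    list view and direct access by survey_id can never disagree."""
    return [s.survey_id for s in surveys if can_view_survey(user, s)]


# Constructed sample data.
ACME_EMPLOYEE = User("u-emp", "employee", frozenset({"acme"}))
ACME_CONSULTANT = User("u-con", "consultant", frozenset({"acme"}))
ACME_ADMIN = User("u-adm", "admin", frozenset({"acme"}))
GLOBEX_EMPLOYEE = User("u-glx", "employee", frozenset({"globex"}))
SURVEYS = [
    Survey("s1", "acme", frozenset({"u-con"})),  # assigned to the Consultant
    Survey("s2", "acme"),                        # unassigned
    Survey("s3", "globex"),                      # another company's survey
]

if __name__ == "__main__":
    for u in (ACME_EMPLOYEE, ACME_CONSULTANT, ACME_ADMIN, GLOBEX_EMPLOYEE):
        print(f"{u.user_id:6} {u.role:10} sees {visible_surveys(u, SURVEYS)}")
```

Running the block lists s1 and s2 for the Acme Employee and Admin, only s1 for the Consultant, and only s3 for the Globex Employee. Keeping `visible_surveys` on top of `can_view_survey` rather than on a separate query is what prevents the classic listing/detail mismatch where an object is hidden from the list but still reachable by its id.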
Systems Access
For corporate access (i.e., general access to Yembo's internal corporate systems), requests for new or modified network access are submitted and logged. Yembo uses identity management software with two-factor authentication to confirm the identity of authorized users. Access to in-scope applications is reviewed quarterly.
Any additional access privileges (including administrator privileges) are tailored to job function and need, and require approval from Yembo management. Access is reviewed monthly by each designated administrator, and Yembo regularly verifies the completeness and accuracy of those reviews. Access to Yembo's source code repositories and to cloud services such as Amazon Web Services ("AWS") is restricted to authorized personnel and requires two-factor authentication.
Intrusion Detection
Yembo employs cloud-based vulnerability scanning that checks for server misconfigurations, missing patches, weak encryption settings, and application flaws such as SQL injection and cross-site scripting. Customers may request a third-party report of Yembo's compliance with its intrusion detection practices at email@example.com.
Built-In Encryption
Yembo's cloud environments enforce encryption both in transit and at rest. Neither form of encryption can be disabled.
Data Encryption In-Transit
Yembo uses industry-standard TLS (commonly still referred to as SSL) to encrypt data in transit. All TLS configurations are routinely monitored by a third-party service to ensure they follow current best practices. Every user session is secured in this manner, with no exceptions. Customers may request a third-party report of Yembo's TLS configuration via email at firstname.lastname@example.org.
Data Encryption at Rest
Yembo stores data in MongoDB Atlas and AWS S3. Data is encrypted at rest in both services using 256-bit AES (AES-256). Encryption at rest applies to all deployments, for both textual data and multimedia uploads.
Data Backups
All data submitted to Yembo is backed up for resiliency against natural disasters and hardware failures. Databases are snapshotted automatically and backed up on AWS via MongoDB's Atlas product. Multimedia uploads are stored in S3 and replicated to a second S3 bucket in a different geographic region. Access to data on AWS is controlled by AWS Identity and Access Management (IAM) roles and permissions. For more information, see Yembo's Data Storage Policy.
Secure Disposal
For more information on Yembo's policies for secure disposal, see Yembo's Data Storage Policy.
Vendors
Yembo retains suppliers, subprocessors, and other vendors ("Vendors") who may from time to time perform services for Yembo, or for customers on Yembo's behalf. Yembo only retains Vendors that meet Yembo's stringent security criteria, so as to ensure that they provide at least the same level of protection to customer data as Yembo does.
Additionally, Yembo maintains internal environments, separate from production, that contain no customer data. Vendors are given access only to these internal environments unless their job function explicitly requires access to customer data. Periodically, Yembo may ask a Vendor to re-evaluate its security posture to help ensure compliance with evolving privacy and security policies and procedures. A list of Yembo's subprocessors is available to anyone who wishes to review it.
Reporting a vulnerability
If you believe you have found a security vulnerability in any Yembo property, please report it to email@example.com. We consider giving a reward for a reported vulnerability if, on review, our technology team agrees that the information provided has genuinely helped improve Yembo's security. Please include the following information when reporting a vulnerability:
- Description of the vulnerability
- Category - DoS, XSS, CSRF, Information Leak, SQL Injection, Authentication Bypass, Remote Code Execution, etc.
- Steps to reproduce the vulnerability
- Browser/OS/platform, if relevant
- How you found the bug - using a free or commercial scanner, a homemade tool, manual testing, etc.
- Whether you believe the vulnerability is being actively exploited