Last Updated: September 29, 2022

 

Introduction

Our customers depend on Yembo to provide visual inspections at unprecedented speed using cutting-edge artificial intelligence. In today's sophisticated security landscape, Yembo has implemented ISO 27001 security controls and industry-leading security practices to keep our customers' business data safe. This section provides an overview of Yembo's data security practices, both internally and across various environments.
 

Compliance

Yembo's products are designed to serve an ever-increasing number of use cases. As some of those use cases may implicate certain regulated forms of data, please note that customers are ultimately responsible for complying with the law governing the data they submit to Yembo through Yembo products, including those regarding the privacy and protection of personal, sensitive, and/or financial data. Yembo provides certain types of assistance in order to help customers meet their compliance goals. Yembo maintains a suite of rigorous security policies, surpassing the practices of many of its peers. The specifics of Yembo's various security practices are described below.
 

For California Residents

California residents have specific provisions as described in Yembo's Privacy Policy.
 

For Canadian Residents

Canadian residents have specific provisions as described in Yembo's Privacy Policy.
 

For United Kingdom and European Union Residents

United Kingdom and European Union residents have specific provisions as described in Yembo's Privacy Policy.
 

Chief Compliance Officer and Data Protection Officer 

As required by the GDPR, Yembo has appointed a Data Protection Officer, Zach Rattner, who can be reached via email at dpo@yembo.ai. Yembo’s Chief Compliance Officer is Siddharth Mohan, who can be reached via email at cco@yembo.ai. 
 

GDPR Data Subject Rights  

Under Chapter 3 of the GDPR, data subjects have various rights related to their personal data, including the right to access, correct, restrict or delete the personal data about them that is being processed. Yembo's policy regarding GDPR Data Subject Rights is covered in our Privacy Policy.
 

Physical Security   

Yembo personnel are trained on policies and proper security steps that must be taken with office equipment such as laptops, printers, mobile devices, removable media, and visible office spaces (such as desks and screens).
 

Access Restrictions    

Yembo restricts access to confidential information (including customer information), networks, and other resources based on job function and need. Any requests for access privileges require approval from the business owner responsible for the data, and all requests and approvals are documented.
 
Access to Customer Data within Yembo Software

Yembo provides role-based access control which allows our customers to restrict customer data access only to authorized personnel. The following roles are provided:
  • Employee: An Employee account has permission to view and edit surveys, and also has the ability to see customer information for all moves assigned to companies the Employee belongs to. Employee accounts may be best suited for salespeople to review and provide pricing information to end consumers.
  • Consultant: Consultants are afforded the same permissions as Employees, but only for surveys they have been assigned to. If a Consultant is not personally assigned to a survey, they will be unable to see or interact with it in any way.
  • Admin: An Admin account has all of the permissions of the Employee role, with the additional abilities to set company-wide settings and to create and edit accounts for their company. This account type is best used by a limited number of people at the company to set up and control accounts for other staff at the company.
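The three roles above can be expressed as a single deny-by-default authorization check. The following is an added illustration written for this page, not Yembo's own code: the `User` and `Survey` records, the role names in lower case, the company and survey identifiers, and the rule that a Consultant must both belong to the survey's company and be assigned to it are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Role names as used in this example (assumption: the product's actual
# identifiers may differ from these strings).
KNOWN_ROLES = {"employee", "consultant", "admin"}


@dataclass
class User:
    id: str
    role: str
    company_ids: set            # companies the user belongs to
    assigned_survey_ids: set = field(default_factory=set)  # only meaningful for consultants


@dataclass
class Survey:
    id: str
    company_id: str             # company the move/survey belongs to


def can_view_survey(user: User, survey: Survey) -> bool:
    """Return True only if the role model permits this user to see this survey.

    Employee and Admin: any survey belonging to a company the user belongs to.
    Consultant: same company rule, plus an explicit per-survey assignment
    (assumption: assignment does not bypass the company check).
    Unknown roles are denied outright rather than falling through.
    """
    if user.role not in KNOWN_ROLES:
        return False
    if survey.company_id not in user.company_ids:
        return False
    if user.role == "consultant":
        return survey.id in user.assigned_survey_ids
    return True


def can_edit_survey(user: User, survey: Survey) -> bool:
    # All three roles may edit what they may view; nothing else is editable.
    return can_view_survey(user, survey)


def can_manage_company(user: User) -> bool:
    # Company-wide settings and account management are Admin-only.
    return user.role == "admin"


def visible_surveys(user: User, surveys: list) -> list:
    """Filter a survey list down to what the user is allowed to see."""
    return [s.id for s in surveys if can_view_survey(user, s)]


# Constructed sample data for the example (not real accounts or surveys).
SURVEYS = [
    Survey("s-101", "co-a"),
    Survey("s-102", "co-a"),
    Survey("s-201", "co-b"),
]
EMPLOYEE = User("u-emp", "employee", {"co-a"})
CONSULTANT = User("u-con", "consultant", {"co-a"}, {"s-102"})
ADMIN = User("u-adm", "admin", {"co-a", "co-b"})
UNKNOWN_ROLE = User("u-x", "contractor", {"co-a"})  # not a defined role: denied

if __name__ == "__main__":
    for u in (EMPLOYEE, CONSULTANT, ADMIN, UNKNOWN_ROLE):
        print(u.id, u.role, visible_surveys(u, SURVEYS), "manage:", can_manage_company(u))
```

The point worth checking in any such implementation is the ordering of the checks: the company membership test runs before the Consultant assignment test, so an assignment record alone never grants visibility across companies, and a role string outside the defined set is rejected before any data is consulted.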
Systems Access

For corporate access (i.e., for general access to Yembo's internal corporate systems), requests for new or modified network access are submitted and logged. Yembo uses identity management software with two-factor authentication to confirm the identity of authorized users. Access to in-scope applications is reviewed quarterly.

Any additional access privileges (including administrator privileges) are tailored to job function and need, and require approval from Yembo management. Access is reviewed monthly by each designated administrator, and Yembo regularly verifies the completeness and accuracy of the review. Access to Yembo's source code repositories and cloud services such as Amazon Web Services ("AWS") is restricted to authorized personnel, and two-factor authentication is required.

Intrusion Detection    

Yembo employs cloud-based scanning for vulnerabilities such as server misconfigurations, missing patches, encryption weaknesses, and application bugs such as SQL injection and cross-site scripting. Customers may request a third-party report of Yembo’s compliance with its intrusion detection system at security@yembo.ai. 
 

Built-In Encryption     

Yembo’s cloud environments provide mandatory encryption both in transit and at rest. Neither form of encryption may be disabled. 
 

Data Encryption In-Transit      

Yembo uses industry-standard SSL encryption for data in transit. All SSL configurations are routinely monitored by a third-party service to ensure compliance with current best practices. Each user session is secured in this manner with no exceptions. Customers may request a third-party report of Yembo's SSL encryption configuration via email at security@yembo.ai.
 

Data Encryption at Rest       

Yembo stores data in MongoDB Atlas and AWS S3. Data is encrypted at rest in both deployments using 256-bit AES. Encryption at rest is provided for all deployments, for both textual data and multimedia uploads. 
 

Data Backups        

All data submitted to Yembo is backed up for resiliency to natural disasters or hardware failures. Databases are snapshotted automatically and backed up on AWS via MongoDB's Atlas product. Multimedia uploads are stored in S3 and are backed up to another S3 bucket in a different geography. Access to data on AWS is controlled by AWS Identity and Access Management (IAM) roles and rights. For more information, see Yembo's Data Storage Policy.
 

Secure Disposal         

For more information on Yembo's policies for secure disposal, see Yembo's Data Storage Policy.

Vendors

Yembo retains suppliers, subprocessors, and other vendors ("Vendors") who may from time to time perform services for Yembo or for customers on Yembo's behalf. Yembo only retains those Vendors that meet Yembo's stringent security criteria so as to ensure they provide at least the same level of protection to customer data as does Yembo.

Additionally, Yembo maintains internal environments separate from production that do not contain customer data. Vendors are provided access only to these internal environments unless their job function explicitly requires access to customer data. Periodically, Yembo may ask a Vendor to re-evaluate its security posture to help ensure compliance with evolving privacy and security policies and procedures. A list of Yembo's subprocessors is available for those interested in reviewing the list.
 

Reporting a vulnerability

If you believe you have found a security vulnerability in any Yembo property, please report it to security@yembo.ai. We consider giving a reward for reporting vulnerabilities if, on review, our technology team agrees the vulnerability information provided has genuinely helped improve Yembo's security. Please include the following information when reporting a vulnerability:
  1. Description of vulnerability
  2. Category - DoS, XSS, CSRF, Information Leak, SQL Injection, Authentication Bypass, Remote Code Execution, etc.
  3. Steps to reproduce the vulnerability
  4. Browser/OS/platform, if relevant
  5. How you found the bug - Using a free or commercial scanner, using a homemade tool, manually, etc.
  6. Do you believe this vulnerability is being actively exploited?