Yarnit places a strong emphasis on safeguarding customer data, with its Security team overseeing the implementation and management of the security program.
We takes security compliance seriously, continuously monitoring and enhancing the effectiveness of their security controls. We also collaborate with a reputable third-party for independent assessments, and any findings from internal and external audits are shared with executive management.
Yarnit takes responsibility for several crucial security aspects, including access control. Their IT team follows the principles of least privilege and role-based access control, granting employees only the necessary access and permissions for their job responsibilities. Regular user access reviews are conducted, and production access requires multi-factor authentication (MFA). Employee access is promptly revoked upon termination.
For cloud hosting, Yarnit relies on AWS as their provider, ensuring high availability through serverless instances. Data is stored in region US-East-1, and proper encryption methods are applied both at rest and in transit using AES256 and TLS1.2+/TLS1.3 protocols.
Security measures extend to endpoints, with company-managed workstations featuring disk encryption, anti-malware software, and idle lockout. Employee workstations are continuously monitored to comply with corporate policy and maintain up-to-date patches. Centralized logging enables monitoring for potential security breaches, and the Security team promptly responds according to their incident response plan.
Yarnit's network security is fortified with firewalls configured to deny incoming traffic by default. Regular reviews of firewall rules are conducted, and the Intrusion Detection System (IDS) alerts on-call personnel for investigation and triage. Additionally, Yarnit employs a Web Application Firewall (WAF) and CDN for protection against web vulnerabilities and faster access.
Personnel play a crucial role in maintaining security. All employees, contractors, and temporary workers must undergo a background check and sign confidentiality agreements before their start date. Security awareness training is mandatory upon hiring and annually, covering various topics. Violations of corporate policies may result in disciplinary action, including termination.
Secure development practices are ingrained in Yarnit's Software Development Lifecycle (SDLC), including peer code review and version control with MFA protection. Third-party partners, or subprocessors, are continuously monitored to meet Yarnit's security standards.
While Yarnit assumes responsibility for most security controls, customers have their part to play in securing their user accounts and the data they enter into the application. Yarnit handles limited customer PII (name and email) by default, but customers are ultimately responsible for determining the sensitivity of their data. It's essential to note that Yarnit is not PCI or HIPAA compliant, and customers should avoid providing cardholder information and protected health information.
In conclusion, Yarnit prioritizes the security and privacy of customer information, as it aligns with their mission to support the success of their customers. By maintaining a strong security program and adhering to industry best practices, they aim to build and retain the trust of their users."