Yess adopts stringent authentication and authorization measures to secure access to its systems. We mandate the use of Single Sign-On (SSO) platforms alongside phishing-resistant FIDO2 Multi-Factor Authentication (MFA) for all employee interactions with Yess’ systems. For cloud environment access, Yess employs IAM roles and ephemeral tokens, enhancing security and minimizing risk. Access to both development and production environments is tightly controlled, enforcing strict access controls.

Yess’ cloud security architecture employs immutable infrastructure managed via infrastructure-as-code to ensure a secure and controlled production environment. Our SDLC process, integrated with an automated CI/CD pipeline, enforces strict configuration management, security checks, and audit trails, with mechanisms in place to detect and escalate any unauthorized changes. We leverage cloud-native security features and robust authentication and authorization controls to limit remote access and maintain secure boundaries across our infrastructure. Additionally, Yess utilizes Amazon Web Services for its reliable hosting and computing capabilities, benefiting from Amazon's comprehensive compliance with SSAE-16 SOC 1, 2, and 3, ISO 27001, and FedRAMP/FISMA standards, ensuring our web servers and databases are housed in highly secure data centers.

Yess ensures the security of data within its service by implementing encryption both in transit and at rest. We utilize AES-256, an industry-standard encryption algorithm, for securing database instances, including read replicas and backups. Additionally, all data in transit is protected via TLS encryption. For encryption key management, Yess employs cloud-native solutions like AWS KMS, ensuring secure storage and handling of keys. Our automated controls are designed to prevent the storage or transfer of keys through insecure or unauthorized methods, maintaining the highest level of data protection.

Yess has implemented a robust monitoring and security information event management (SIEM) system across its architecture, collecting and analyzing data from various environments to identify potential threats. Based on predefined criteria, alerts are automatically sent to relevant stakeholders through internal communication tools, ensuring swift assessment and action according to the alert's priority. Our global security team is equipped to quickly address these alerts, leveraging a combination of automated processes and human expertise to maintain the integrity and security of our systems.

Yess undergoes annual independent SOC 2, Type II audits for security, availability, and confidentiality.

All Yess employees and contractor laptops are equipped with software to scan for malicious threats.

Yess performs at least one penetration test per year, which is conducted by accredited and completely independent information security companies. Vulnerabilities, if found, are addressed immediately.

Yess places a strong emphasis on the continuous education of its employees and contractors regarding security and privacy best practices. From the moment of hire, and at least annually thereafter, team members are rigorously trained in confidentiality, data security, and responsible data handling protocols. Our comprehensive security awareness program includes regular training sessions focused on information security and data privacy, along with up-to-date advice on countering emerging threats. Additionally, we provide customized guidance and procedures tailored to specific team roles, empowering our employees to integrate secure practices into their daily operations.