# security & compliance
we care about security, so here's an overview of our security practices and those of the suppliers we work with.
### infrastructure providers
we're thoughtful about which service providers we work with; each of them has high standards for security and privacy.
| service | purpose | certifications | documentation |
|---|---|---|---|
| vercel | application hosting | SOC 2 Type II, ISO 27001 | security page ↗ |
| openai | ai analysis | SOC 2 Type II, GDPR compliant | security page ↗ |
| bright data | web data collection | ISO 27001, GDPR compliant, SOC 2 Type II | security page ↗ |
| stripe | payment processing | PCI DSS Level 1, SOC 1 Type II, SOC 2 Type II, ISO 27001 | security page ↗ |
| github | code repository | SOC 2 Type II, ISO 27001 | security page ↗ |
| neon | postgresql database | SOC 2 Type II, ISO 27001, GDPR compliant | security page ↗ |
### our security practices
| security measure | implementation | details |
|---|---|---|
| data encryption at rest | AES-256-GCM encryption for all database data via Neon | all data stored in our postgresql database is encrypted at rest using industry-standard AES-256 encryption |
| data backups | automated daily backups with point-in-time recovery via Neon | neon provides continuous backups with the ability to restore to any point in time within the retention period |
| api key encryption | AES-256-GCM with PBKDF2 key derivation (100,000 iterations) | api keys are encrypted with unique salt and initialization vector before storage, never stored in plain text |
| data in transit | TLS 1.3 encryption for all connections | all data transmitted between clients, servers, and databases uses TLS 1.3 encryption |
| authentication | NextAuth.js with bcrypt password hashing | passwords are hashed using bcrypt with 10 rounds, secure session management with httpOnly cookies |
| authorization | role-based access control with organization isolation | all api routes validate user permissions and filter data by organization to prevent cross-tenant data access |
| security headers | comprehensive security headers on all responses | X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy |
### continuous security monitoring
#### automated vulnerability scanning
we use snyk for continuous security scanning of our codebase and dependencies.
• scan frequency: weekly automated scans + every code change
• coverage: OWASP Top 10 vulnerabilities, dependency vulnerabilities, license compliance
• remediation time: target 1 business day for all severity levels
• compliance support: SOC 2, ISO 27001, PCI DSS 4.0
### additional security measures
• rate limiting: api requests are rate-limited per organization to prevent abuse
• ddos protection: vercel provides automatic ddos protection at the edge network level
• email verification: all user accounts require email verification before activation
• password requirements: enforced strong password policy (minimum 12 characters, uppercase, lowercase, number, special character)
• data minimization: we only collect and store data necessary for service operation
• opt-out capability: users can request removal from our enrichment database at any time
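Two of the measures above (per-organization rate limiting and the password policy) are concrete enough to show in code. The snippet below is an added example, not yolodex's own implementation: the one-minute window, the 100-request limit, the in-memory store and the injected clock are assumptions made so it runs offline; the password rules are the ones the list states.

```javascript
// Added example (not yolodex's own code): a sliding-window rate limiter keyed
// on the organization, and a checker for the stated password policy.
// Window size, limit, in-memory store and clock parameter are assumptions.

const WINDOW_MS = 60 * 1000;  // assumption: one-minute window
const MAX_PER_WINDOW = 100;   // assumption: 100 requests per organization per window

// orgId -> timestamps of requests that fall inside the current window
const requestLog = new Map();

// Keyed on the organization rather than the user, so one tenant's burst cannot
// consume another tenant's capacity. Returns { allowed, remaining, retryAfterMs }.
function checkRateLimit(orgId, now = Date.now(), log = requestLog) {
  const cutoff = now - WINDOW_MS;
  const recent = (log.get(orgId) || []).filter((t) => t > cutoff);
  if (recent.length >= MAX_PER_WINDOW) {
    log.set(orgId, recent);
    // oldest request in the window decides when capacity frees up again
    return { allowed: false, remaining: 0, retryAfterMs: recent[0] + WINDOW_MS - now };
  }
  recent.push(now);
  log.set(orgId, recent);
  return { allowed: true, remaining: MAX_PER_WINDOW - recent.length, retryAfterMs: 0 };
}

// Password policy from the page: at least 12 characters, with uppercase,
// lowercase, a number and a special character. Returns every failed rule so
// the signup form can report all problems at once; an empty array means OK.
function passwordPolicyViolations(password) {
  const rules = [
    ['min_length_12', (p) => p.length >= 12],
    ['uppercase', (p) => /[A-Z]/.test(p)],
    ['lowercase', (p) => /[a-z]/.test(p)],
    ['number', (p) => /[0-9]/.test(p)],
    ['special', (p) => /[^A-Za-z0-9]/.test(p)],
  ];
  return rules.filter(([, ok]) => !ok(password)).map(([name]) => name);
}

// Constructed sample run
console.log(checkRateLimit('org_constructed_a'));
console.log(passwordPolicyViolations('short'));
```

Sending the `remaining` and `retryAfterMs` values back as response headers lets honest clients back off, while a log line on every denied request gives the monitoring side a per-tenant abuse signal; in a multi-instance deployment the `Map` would be replaced by a shared store so the limit holds across servers.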
### security concerns or questions
if you have security concerns, questions about our security practices, or would like to report a vulnerability, please contact us at:
support@yolodex.ai
last updated: november 2025