Trust isn't a logo grid. It's architecture you can audit.
Yoetz.ai is built for InfoSec, HRIS, and procurement teams who don't take 'trust us' for an answer. Here's exactly how the platform handles your tenant credentials, configuration data, and audit evidence — with the documents your reviewers will ask for.
Eight controls your auditors will check.
Every one of these is enforced in code or infrastructure — not policy.
Read-only by architecture
Yoetz.ai cannot write to your tenant. Write operations are blocked at the connector layer regardless of credential scope. Every outbound call goes through a read-only guard that rejects any non-GET/non-query method before it leaves our network.
Row-level security on every table
Database-layer access policies enforce per-tenant isolation across every table — credentials, scans, findings, exports, audit logs. No tenant can read another tenant's data even if application code has a bug. Enforced by Postgres, not by us.
Credentials encrypted at rest
HR platform credentials are encrypted with AES-256-GCM before storage. The encryption key is held in a separate secret store, never in the database. Credentials are decrypted only in memory at scan time, used to obtain a short-lived OAuth token, and never logged.
Zero retention on raw HR records
Findings and configuration metadata are stored. Raw worker records, payroll data, salary figures, and benefits enrollments are never persisted. Where user identifiers appear in configuration data, they are masked at the source before analysis.
DPA signed before any scan
Every customer signs a Data Processing Agreement before the first scan runs. The DPA is enforced in-product — no scan can be initiated without a current signed agreement on file. Standard EU SCCs and UK addendum included for cross-border transfers.
Full audit log of every action
Every scan, export, share link, role change, and outbound API call is recorded with actor, timestamp, IP, and outcome. Logs are retained for 90 days and accessible to your account administrator. Designed to satisfy Workday Design Approved and SAP ARC review.
Encrypted in transit, everywhere
All connections use HTTPS with TLS 1.2 or higher. HSTS is enforced on every endpoint. Cloudflare fronts the web tier; Railway hosts the scan engine — both enforce TLS at the platform level. No internal service-to-service hop happens in plaintext.
Tenant isolation at the engine level
Concurrent scans run in isolated workers — they cannot share state, credentials, or scan results. A misconfiguration in one customer's connector cannot affect another customer's scan. Each scan job is sandboxed and torn down on completion.
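For the "Row-level security on every table" control above, a reviewer can ask to see a policy of the following shape and the results of the two catalog checks. This is an added example in PostgreSQL SQL, not Yoetz.ai's schema or code; the `findings` table, the `tenant_id` column, the `app.tenant_id` setting and the `public` schema are assumptions.

```sql
-- Added example: hypothetical table, column and setting names (assumptions).
CREATE TABLE findings (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    detail    text NOT NULL
);

-- ENABLE applies policies to ordinary roles.
-- FORCE applies them to the table owner as well, which ENABLE alone does not.
ALTER TABLE findings ENABLE ROW LEVEL SECURITY;
ALTER TABLE findings FORCE ROW LEVEL SECURITY;

-- The application is assumed to run SET LOCAL app.tenant_id = '<uuid>' per transaction.
-- current_setting(..., true) yields NULL when the setting was never set,
-- so a session without a tenant matches no rows (fails closed).
CREATE POLICY tenant_isolation ON findings
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Audit 1: tables where RLS is off, not forced on the owner, or has no policy.
SELECT c.relname,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced,
       count(p.polname)      AS policy_count
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN pg_policy p ON p.polrelid = c.oid
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')          -- ordinary and partitioned tables
GROUP BY c.relname, c.relrowsecurity, c.relforcerowsecurity
HAVING NOT c.relrowsecurity
    OR NOT c.relforcerowsecurity
    OR count(p.polname) = 0
ORDER BY c.relname;

-- Audit 2: roles that skip every policy (superusers and BYPASSRLS roles).
SELECT rolname, rolsuper, rolbypassrls
FROM pg_roles
WHERE rolsuper OR rolbypassrls
ORDER BY rolname;
```

Audit 1 should return no rows when every table is covered. Any role listed by audit 2 bypasses the policies entirely, so it must not be the role the application connects as.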
Where we are, plainly stated.
No vague badges. Each item below tells you what's certified, what's in progress, and what's roadmap.
SOC 2 Type II
Audit firm engaged. Type I observation period underway with target completion in the next reporting cycle. Letter of engagement available on request under NDA.
GDPR
Data Processing Register, lawful basis assessment, and data flow documentation maintained and available to controllers under our DPA.
ISO 27001
Security architecture, access controls, and incident response procedures aligned to ISO 27001 controls. Formal certification on the 2026 roadmap.
UK & EU data residency
EU/UK customers can request EU-region database hosting on Annual and Enterprise plans. US customers default to AWS us-east-1.
Sub-processors
Every third party that touches customer data, what they do, and where.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Managed Postgres + auth | AWS us-east-1 (EU available) |
| Railway | Scan engine workers | US-West |
| Cloudflare | Web app, DNS, WAF, TLS | Global edge |
| Anthropic | Advisory summaries (findings only — no raw HR data) | US |
| Stripe | Billing & payment processing | US / EU |
| Resend | Transactional email | US |
Customers receive 30 days' notice before a new sub-processor with access to customer data is added.
The documents your security review needs.
Available on request. Most are returned within one business day.
Data Processing Agreement (DPA)
EU-style DPA with Standard Contractual Clauses and UK addendum. Required before the first scan.
Security Overview (one-pager)
Architecture summary, data flow diagram, sub-processor list, and incident response posture.
Penetration test summary
Most recent third-party penetration test executive summary, available under NDA.
Vendor security questionnaire
Pre-completed CAIQ-Lite responses for procurement and InfoSec review.
Responsible disclosure
Found a vulnerability? Email security@yoetz.ai. We acknowledge within 1 business day, triage within 3, and credit researchers in our hall of fame on request. Please do not run automated scans against production tenants.
Incident notification
In the event of a confirmed incident affecting customer data, we notify designated account contacts within 24 hours with scope, impact, and remediation status. Customers receive structured updates until full resolution.
Need something not listed here?
Custom contracts, regional hosting, BAA, or bespoke security review — talk to us. We move at procurement speed when procurement needs to move.
We respond to all security inquiries within 1 business day.
