Built secure from the ground up
Construction workforce data is sensitive. We treat security as a first-class feature, not an afterthought.
- GDPR Compliant: Active
- EU Data Residency: Active
- SOC 2 Type II: In Progress
- ISO 27001: Planned 2026
Encryption
- All data encrypted at rest using AES-256
- All data in transit protected by TLS 1.3
- Database backups encrypted with separate keys
- Passwords hashed with bcrypt (cost factor 12+)
Infrastructure
- Hosted exclusively on EU servers (Frankfurt, Germany)
- No data stored outside the European Economic Area
- Automated backups every 6 hours, 30-day retention
- Infrastructure-as-code, reproducible deployments
Access Control
- Role-based access: Admin, Manager, Viewer
- Two-factor authentication for all staff accounts
- Audit log of all data access and mutations
- Principle of least privilege enforced throughout
Incident Response
- 24/7 uptime monitoring with sub-minute alerting
- Personal data breach notification within 48 hours
- Incident postmortems published at status.yeydigital.eu
- Annual penetration testing by third-party firms
Multi-tenant isolation
Every Yey account is fully isolated at the database level using tenant-scoped queries enforced on every API operation. It is architecturally impossible for data from one company to appear in another company's account. All queries are parameterized to prevent SQL injection, and our API enforces authentication on every endpoint with JWT tokens that include tenant context.
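The pattern this paragraph describes, as an added example that is not Yey's code: the tenant id is taken only from a verified token and bound into a parameterized query, so a record id supplied by the client cannot reach another tenant's rows. The `workers` table, the `tenant_id` and `exp` claim names, HS256 signing and the demo key are assumptions.

```python
import base64, hashlib, hmac, json, sqlite3

SECRET = b"constructed-demo-key"  # constructed; real services load this from a secret store

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(head, body):
    return hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign(claims):  # mints HS256 tokens for the constructed sample data below
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_mac(head, body))}"

def tenant_from_token(token, now):
    """Return the tenant id of a verified, unexpired token or raise PermissionError."""
    try:
        head, body, sig = token.split(".")
        # Pin the algorithm and compare the MAC in constant time before trusting any claim.
        if json.loads(_b64d(head)).get("alg") != "HS256":
            raise PermissionError("unexpected algorithm")
        if not hmac.compare_digest(_mac(head, body), _b64d(sig)):
            raise PermissionError("bad signature")
        claims = json.loads(_b64d(body))
        if claims["exp"] <= now or not isinstance(claims["tenant_id"], int):
            raise PermissionError("expired token or missing tenant")
        return claims["tenant_id"]
    except (ValueError, TypeError, KeyError, AttributeError):
        raise PermissionError("malformed token") from None

def get_worker(db, token, worker_id, now):
    """Look up one row; the tenant filter comes from the token, never from the request."""
    tenant_id = tenant_from_token(token, now)
    row = db.execute(
        "SELECT name FROM workers WHERE id = ? AND tenant_id = ?",  # parameterized
        (worker_id, tenant_id),
    ).fetchone()
    return row[0] if row else None  # another tenant's id is indistinguishable from "not found"

def demo_db():
    """Constructed sample data: two tenants (10 and 20) in one table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE workers (id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL, name TEXT)")
    db.executemany("INSERT INTO workers VALUES (?, ?, ?)", [(1, 10, "Ana"), (2, 10, "Ben"), (3, 20, "Cem")])
    return db
```

A useful regression test for this pattern is the cross-tenant lookup: a valid token for tenant 10 asking for a row id owned by tenant 20 must return nothing.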
Responsible Disclosure
If you discover a security vulnerability in Yey, please report it to us responsibly. We'll acknowledge within 24 hours, investigate promptly, and keep you updated on our fix timeline.
security@yeydigital.eu
PGP key available on request