Security at Yondervast

Updated 12 May 2026.

Encryption

  • In transit: TLS 1.3 across all public endpoints and internal service-to-service hops. HSTS is enforced on yondervast.ai and all subdomains.
  • At rest: Postgres uses AES-256 server-side encryption (Supabase). Object storage (Cloudflare R2) is AES-256 server-side encrypted.
  • Secrets: API keys live in Vercel encrypted environment variables and are never logged or exposed to the browser.

Access control

  • Row-Level Security on every Postgres table. No client can read another customer’s rows even if they bypass the API layer.
  • Role-based access for organisation members (Admin, Member, Read-only).
  • MFA available on every account; mandatory MFA enforceable at the organisation level for Enterprise plans.
  • Internal staff access is logged and scoped to support investigation only. Production secrets are accessible to at most two engineers.

Authentication

  • Email + password with secure hashing (Supabase Auth, bcrypt).
  • Magic-link sign-in.
  • TOTP-based MFA.
  • SAML SSO on Enterprise plans (planned for 2026 Q3).

Data isolation

Each organisation is a separate Postgres row-level tenant. Object storage paths are namespaced to the project ID, signed URL lifetimes are capped at 1 hour by default, and direct bucket listing is disabled.
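One way to implement the row-level tenant boundary described here and under Access control, as an added SQL example that is not Yondervast's own schema: it assumes hypothetical tables organisation_members(user_id, organisation_id) and projects(id, organisation_id) and Supabase's auth.uid() helper, which reads the caller's user id from the request JWT.

```sql
-- Added illustration, not Yondervast's schema. Hypothetical tables:
--   organisation_members(user_id uuid, organisation_id uuid)
--   projects(id uuid, organisation_id uuid, name text)

-- Helper returning the organisations the calling user belongs to.
-- SECURITY DEFINER lets policies consult the membership table without
-- granting clients direct read access to it.
CREATE OR REPLACE FUNCTION my_organisation_ids()
RETURNS SETOF uuid
LANGUAGE sql
STABLE
SECURITY DEFINER
SET search_path = public
AS $$
  SELECT organisation_id
  FROM organisation_members
  WHERE user_id = auth.uid();
$$;

ALTER TABLE projects ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policies to the table owner as well, so a connection
-- that skips the API layer and talks to Postgres directly is still filtered.
-- Superusers and roles with BYPASSRLS are always exempt, as is the
-- Supabase service_role key, which therefore must never reach a browser.
ALTER TABLE projects FORCE ROW LEVEL SECURITY;

-- One permissive policy for the authenticated role:
--   USING      filters rows the caller may see, update or delete;
--   WITH CHECK rejects inserts/updates that would place a row in an
--              organisation the caller is not a member of.
CREATE POLICY projects_tenant_isolation ON projects
  FOR ALL TO authenticated
  USING      (organisation_id IN (SELECT my_organisation_ids()))
  WITH CHECK (organisation_id IN (SELECT my_organisation_ids()));

-- Defender's check from psql: impersonate an authenticated user by setting
-- the JWT claims auth.uid() reads, then confirm only that user's rows appear.
BEGIN;
SET LOCAL ROLE authenticated;
SELECT set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}', -- placeholder user id
  true);
SELECT count(*) FROM projects;   -- rows from the caller's organisations only
ROLLBACK;
```

Run the check with two different placeholder user ids and compare the counts; if the second user sees the first user's rows, a policy is missing or the table is not under FORCE ROW LEVEL SECURITY.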

Backups & DR

  • Daily Postgres backups with point-in-time recovery over a 7-day window.
  • Object storage cross-region replication on Enterprise plans.
  • RPO < 24 hours, RTO < 4 hours.

Monitoring

Vercel runtime logs, Supabase audit logs, and per-route latency dashboards. Production is paged on availability or error-rate anomalies.

Vulnerability management

  • Dependencies audited weekly (npm audit / GitHub Dependabot). Critical CVEs are patched within 48 hours.
  • Static analysis on every PR (TypeScript strict, ESLint, Zod input validation on every API route).
  • Annual third-party penetration test (Enterprise customers can request the report under NDA).

Responsible disclosure

Found a security issue? Email security@yondervast.ai with details and a reproduction. We aim to acknowledge within 48 hours and ship a fix within the agreed timeline. We do not pursue legal action against good-faith security research.

Compliance

We operate under UK GDPR and EU GDPR. SOC 2 Type II audit is in progress (target 2026 Q4). HIPAA / FedRAMP are not currently supported.

Contact

security@yondervast.ai · Yondervast LTD, United Kingdom.