General Security and Access Control

Yuki is committed to maintaining the highest standards of information security, privacy, and compliance across all layers of its platform. All customer data is handled as potentially sensitive, and every process, from authentication to monitoring, is designed to ensure protection, isolation, and traceability.


Data Sensitivity and Metadata

Yuki assumes that all customer data interacting with the platform may contain PII or sensitive information, and it is therefore treated as such. The Yuki control plane only tracks non-sensitive metadata such as query hashes and execution statistics. No raw data or user content is ever stored or processed within Yuki’s systems.

All operations within Yuki are authenticated and authorized using temporary tokens, which can be invalidated upon request. This ensures traceability, security, and full control for customers at all times.


Compliance and Standards

Yuki’s security controls and policies align with globally recognized standards, including:

  • SOC 2 Type II

  • ISO 27001 (Annex A: A.10.1.1, A.10.1.2, A.14.1.2, A.18.1.5)

These frameworks define how Yuki implements cryptographic controls, manages encryption keys, and enforces confidentiality, integrity, and non-repudiation of customer information.


Encryption Controls

Yuki applies cryptographic protection across all systems and communication channels.

System / Information Type | Cryptographic Tool | Algorithm          | Key Size
--------------------------+--------------------+--------------------+---------
Data Encryption Keys      | OpenSSL            | AES-256            | 256-bit
PKI for Authentication    | OpenSSL            | AES-256            | 256-bit
Website SSL Certificate   | OpenSSL, CERT      | SHA-256 (with RSA) | 256-bit

All keys are securely generated, rotated, stored, and backed up in accordance with internal key management policies. Keys are rotated at least once every 12 months and protected from unauthorized access, loss, or modification.


Access Control

Access to Yuki production systems is disabled by default and requires explicit approval before being temporarily granted. Every access request is reviewed by Yuki’s security team on a case-by-case basis.

Administrative access is permitted only when required, such as for forensic analysis or manual disaster recovery, and is automatically revoked when the operation is complete. All access to production systems is logged and subject to ongoing monitoring and review.


Data Separation

Customer data is logically separated at the database or datastore level using a unique customer identifier. This separation is enforced at the API layer, where:

  • The client must authenticate using its designated account.

  • The customer’s unique identifier is included in the access token.

  • All subsequent API and database queries are restricted to data belonging to that identifier.

This design guarantees that each customer can access only their own data, maintaining full isolation within Yuki’s infrastructure.
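
The enforcement pattern described above, as an added sketch that is not Yuki's code. It assumes an HS256-signed token, a claim named customer_id, a query_stats table and a constructed demo key, none of which the page specifies.

```python
import base64, hashlib, hmac, json, sqlite3, time
SECRET = b"constructed-demo-key"  # constructed; a real signing key lives in a KMS

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(head, body):
    return hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()

def issue_token(customer_id, ttl=300, now=None):
    """Mint a short-lived token that carries the customer identifier."""
    now = int(time.time()) if now is None else now
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"customer_id": customer_id, "exp": now + ttl}).encode())
    return f"{head}.{body}.{b64e(sign(head, body))}"

def tenant_from_token(token, now=None):
    """Return customer_id only if algorithm, signature and expiry all check out."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "HS256":
            raise PermissionError("unexpected algorithm")
        if not hmac.compare_digest(sign(head, body), b64d(sig)):
            raise PermissionError("bad signature")
        claims = json.loads(b64d(body))
    except (ValueError, AttributeError) as exc:
        raise PermissionError("malformed token") from exc
    if claims.get("exp", 0) <= now or not claims.get("customer_id"):
        raise PermissionError("expired token or missing customer_id")
    return claims["customer_id"]

def list_query_hashes(db, token, requested_customer=None):
    """The tenant filter comes from the verified token, never from request input."""
    tenant = tenant_from_token(token)
    if requested_customer not in (None, tenant):
        raise PermissionError("cross-tenant request refused")
    rows = db.execute("SELECT query_hash FROM query_stats WHERE customer_id = ? ORDER BY 1", (tenant,))
    return [row[0] for row in rows]

def demo_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE query_stats (customer_id TEXT, query_hash TEXT)")
    db.executemany("INSERT INTO query_stats VALUES (?, ?)",  # constructed rows
                   [("cust-a", "h1"), ("cust-a", "h2"), ("cust-b", "h3")])
    return db
```

Because the WHERE clause is bound to the verified claim, a request that names another customer, a token with a swapped payload, or an expired token is refused before any row is read.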


Monitoring and Alerts

Yuki continuously monitors its cloud environment to detect anomalies, potential failures, or unauthorized activity. Monitoring and alerting are handled through:

  • AWS CloudWatch, which observes the entire cloud service operation and triggers alerts when system failures or alarms occur.

  • Security agents installed on production systems that:

    • Track system activities

    • Generate alerts for suspicious behavior

    • Report vulnerability findings to a centralized management console

Key personnel are automatically notified by text, chat, or email when an alert or failure is detected, ensuring rapid response and remediation.


Data Protection

All production systems that store or process Yuki customer data follow strict access control and monitoring guidelines:

  • Data is encrypted at rest and in transit.

  • Access to production environments is disabled by default and only granted temporarily upon security review.

  • All access and system activity are logged and continuously monitored.

  • Customer data is stored on encrypted volumes, and encryption keys are managed and protected from unauthorized access.


Data in Transit

All data transmitted between Yuki components or third-party services is encrypted end-to-end using strong key exchange and cipher protocols. Communication between the Yuki Proxy and Yuki Engine occurs over HTTPS and is authenticated with JWT tokens.

External and internal data transfers occur only when strictly necessary for system functionality or business operations.


Physical Security

Yuki relies on Amazon Web Services (AWS) for hosting and infrastructure. Physical and environmental security are handled entirely by AWS, which maintains compliance with:

  • SOC 1, SOC 2, SOC 3

  • PCI-DSS

  • ISO 27001

These certifications ensure the highest standards of physical security, redundancy, and operational integrity across Yuki’s underlying infrastructure.


Next Step

→ Continue to Encryption Keys to review Yuki’s encryption and key management setup.
