
Younium Trust Center - FAQ

Answers to the most common security and compliance questions about Younium, covering data encryption, backups, GDPR, SSO, incident management, infrastructure, and penetration testing.

In this article, you will find answers to the most frequently asked questions regarding our Trust Center. You can access the full Trust Center here: https://trust.younium.com/

 

Who is Younium?

Younium is headquartered in Stockholm, Sweden. Younium offers a subscription management platform for B2B companies. With the Younium platform, users manage, invoice, and automate bookkeeping and revenue recognition for their customers' subscriptions.

At Younium, information security and protecting our customers' data is of the highest priority, so we continuously work to communicate our efforts. Most of our efforts to do so are documented below. If you have any additional questions, do not hesitate to reach out:

Product Security

What service login does Younium offer?

Younium customers can choose either the built-in user login with email and password, or an SSO connection where users are authenticated using the customer's own identity provider (IdP).

Multi-Factor Authentication

Younium customers can choose to enable multi-factor authentication for their access to the Younium service by using the built-in MFA support for authenticator apps using a QR code. If SSO is used, the MFA options provided by their identity provider can be used.

Single Sign On (SSO)

Younium offers SSO configuration using either SAML or OpenID Connect (OIDC). When using SSO, the options for multi-factor authentication are tied to the identity provider the customer connects to Younium.

Logging

Younium logs all application actions at the API level. Logs are stored with 30 days retention.

Data Security

Does Younium encrypt data at rest?

All customer data hosted by Younium is encrypted with 256-bit AES using Microsoft Azure hosted keys.

Encryption at rest also applies to application data, backups, and generated logs.

https://learn.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest

Does Younium encrypt data in transit?

All Younium web applications and API services use HTTPS (HTTP over SSL).

Any request made to the Younium services requires TLS 1.2 as a minimum (TLS 1.3 is supported).

A CDN global load balancing service handles HTTPS certificate management for all publicly exposed services.

How does Younium back up customer data?

The built-in fault tolerance capabilities of Microsoft Azure protect customer data from individual server, network, and device failures. However, in order to protect customer data against user or application errors or a total loss of a region, Younium also creates a separate backup of the data.

Incremental or full database backups are encrypted and managed by Microsoft.

Additional geo-replicated backups are enabled on the critical cloud services hosting the customer's data (aligned with GDPR compliance).

Where is Younium data located?

Customer data is stored globally, within Microsoft Azure's cloud:

    • EU West Europe; Amsterdam
    • US East US; Virginia

The region is agreed upon when onboarding to Younium.

Failover Azure configuration data such as storage account replication is located in the Microsoft Azure North Europe region based in Ireland.

Incident management

How does Younium ensure recovery in case of a disaster?

The recovery time objective (RTO) defines the duration of time and service level acceptable to restore the services after an incident. It is handled based on the severity and type of incident encountered.

The recovery point objective (RPO) in case of major data loss or corruption is strongly related to the Azure cloud services SLA and backup capabilities.

Example scenarios:

    • An extended outage of the Azure Cloud region West Europe
    • Application error corrupts data and/or causes data loss (single or all tenants)
    • User (or application) error causes corrupt and irrecoverable data for a tenant

The most critical Younium services are geo-replicated across different Azure regions.

For example, the load balancer, which routes the ingress network traffic, can be routed to a passive instance in case a major issue is detected.

What is Younium's data breach process?

Threat detection monitoring services are enabled to detect suspicious data exfiltration and abnormal behavior and to notify the infrastructure administrators.

Security breaches and vulnerabilities detected are assessed by the different teams' stakeholders as soon as the information has been generated.

Once the severity level and scope of the issue have been assigned to the incident, all impacted customers will be contacted as soon as possible with the details and information available.

Follow-up notifications, including status updates, will also be sent out until the incident is resolved.

The severity level assigned during the initial assessment will then be discussed with the product and customer success managers before sending a notification to the impacted customers.

Availability & Reliability

How does Younium ensure availability & reliability?

Monitoring

The availability and monitoring of the different services are managed via a combination of Datadog and Azure alerts.

Each Younium service has a dedicated set of monitoring alerts, based on fixed or dynamic metric thresholds.

Custom logs generated by the application are processed and analyzed using the Datadog platform.

Scaling

The Younium architecture, which combines a load balancer as an entry point and the Azure PaaS services as the backend, allows these different backend services to be scaled in case of performance issues or unexpected load increases.

Status

The link below presents the status and health of Younium and its integrations. Current and past incidents are listed on this page.

https://status.eu.younium.com/

Infrastructure

What infrastructure is Younium using?

Azure Overview

Younium is using Microsoft Azure as a cloud hosting provider.

Azure is an industry-leading platform that provides built-in security controls and extensive auditing.

Test environments

Multiple environments are used for QA and validation purposes (none of these environments contains customers' sensitive data).

CI/CD

New releases are deployed using automated CI/CD pipelines.

Before any change can be deployed and hosted in the Younium cloud infrastructure, every code change has to go through a code review process and QA validation.

DevSecOps

In addition to the required code review steps mentioned previously, additional security scanning tools are included in the CI/CD process to detect vulnerabilities.

Is Younium hosted globally?

Yes, Younium separates data into different environments hosted by Microsoft Azure in the following geographic areas:

    • EU West Europe; Amsterdam
    • US East US; Virginia

The region is agreed upon when onboarding to Younium.

Threat management

Does Younium perform penetration tests?

A yearly penetration test will be carried out by a third party. The outcome of the penetration test will be analysed and potential threats will be handled.

Other FAQs

Does Younium have a privacy policy?

Yes. For more information about the privacy policy, visit Younium's public privacy policy.

What is Younium's data and retention policy?

Younium stores customer data as long as the customer is using the service. If the customer will no longer use the service, all customer data will be removed from the cloud. Before data is removed, the data can be exported to the customer using a format agreed upon between the customer and Younium.

Will Younium disclose customer data to third parties?

Younium will not disclose customer data to a third party (including law enforcement, other government entity or civil litigant) except at the customer's request or as required by law. If compelled to disclose customer data to a third party, we will promptly notify the customer and provide a copy of the demand, unless legally prohibited from doing so.

This policy is in line with Microsoft's policy for Microsoft Azure.

Read more here: https://www.microsoft.com/en-us/trustcenter

How is Younium ensuring GDPR compliance?

    • Younium only processes our customers' and their customers' data according to the signed Data Processing Agreement.
    • Younium ensures strong security measures to prohibit unauthorized access to the personal data. This includes encryption of data and access control.

 

 
