Data retention policy
Younium stores customer data as long as the customer is using the service. If the customer will no longer use the service all customer data will be removed from the cloud. Before data is removed the data can be exported to the customer using a format agreed upon between the customer and Younium
Customer data and 3rd parties
Younium will not disclose customer data to a third party (including law enforcement, other government entity or civil litigant) except by request from customer or required by law. If compelled to disclose customer data to a third party, we will promptly notify the customer and provide a copy of the demand, unless legally prohibited from doing so.
This policy is in line with Microsoft's policy for Microsoft Azure.
Read more here: https://www.microsoft.com/en-us/trustcenter
How is Younium ensuring GDPR compliance
Younium is built on Microsoft Azure cloud technology, more information on Azure Security and Compliance can be found here: Microsoft Service Trust Portal.
Younium customers can select to either use the built in user login with email and password login, or a SSO connection where users are authenticated using the customers own identity provider (IdP)
Younium customers can choose to enable multi-factor authentication for their access to the Younium service by using built in MFA support for authenticator app using QR code. If SSO is used, the MFA options provided by their identity provider can be used.
Single Sign On (SSO)
Younium offers SSO configuration using either SAML or Open ID Connect (OIDC). When using SSO, the options for multi-factor authentication are tied to the identity provider the customer connects to Younium.
Younium logs all application actions on the API level. Logs are stored with 30 days retention.
Data encrypted at REST
All customer data hosted by Younium is encrypted using Microsoft Azure hosted keys 256-bit AES .
The data transit is also encrypted at rest for application data, backups, and logs generated.
Data encrypted in Transit:
All Younium web applications and API services use HTTPS (HTTP over SSL).
Any requests made to the Younium services require TLS protocol set to 1.2 minimum (1.3 Supported)
A CDN global load balancing service handling the HTTPS certificate management for all publicly exposed services.
The built-in fault tolerance capabilities of Microsoft Azure protect customer data from individual server, network, and device failures. However, in order to protect customer data against user or application errors or a total loss of a region, Younium does also create a separate backup of the data.
Incremental or full database backups are encrypted and managed by Microsoft.
Additional geo-replicated backups are enabled on the critical cloud services hosting the customer’s data (Aligned with GDPR compliance).
Location of customer data
All customer data is stored in Europe, currently in the Microsoft Azure West Europe region, located in the Netherlands.
Failover Azure configuration data such as storage account replication is located in the Microsoft Azure North Europe region based in Ireland.
The recovery time objection (RTO) defines the duration of time and service level acceptable to restore the services after an incident, this one is handled based on the severity and type of incident encountered.
The recovery point also called (RPO) in case of major data loss or corruption is strongly related to the Azure cloud services SLA and backup capabilities.
An extended outage of the Azure Cloud region West Europe
Application error corrupts data and/or causes data loss (Single or all tenants)
User (or application) error causes corrupt and irrecoverable data for a tenant
The most critical Younium services are geo-replicated across different Azure regions.
For example, the load balancer which routes the ingress network traffic can be routed to a passive instance in case of a major issue is detected.
Data breach process
Threat detection monitoring services are enabled to detect and notify the infrastructure administrators in case of suspicious data exfiltration and abnormal behavior detection.
Security breaches and vulnerabilities detected are assessed by the different team's stakeholders as soon as the information has been generated.
Once the severity level and scope of the issue have been assigned to the incident, all impacted customers will be contacted as soon as possible with the details and information available.
Follow-up notifications including updates and status updates will also be sent out until the incident resolution.
The severity level assigned during the initial assessment will then be discuss with the product and customer success managers before sending a nofication to the impacted customers.
The availability and monitoring of the different services is managed via a combination of Datadog & Azure alerts.
Each Younium service has a dedicated set of monitoring alerts, these ones are based on fixed or dynamic metrics thresholds.
Custom logs generated by the application are processed and analyzed using the Datadog platform.
The Younium architecture which combines a load balancer as an entry point and the Azure Paas services as the backend allows these different backend services to be scaled in case of performance issues or unexpected load increases.
On the link below, the status and health of Younium and its integrations is presented. Current and past incidents are listed on this page.
Younium is using Microsoft Azure as a cloud hosting provider.
Azure is an industry-leading platform that provides built-in security controls and extensive auditing.
Multiple environments are used for QA and validation purposes (none of these environments contains customer’s sensitive data).
The process involving the new release deployments is using automated CI/CD pipelines.
Before any changes can be deployed and hosted in the Younium cloud infrastructure any code changes has to go through a code review process and QA validation.
In addition to the required code review steps mentioned previously additional security scanning tools are included in the CI/CD process to detect vulnerabilities
A yearly penetration test will be carried out by a third party. The outcome of the penetration test will be analysed and potential threats will be handled.
|Sub-processor||Purpose of the Processing||Categories of Personal Data||Location|
|Microsoft||Provider of the cloud computing platform||
Employees or consultants of the Controller
Controller’s users authorized by Controller to use the Services provided by Processor
Invoice contact persons of Controllers customer
|Sendgrid||E-mail delivery services for internal email to the Controller’s users (eg. Password reset)||Controller’s users authorized by Controller to use the Services provided by Processor||USA (EU Standard Contractual Clauses)|