<img src="https://ws.zoominfo.com/pixel/zvVNNaJfija36JfACT7K" width="1" height="1" style="display: none;">

Success is built on trust. Trust starts with transparency.

Privacy & Compliance

Privacy policy

For more information about Privacy policy, visit Youniums public privacy policy

 

Data retention policy

Younium stores customer data as long as the customer is using the service. If the customer will no longer use the service all customer data will be removed from the cloud. Before data is removed the data can be exported to the customer using a format agreed upon between the customer and Younium

 

Customer data and 3rd parties

Younium will not disclose customer data to a third party (including law enforcement, other government entity or civil litigant) except by request from customer or required by law. If compelled to disclose customer data to a third party, we will promptly notify the customer and provide a copy of the demand, unless legally prohibited from doing so.

This policy is in line with Microsoft's policy for Microsoft Azure.

Read more here: https://www.microsoft.com/en-us/trustcenter

 

GDPR

How is Younium ensuring GDPR compliance

  • Younium only processes our customers and their customers data according to the signed Data Processing Agreement
  • Younium ensures strong security measures to prohibit unauthorized access to the personal data. This includes encryption of data and access control.

Compliance

Younium is built on Microsoft Azure cloud technology, more information on Azure Security and Compliance can be found here: Microsoft Service Trust Portal.

Product Security

Service login

Younium customers can select to either use the built in user login with email and password login, or a SSO connection where users are authenticated using the customers own identity provider (IdP)

Multi-Factor Authentication

Younium customers can choose to enable multi-factor authentication for their access to the Younium service by using built in MFA support for authenticator app using QR code. If SSO is used, the MFA options provided by their identity provider can be used.

Single Sign On (SSO)

Younium offers SSO configuration using either SAML or Open ID Connect (OIDC). When using SSO, the options for multi-factor authentication are tied to the identity provider the customer connects to Younium.

Logging

Younium logs all application actions on the API level. Logs are stored with 30 days retention.

Data Security

Data encrypted at REST

All customer data hosted by Younium is encrypted using Microsoft Azure hosted keys 256-bit AES .

The data transit is also encrypted at rest for application data, backups, and logs generated.

https://learn.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest

Data encrypted in Transit:

All Younium web applications and API services use HTTPS (HTTP over SSL).

Any requests made to the Younium services require TLS protocol set to 1.2 minimum (1.3 Supported)

A CDN global load balancing service handling the HTTPS certificate management for all publicly exposed services.

Data backup

The built-in fault tolerance capabilities of Microsoft Azure protect customer data from individual server, network, and device failures. However, in order to protect customer data against user or application errors or a total loss of a region, Younium does also create a separate backup of the data.

Incremental or full database backups are encrypted and managed by Microsoft.

Additional geo-replicated backups are enabled on the critical cloud services hosting the customer’s data (Aligned with GDPR compliance).

Location of customer data

All customer data is stored in Europe, currently in the Microsoft Azure West Europe region, located in the Netherlands.

Failover Azure configuration data such as storage account replication is located in the Microsoft Azure North Europe region based in Ireland.

Incident management

Disaster recovery

The recovery time objection (RTO) defines the duration of time and service level acceptable to restore the services after an incident, this one is handled based on the severity and type of incident encountered.

The recovery point also called (RPO) in case of major data loss or corruption is strongly related to the Azure cloud services SLA and backup capabilities.

Example scenarios:

An extended outage of the Azure Cloud region West Europe

Application error corrupts data and/or causes data loss (Single or all tenants)

User (or application) error causes corrupt and irrecoverable data for a tenant

The most critical Younium services are geo-replicated across different Azure regions.

For example, the load balancer which routes the ingress network traffic can be routed to a passive instance in case of a major issue is detected.

Data breach process

Threat detection monitoring services are enabled to detect and notify the infrastructure administrators in case of suspicious data exfiltration and abnormal behavior detection.

Security breaches and vulnerabilities detected are assessed by the different team's stakeholders as soon as the information has been generated.

Once the severity level and scope of the issue have been assigned to the incident, all impacted customers will be contacted as soon as possible with the details and information available.

Follow-up notifications including updates and status updates will also be sent out until the incident resolution.

The severity level assigned during the initial assessment will then be discuss with the product and customer success managers before sending a nofication to the impacted customers.

Availability & Reliability

Monitoring

The availability and monitoring of the different services is managed via a combination of Datadog & Azure alerts.

Each Younium service has a dedicated set of monitoring alerts, these ones are based on fixed or dynamic metrics thresholds.

Custom logs generated by the application are processed and analyzed using the Datadog platform.

Scaling

The Younium architecture which combines a load balancer as an entry point and the Azure Paas services as the backend allows these different backend services to be scaled in case of performance issues or unexpected load increases.

Status 

On the link below, the status and health of Younium and its integrations is presented. Current and past incidents are listed on this page.

https://status.eu.younium.com/

 

Infrastructure

Azure Overview

Younium is using Microsoft Azure as a cloud hosting provider.

Azure is an industry-leading platform that provides built-in security controls and extensive auditing.

Test environments

Multiple environments are used for QA and validation purposes (none of these environments contains customer’s sensitive data).

CI/CD

The process involving the new release deployments is using automated CI/CD pipelines.

Before any changes can be deployed and hosted in the Younium cloud infrastructure any code changes has to go through a code review process and QA validation.

DevSecops

In addition to the required code review steps mentioned previously additional security scanning tools are included in the CI/CD process to detect vulnerabilities

Threat management

Penetration test

A yearly penetration test will be carried out by a third party. The outcome of the penetration test will be analysed and potential threats will be handled.

Subprocessors
Sub-processor Purpose of the Processing Categories of Personal Data Location
Cyclr Integration platform to enable Younium to setup integrations to customer specific applications.

Employees or consultants of the Controller

Controller’s users authorized by Controller to use the Services provided by Processor

Invoice contact persons of Controllers customer

UK
Datadog Cloud scale monitoring.

Controller’s users authorized by Controller to use the Services provided by Processor

Europe
FrontEgg Authentication platform to enable extended login functionality

Controller’s users authorized by Controller to use the Services provided by Processor

Europe
Microsoft Provider of the cloud computing platform

Employees or consultants of the Controller

Controller’s users authorized by Controller to use the Services provided by Processor

Invoice contact persons of Controllers customer

Europe
Pendo Product analytics and guides in application.

Controller’s users authorized by Controller to use the Services provided by Processor

Europe
Sendgrid E-mail delivery services for internal email to the Controller’s users (eg. Password reset) Controller’s users authorized by Controller to use the Services provided by Processor USA (EU Standard Contractual Clauses)
StartDeliver Customer success tool to onboard and maintain customers. Controller’s users authorized by Controller to use the Services provided by Processor

Europe