Yazi Security and Data Management Policies
Access Control Policy
Introduction
Yazi ensures that access to its systems and data is tightly controlled and monitored to maintain security and compliance with relevant regulations. This policy outlines the access control mechanisms in place.
Access Control Principles
Role-Based Access Control (RBAC): Access is granted based on the role of the individual within the organisation, ensuring that users only have access to the data and systems necessary for their role.
Least Privilege: Users are granted the minimum level of access required to perform their job functions.
Separation of Duties: Critical tasks are divided among multiple individuals to prevent fraud and errors.
Access Levels
Administrator: Full access to all systems and data, including the ability to grant and revoke access.
Manager: Access to management-related data and systems, with the ability to approve access requests.
User: Access to specific data and systems required for daily operations.
Guest: Limited access for temporary or external users, restricted to specific, non-sensitive data.
Granting Access
Access Request: Users must submit an access request form, specifying the required access level and justification.
Approval Process: Access requests are reviewed and approved by a manager and an administrator.
Access Provisioning: Once approved, access is granted by the administrator and logged for auditing purposes.
Monitoring and Auditing
Access Logs: All access events are logged, including login attempts, access to sensitive data, and changes to access permissions.
Regular Audits: Access logs are reviewed regularly to detect any unauthorised access or anomalies.
Incident Response: Any suspicious activity is investigated immediately, and corrective actions are taken.
Environment Access Policy
Introduction
Yazi maintains separate environments for development, testing, and production to ensure security and stability. This policy outlines the access controls for each environment.
Environment Overview
Development Environment: Used for coding and initial testing of new features.
Testing Environment: Used for quality assurance and performance testing.
Production Environment: Used for live operations and customer-facing services.
Access Controls
Development Environment: Access is limited to developers and authorised personnel. All changes are logged and reviewed.
Testing Environment: Access is restricted to QA engineers and authorised personnel. Data used in this environment is anonymised.
Production Environment: Access is strictly controlled and limited to senior administrators. All access events are logged and audited.
Access Procedures
Requesting Access: Users must submit an access request form, specifying the environment and justification.
Approval Process: Access requests are reviewed and approved by a manager and an administrator.
Provisioning Access: Access is granted by the administrator and logged for auditing purposes.
Monitoring and Auditing
Access Logs: All access events are logged and reviewed regularly.
Incident Response: Any unauthorised access is investigated immediately, and corrective actions are taken.
Data Ownership Policy
Introduction
This policy defines the ownership and responsibilities related to data collected and processed by Yazi.
Data Ownership
Client Ownership: All data collected through Yazi's platform is owned by the client. Yazi acts as a data processor on behalf of the client.
Responsibility: Clients are responsible for ensuring the data they collect complies with relevant laws and regulations.
Yazi Responsibilities
Data Processing: Yazi processes data according to client instructions and ensures data security and privacy.
Compliance: Yazi complies with all relevant data protection laws and regulations.
Support: Yazi provides tools and support for clients to manage their data effectively.
Data Anonymisation Guide
Introduction
This guide outlines the methods used by Yazi to anonymise data, ensuring privacy and compliance with data protection regulations.
Anonymisation Techniques
Data Masking: Replacing sensitive data with fictional but realistic data.
Aggregation: Combining data from multiple sources to prevent identification of individuals.
Tokenisation: Replacing sensitive data with unique identifiers that have no meaningful value outside the system.
Implementation Process
Identify Sensitive Data: Determine which data elements need to be anonymised.
Select Technique: Choose the appropriate anonymisation technique based on the data and use case.
Apply Anonymisation: Implement the chosen technique and verify that the data is anonymised.
Review and Update: Regularly review the anonymisation process and update as necessary to ensure continued compliance.
Compliance
Regulations: Ensure all anonymisation processes comply with relevant data protection laws, such as GDPR.
Auditing: Conduct regular audits to verify that anonymisation techniques are effective and compliant.
Yazi Cloud Hosting Document
Introduction
Yazi uses AWS for cloud hosting, providing a secure and scalable environment for its platform.
Cloud Hosting Overview
Provider: AWS
Regions: Data is stored in various AWS regions based on client requirements, including US East (N. Virginia), EU (Frankfurt), and APAC (Sydney).
Services Used: EC2, S3, RDS, DynamoDB, and other AWS services.
Security Measures
Encryption: All data is encrypted at rest and in transit using industry-standard encryption techniques.
Access Control: Strict access controls are enforced using AWS IAM roles and policies.
Monitoring: Continuous monitoring of AWS resources using CloudWatch, GuardDuty, and other AWS security tools.
Compliance
Certifications: AWS compliance certifications, such as ISO 27001, SOC 2, and GDPR, are leveraged to ensure data security.
Audits: Regular security audits are conducted to ensure compliance with relevant regulations.
Data Handling Policy
Introduction
This policy outlines how Yazi handles personal and regulated data to ensure privacy and compliance with data protection laws.
Data Collection
Consent: Data is collected only with explicit consent from individuals.
Purpose: Data is collected for specific, legitimate purposes and not used for any other purposes without additional consent.
Data Storage
Encryption: All personal and regulated data is encrypted at rest and in transit.
Access Control: Access to data is restricted based on role and necessity.
Data Processing
Minimisation: Only the minimum amount of data necessary for the intended purpose is processed.
Anonymisation: Data is anonymised whenever possible to protect individual privacy.
Data Deletion
Retention Period: Data is retained only for as long as necessary to fulfil the purposes for which it was collected.
Deletion Process: Data is securely deleted when no longer needed, using industry-standard methods to ensure it cannot be recovered.
Compliance
Regulations: All data handling practices comply with relevant data protection laws, such as GDPR and CCPA.
Auditing: Regular audits are conducted to ensure compliance and identify areas for improvement.
Data Collection Policy
Introduction
This policy describes how Yazi collects data, including user preferences, usage behaviour, location, and device type.
Data Collection Methods
Active Collection: Data collected directly from users through forms, surveys, and other input methods.
Passive Collection: Data collected automatically through cookies, web beacons, and similar technologies.
Types of Data Collected
User Preferences: Information about user settings and preferences.
Usage Behaviour: Data on how users interact with the platform, including page views, clicks, and time spent.
Location: Geographic location data based on IP address or GPS.
Device Type: Information about the device used to access the platform, such as operating system and browser.
Data Use
Analytics: Data is used to improve the platform and enhance user experience.
Personalisation: Data is used to provide personalised content and recommendations.
Security: Data is used to detect and prevent fraudulent activity.
Compliance
Consent: Users are informed about data collection practices and must provide consent.
Privacy Policy: A detailed privacy policy is available to users, explaining how data is collected, used, and protected.
Data Encryption Policy
Introduction
This policy outlines the encryption methods used by Yazi to protect data at rest and in transit.
Encryption at Rest
Techniques: Data is encrypted using AES-256 encryption.
Key Management: Encryption keys are managed using AWS Key Management Service (KMS) to ensure secure storage and rotation.
Encryption in Transit
Techniques: Data is encrypted using TLS 1.2 or higher during transmission.
End-to-End Encryption: Ensures data remains encrypted from the source to the destination.
Implementation
Systems: All databases, file storage systems, and backups are encrypted.
Communication: All API calls, web traffic, and data transfers are encrypted.
Compliance
Standards: Encryption practices comply with industry standards such as NIST and ISO.
Audits: Regular security audits are conducted to ensure encryption methods remain effective and compliant.
Last updated