Data security and privacy
Data encryption
Yarnmill utilizes industry-standard practices for encrypting data at rest and in transit. Yarnmill also has a documented cryptography policy that outlines the requirements for encrypting data and transmissions.
Encryption at rest
All data, including backups, is encrypted at-rest using AES-256 encryption.
Encryption in transit
Data is encrypted while moving between us and the browser with Transport Layer Security (TLS) 1.2.
Secure Sockets Layer
Secure Sockets Layer (SSL) certificates are issued and managed through Amazon Web Services, and HTTP Strict Transport Security (HSTS) is enabled. We score an A+ rating on Qualys SSL Labs tests.
Data retention
Deleting data
Users can delete projects and project data within Yarnmill if they have the correct access rights. Deleted project data is kept for up to 90 days before it is permanently deleted. It can take up to 60 days for all data to be removed from backups.
Deleting workspaces
Users can delete their entire Yarnmill workspace if they have the correct access rights. This will delete all data that you have provided to Yarnmill. It can take up to 60 days for all data to be removed from backups.
Subscription cancellation
Following the cancellation of a Yarnmill subscription, you will have at least 30 days to download your customer data from Yarnmill. After this period, we have no obligation to maintain or provide any customer data to you. We may delete all customer data provided to us after this period.
Free subscriptions
For Free Plans, data will be retained in the workspace until a cancellation is submitted (in accordance with Section 8.3 of our Master Subscription Agreement). Yarnmill reserves the right to, upon prior written notice to Customer, delete accounts for Free Plans (and all Customer Data contained therein) that have been inactive for more than 90 days.
Subprocessors
To support delivery of our Services, Yarnmill may engage and use data processors with access to certain Customer Data or Personal Information (each, a “Subprocessor”). This page provides information about each Subprocessor. Please email security@yarnmill.com if you have any questions.
Amazon Web Services aws.amazon.com
- Location: Seattle, United States (or Ireland where Customer elects to store certain workspace data in the EU – see further information about our data storage options here).
- Security certifications: Privacy Shield, ISO27001, SOC3.
- Data processed: User-added content
- Use: Video processing, data storage
- DPA signed: Yes – incorporated into terms.
Vercel vercel.com
- Location: Covina, United States.
- Security certifications: ISO27001, SOC2.
- Data processed: User-added content
- Use: Data storage, backups, CDN, DNS, SSL, domain management, emails.
- DPA signed: Yes – incorporated into terms.
Google Cloud cloud.google.com
- Location: Seattle, United States (or Ireland where Customer elects to store certain workspace data in the EU – see further information about our data storage options here).
- Security certifications: Privacy Shield, ISO27001, SOC3.
- Data processed: Anonymized content, user-added content, email address, IP address.
- Use: Data storage, backups, CDN, DNS, SSL, domain management, emails.
- DPA signed: Yes – incorporated into terms.
Recall recall.ai
- Location: San Francisco, United States.
- Security certifications: ISO27001.
- Data processed: Video & audio.
- Use: Live streaming video.
- DPA signed: No.
MUX mux.com
- Location: San Francisco, United States.
- Security certifications: ISO27001.
- Data processed: Video.
- Use: Live streaming video.
- DPA signed: Yes – incorporated into terms.
AssemblyAI assembly.ai
- Location: San Francisco, United States (or Ireland where Customer elects to store certain workspace data in the EU – see further information about our data storage options here).
- Security certifications: SOC2.
- Data processed: Audio.
- Use: Audio transcription.
- DPA signed: No.
Stripe stripe.com
- Location: San Francisco, United States.
- Security certifications: PCI.
- Data processed: Billing contact name, email, address, card details.
- Use: Payment processing and subscription management.
- DPA signed: Yes – 18 December 2020.
Data breach disclosure
Data breaches are an unfortunate reality, affecting many organizations every year.
As a result, Yarnmill is committed to taking all commercially reasonable measures to secure your customer data. This is why we are fully transparent about our security practices: to give you confidence in the infrastructure, processes, tooling, and policies that safeguard your data.
Yarnmill has not had an identified data breach since commencing operations. In the unlikely event of a data breach, Yarnmill is prepared to take steps to limit the effects of any data breach and to assist any customers potentially affected by a data breach with meeting their obligations under law.
Data breach definition
Yarnmill defines a data breach as any accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, customer data.
Notification
Yarnmill will notify customers without undue delay after becoming aware of a data breach. Customers will be contacted by email and phone (when provided), followed by periodic updates throughout each day on progress and impact.
Australian Privacy Act
As an Australian-based business, Yarnmill is obligated to comply with the Australian Privacy Act. Under the Notifiable Data Breaches scheme Yarnmill must notify individuals about an eligible data breach when:
- there is unauthorized access to or unauthorized disclosure of personal information, or a loss of personal information, that Yarnmill holds;
- this is likely to result in serious harm to one or more individuals; and
- Yarnmill hasn't been able to prevent the likely risk of serious harm with remedial action.
Logical separation
Yarnmill utilizes a multi-tenant architecture where all customers share the same computing resources. Logical separation of data between customers and correct access is enforced through PostgreSQL Row Level Security (RLS). Transaction-scoped configuration variables are leveraged in RLS policies to ensure the correct access permissions.
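As an added illustration of the pattern described above (this is not Yarnmill's own schema), the following PostgreSQL SQL isolates tenants with a Row Level Security policy that reads the tenant id from a transaction-scoped setting; the table, column, role and setting names are assumptions:

```sql
-- Added example, not Yarnmill's code. Assumed names: table projects,
-- column workspace_id, role app_user, setting app.current_workspace.
CREATE ROLE app_user NOLOGIN;

CREATE TABLE projects (
    id           bigserial PRIMARY KEY,
    workspace_id uuid NOT NULL,
    name         text NOT NULL
);

GRANT SELECT, INSERT, UPDATE, DELETE ON projects TO app_user;

-- Enable RLS and also apply it to the table owner, so a connection that
-- happens to own the table does not silently bypass the policy.
ALTER TABLE projects ENABLE ROW LEVEL SECURITY;
ALTER TABLE projects FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) returns NULL when the setting has never been
-- set in this session, but '' once it has been set and then reverted at the
-- end of a transaction. NULLIF folds both cases to NULL, so a request that
-- forgot to set its tenant matches no rows (fail closed) instead of
-- raising a cast error or, worse, seeing every tenant's data.
CREATE POLICY workspace_isolation ON projects
    FOR ALL TO app_user
    USING (workspace_id =
           NULLIF(current_setting('app.current_workspace', true), '')::uuid)
    WITH CHECK (workspace_id =
           NULLIF(current_setting('app.current_workspace', true), '')::uuid);

-- Per-request usage (the application connects as app_user). SET LOCAL is
-- scoped to the enclosing transaction, so the value is discarded at
-- COMMIT or ROLLBACK and cannot leak to the next request that reuses the
-- same pooled connection.
BEGIN;
SET LOCAL app.current_workspace = '11111111-1111-1111-1111-111111111111';
-- Only rows whose workspace_id matches the setting are visible.
SELECT id, name FROM projects;
-- WITH CHECK rejects writes whose workspace_id differs from the setting,
-- so a bug that builds a row for another tenant fails instead of crossing
-- the tenant boundary.
INSERT INTO projects (workspace_id, name)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Spring collection');
COMMIT;
```

After COMMIT, `current_setting('app.current_workspace', true)` returns '' for this connection, so a query issued without a new SET LOCAL returns no rows rather than another tenant's.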
Software development life cycle
Yarnmill maintains documented Software Development Life Cycle (SDLC) policies and procedures to guide developers in implementing and documenting application and infrastructure changes.
Development environments
All code is deployed and tested in a staging (development) environment that is functionally equivalent to the production environment. Yarnmill performs testing and quality assurance procedures in this staging environment before releasing to the production environment that is used by customers. No customer data is ever used in, or accessible from, staging or local development environments.
Version control
Yarnmill employs Git version control to maintain source code versions and manage the migration of source code through the development process through to release. Using a decentralized version control system allows multiple developers to work simultaneously on features, bug fixes, and new releases; it also allows each developer to work on their own local code branches in a local environment. Git maintains a history of code changes, supports rollback, and attributes changes to individually identifiable developers.
All code is written, tested, and saved in a local repository before being synced to the origin repository. Writing code locally decouples the developer from the production version of the Yarnmill code base and insulates Yarnmill from accidental code changes that could affect users. Any changes involving the persistence layer (database) are performed locally when developing new code, where errors or bugs can be spotted before the change is deployed to users.
Code review
Code changes are managed and reviewed through Git pull requests. Every pull request is manually reviewed and approved by two developers before it can be merged. Automatic and integrated testing is also performed with each pull request, and all tests must pass before a code change can be merged.
Developers are trained in evaluating code for security defects as part of code review, and automatic testing is employed to test against common security defects.
Security bugs
Security bugs represent key issues and should be resolved quickly to maintain the security, confidentiality, privacy, processing integrity, and availability of the Yarnmill service. Yarnmill has SLAs in place to enforce compliance with resolving security bugs within reasonable timelines.