Menu
HomePricing
Get Started Free

Security

Last updated: February 19, 2026

Our Commitment

At Yander, security is foundational to our platform. We protect your data with enterprise-grade security measures across every layer of our infrastructure, from encryption and authentication to strict tenant isolation and monitoring.

This page provides an overview of how we safeguard your organization's data. If you have specific security questions or need documentation for your procurement process, reach out to our team at jordan@yanderlabs.com.

Infrastructure

Yander is hosted on Railway, which runs on top of Amazon Web Services (AWS) infrastructure in the US-East-1 region. Our production environment includes managed PostgreSQL with pgvector for AI workloads and Redis for task queuing and background job management.

All application services run in isolated containers with no shared state between tenants at the infrastructure level. Our deployment pipeline enforces immutable builds, meaning every release is a fresh container image with no carryover from previous deployments.

Encryption

We apply encryption to your data both at rest and in transit:

  • At rest: All data is encrypted using AES-256 encryption via our infrastructure provider (Railway on AWS), the same standard used by financial institutions and government agencies.
  • In transit: All network communication is secured with TLS 1.3 via our edge proxy. Every connection to our API, dashboard, and third-party integrations is encrypted.
  • OAuth tokens: Integration credentials are managed by our sub-processor Nango, which handles OAuth token storage and rotation separately from our application database.
  • Database connections: All connections between our application services and database are encrypted via SSL.

Authentication and Access Control

Yander uses Clerk for authentication, providing a hardened, purpose-built identity layer with support for Single Sign-On (SSO), multi-factor authentication (MFA), and enterprise identity providers.

  • JWT validation is enforced on every protected API endpoint with no exceptions.
  • Role-based access control (RBAC) governs what each user can see and do within your organization, with four permission tiers: owner, admin, staff, and bot.
  • Multi-factor authentication is available for all accounts and can be enforced at the organization level.
  • Session management includes automatic token rotation and configurable session lifetimes.

Tenant Isolation

Yander operates a multi-tenant architecture with strict logical data isolation. Every database query is filtered by a tenant identifier that is extracted directly from the authenticated JWT — never from client-supplied input. This means there is no code path through which one organization can access another's data.

As an additional safeguard, any attempt to access resources belonging to another tenant returns a 404 (Not Found) response rather than a 403 (Forbidden), preventing any information leakage about the existence of other organizations or their data.

Each organization operates within its own data boundary, with complete separation of entities, scores, integration credentials, and configuration.

Data Handling

When you connect workplace tools, Yander collects and processes communication content to power AI-driven team intelligence. This includes email content, Slack messages, calendar event details, meeting transcripts, and document text from connected tools.

This data is processed by AI models to extract:

  • Collaboration patterns (how often and when people interact)
  • Relationship mapping (who works with whom across teams)
  • Engagement signals (response patterns, meeting participation, activity trends)
  • Key facts and context (project involvement, expertise areas)

Raw communication content is never displayed in the dashboard. Only AI-extracted insights, scores, and summaries are surfaced to users. Yander employees do not review your raw communication content except as necessary for technical support with your explicit consent.

Logging and Monitoring

Our logging infrastructure is designed to minimize the presence of personally identifiable information. Application logs primarily contain anonymized identifiers such as tenant IDs and entity IDs rather than customer names or email addresses.

All logs include structured request tracing with request IDs and duration metrics, enabling rapid incident investigation while limiting exposure of personal information.

Error monitoring is handled through Sentry. On the frontend, session replays are masked and only anonymized user identifiers are transmitted. On the backend, error events are filtered to reduce noise and limit the inclusion of sensitive data in error reports.

Data Retention and Deletion

  • Customer data is retained for the duration of your active subscription.
  • Upon a verified deletion request, all associated data is permanently removed within 30 days.
  • Automated data lifecycle management ensures that temporary and intermediate processing data does not persist beyond its useful life.
  • We support the right to data portability — you can request a full export of your organization's data in JSON format at any time.

Incident Response

We maintain a structured incident response process to detect, respond to, and recover from security events:

  • Automated error detection and alerting through Sentry surfaces issues in real time.
  • Critical issues are triaged and acknowledged within 24 hours.
  • In the event of a confirmed data breach, affected customers are notified within 72 hours in accordance with GDPR requirements.
  • Every significant incident undergoes a post-incident review to identify root causes and implement preventive measures.

Compliance

Yander is built with regulatory compliance as a core requirement, not an afterthought:

  • GDPR: We are GDPR-ready with a Data Processing Agreement (DPA) available for all customers. Our DPA covers data processing terms, sub-processor lists, and your rights as a data controller.
  • International transfers: Standard Contractual Clauses (SCCs) are included in our DPA for lawful transfer of personal data outside the European Economic Area.
  • SOC 2 Type II: We are actively pursuing SOC 2 Type II certification to formally validate our security, availability, and confidentiality controls.
  • We conduct regular internal security assessments and review our practices against industry standards.

Sub-Processors

We use a limited set of third-party service providers (sub-processors) to deliver our platform. Each sub-processor is vetted for security practices and bound by data processing agreements.

Sub-ProcessorPurposeLocation
Railway (AWS)Application hosting, database, and RedisUS
ClerkAuthentication and user managementUS
NangoOAuth and integration API proxyUS/EU
OpenRouterLLM inference (AI processing)US
StripePayment processingUS
SentryError monitoring (no PII)US
PostHogProduct analytics (anonymous events)US/EU

A complete and up-to-date list of sub-processors is maintained in our Data Processing Agreement.

Responsible Disclosure

We value the work of security researchers who help keep our platform and users safe. If you discover a vulnerability in Yander, we encourage you to report it to us responsibly.

  • Report vulnerabilities to jordan@yanderlabs.com with a detailed description of the issue.
  • We take all reports seriously and will acknowledge receipt within 48 hours.
  • We will not pursue legal action against researchers who act in good faith, follow responsible disclosure practices, and avoid accessing or modifying other users' data.

Contact

Have questions about our security practices or need documentation for your security review? We are here to help.

Yander Labs, Inc.

2261 Market Street STE 46212

San Francisco, CA 94114

Security inquiries: jordan@yanderlabs.com

Legal and privacy: jordan@yanderlabs.com