Committed to protecting your data

Serious about security. An automated audit platform you can trust.

ISO 27001 & SOC2 certification

At Yellow Canary, integrity is at the heart of our values, driving our unwavering commitment to protecting our clients’ data. As the first payroll compliance technology provider in Australia to achieve and uphold both ISO 27001 and SOC 2 certifications, we ensure the highest security standards through extensive protocols.

AWS

Secure and reliable data hosting on Amazon Web Services (AWS)

Protocols

Robust disaster recovery processes including regional recovery protocols

Backups

Frequent data backups automated daily and encrypted

2 Factor

Mandatory two-factor authentication for both new and existing users

Frequently asked questions

Yellow Canary data is hosted on Amazon Web Services (AWS) in the Asia Pacific region. What if Yellow Canary becomes unavailable in the AWS APAC region?

Yellow Canary’s platform is hosted in the AWS Asia Pacific (Sydney) region.  

Our infrastructure is designed with resilience and business continuity in mind, including:

  • Deployment across multiple availability zones within the region for high availability
  • Automated daily backups, encrypted and stored separately
  • A documented Disaster Recovery Plan, including regional recovery protocols

While full regional outages in AWS are incredibly rare, we treat them seriously. We follow an internal incident response process to coordinate restoration and communication. Our aim is to reduce downtime and maintain service continuity, even in extreme edge cases.

Will third-party vendors have access to users’ data and/or systems?

No, third-party vendors do not have direct access to user data or systems. In limited cases, we may engage third-party sub-processors (such as infrastructure or support tooling providers) to help us deliver our services. These vendors operate under strict data processing agreements, and we only use providers that meet our security, privacy, and compliance standards. A full list of sub-processors and the nature of their services is available on request. We’re happy to walk you through how we manage third-party risk and ensure your data stays secure.

Is your business PCI compliant, and what processes are in place to ensure users’ card data is protected?

Yellow Canary does not store, process, or transmit payment card data as part of our core platform services, so PCI DSS compliance is not applicable to our environment.

Do you have a vulnerability management program in place to resolve your critical, high and medium risk issues?

Yes. Yellow Canary maintains a formal Vulnerability Management Program as part of our ISO 27001:2022 and SOC 2 Type II controls:

  • We run continuous vulnerability scanning, conduct regular external penetration testing, and track remediation through our internal issue management process.
  • Critical and High-risk vulnerabilities are triaged and addressed on an accelerated timeline, with prompt patching or mitigation.
  • Medium-risk issues are reviewed and resolved as part of our standard release cycle.

All vulnerabilities are tracked through to closure, and remediation actions are logged, verified, and auditable. We also subscribe to threat intelligence feeds to ensure our stack is protected against emerging threats.

How often does Yellow Canary conduct internal and independent audits?

Yellow Canary conducts internal audits annually as part of our ISO 27001:2022 Information Security Management System (ISMS). These audits assess the effectiveness of our controls, risk management processes, and compliance obligations.

We also undergo independent third-party audits annually to maintain our SOC 2 Type II and ISO 27001:2022 certifications. These external audits provide assurance that our security, availability, and confidentiality controls are operating effectively over time.

Audit findings are tracked through our governance process, and we maintain an active program of continuous improvement.

Do you provide facilities for clients to obtain a full and complete backup of all their data stored by your service?

Yes. Yellow Canary provides clients with access to complete exports of their data upon request. We support structured data extracts in CSV format to facilitate offboarding, auditing, or integration purposes. These exports include all relevant customer-submitted data as well as results processed within the platform. In addition, we maintain automated daily backups of customer data as part of our internal resilience and disaster recovery program. These backups are encrypted and stored securely in AWS across multiple availability zones. If you need a full data export, our team can coordinate secure delivery via a mutually agreed method.

Does Yellow Canary encrypt my data in transit and at rest?

Yes, data is encrypted both in transit and at rest. Secure encrypted transfer of documents and confidential or sensitive information over the internet is facilitated using current secure protocols, such as SFTP. To protect data at rest, all restricted or confidential data is always encrypted using strong encryption methods such as Advanced Encryption Standard (AES).