Yes, data is encrypted both in transit and at rest. Secure encrypted transfer of documents and confidential or sensitive information over the internet is facilitated using current secure protocols, such as SFTP. To protect data at rest, all restricted or confidential data is always encrypted using strong encryption methods such as Advanced Encryption Standard (AES).

Yes. Yellow Canary provides clients with access to complete exports of their data upon request. We support structured data extracts in CSV format to facilitate offboarding, auditing, or integration purposes. These exports include all relevant customer-submitted data as well as results processed within the platform. In addition, we maintain automated daily backups of customer data as part of our internal resilience and disaster recovery program. These backups are encrypted and stored securely in AWS across multiple availability zones. If you need a full data export, our team can coordinate secure delivery via a mutually agreed method.

Yellow Canary conducts internal audits annually as part of our ISO 27001:2022 Information Security Management System (ISMS). These audits assess the effectiveness of our controls, risk management processes, and compliance obligations.

We also undergo independent third-party audits annually to maintain our SOC 2 Type II and ISO 27001:2022 certifications. These external audits provide assurance that our security, availability, and confidentiality controls are operating effectively over time.

Audit findings are tracked through our governance process, and we maintain an active program of continuous improvement.

Yes. Yellow Canary maintains a formal Vulnerability Management Program as part of our ISO 27001:2022 and SOC 2 Type II controls:

• We run continuous vulnerability scanning, conduct regular external penetration testing, and track remediation through our internal issue management process.
• Critical and High-risk vulnerabilities are triaged and addressed on an accelerated timeline, with prompt patching or mitigation.
• Medium-risk issues are reviewed and resolved as part of our standard release cycle.

All vulnerabilities are tracked through to closure, and remediation actions are logged, verified, and auditable. We also subscribe to threat intelligence feeds to ensure our stack is protected against emerging threats.

Yellow Canary does not store, process, or transmit payment card data as part of our core platform services, so PCI DSS compliance is not applicable to our environment.

No, third-party vendors do not have direct access to user data or systems. In limited cases, we may engage third-party sub-processors (such as infrastructure or support tooling providers) to help us deliver our services. These vendors operate under strict data processing agreements, and we only use providers that meet our security, privacy, and compliance standards. A full list of sub-processors and the nature of their services is available on request. We’re happy to walk you through how we manage third-party risk and ensure your data stays secure.

Yellow Canary’s platform is hosted in the AWS Asia Pacific (Sydney) region.  

Our infrastructure is designed with resilience and business continuity in mind, including:

• Deployment across multiple availability zones within the region for high availability
• Automated daily backups, encrypted and stored separately
• A documented Disaster Recovery Plan, including regional recovery protocols
• While full regional outages in AWS are incredibly rare, we treat them seriously. We follow an internal incident response process to coordinate restoration and communication.  
• Our aim is to reduce downtime and maintain service continuity, even in extreme edge cases.

Yellow Canary can be accessed on all the latest versions of modern browsers including Chrome, FireFox, Safari, Microsoft Edge.