Information Security

    Products: Reviews
    Supported plans: Free, Starter, Pro, Premium, Enterprise
    eCommerce Platform: N/A

    This guide provides an overview of Yotpo's information security practices and protocols. 

    Server Security

    • Yotpo servers can only be accessed from the VPC (Virtual Private Cloud). 
    • To gain server access, authorized employees must provide their SSH key and username.
    • All SSH keys must be password-protected. 
    • The only employees who can access production servers are authorized members of Yotpo's Operations team, and when necessary, engineers who are granted access for a limited period in line with project duration. 
    • Server access is granted through the Vault security system.

    Network Security

    • To access the network, authorized employees are required to provide their OpenVPN private key, username, and password.
    • Full access to production servers is granted only to authorized members of Yotpo's Operations team. Developers and engineers may gain only limited access to production servers, via the Vault security system.
    • Because Yotpo fronts its services with an Application Load Balancer (ALB), the load balancer endpoints, on specific ports, are the only publicly accessible endpoints in the Yotpo network.
    • Each service type has its own Security Group, which defines the IP ranges and ports permitted to reach it.
    • All traffic between the ALBs and the outside world is encrypted with TLS (the listener policy supports the Protocol-TLSv1.2, Protocol-TLSv1.1 and Protocol-TLSv1 protocols and is updated to AWS's latest recommended policy).

    Application Security

    1. Yotpo uses OAuth2 authorization for application authentication. 
    2. A process is executed daily to identify all expired tokens and invalidate them accordingly.
    3. For each token, Yotpo records which IP address created it, when, and from which system (Widget or Admin).
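    A minimal illustration of items 2 and 3, added here as an example and not Yotpo's own code: an in-memory token store that records the creating IP address, time and issuing system for each token, and a daily sweep that invalidates every expired token. The store, token IDs and IP addresses are constructed for the example; expiry is also enforced on every use, so the sweep is housekeeping rather than the only control.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Token:
    token_id: str
    created_at: datetime
    expires_at: datetime
    created_ip: str   # IP address that requested the token
    source: str       # issuing system: "Widget" or "Admin"
    revoked: bool = False

class TokenStore:
    def __init__(self) -> None:
        self._tokens = {}      # token_id -> Token (constructed in-memory store)
        self.audit_log = []    # one line per issue/revoke event

    def issue(self, token_id: str, created_ip: str, source: str, ttl: timedelta, now: datetime) -> Token:
        if source not in ("Widget", "Admin"):
            raise ValueError(f"unknown issuing system: {source}")
        tok = Token(token_id, now, now + ttl, created_ip, source)
        self._tokens[token_id] = tok
        self.audit_log.append(f"ISSUE {token_id} ip={created_ip} source={source} at={now.isoformat()}")
        return tok

    def is_valid(self, token_id: str, now: datetime) -> bool:
        # Expiry is checked on every use, independently of the daily sweep.
        tok = self._tokens.get(token_id)
        return tok is not None and not tok.revoked and now < tok.expires_at

    def sweep_expired(self, now: datetime) -> list:
        """Daily job: find every token whose expiry has passed and invalidate it."""
        revoked = []
        for tok in self._tokens.values():
            if not tok.revoked and tok.expires_at <= now:
                tok.revoked = True
                revoked.append(tok.token_id)
                self.audit_log.append(f"REVOKE {tok.token_id} ip={tok.created_ip} source={tok.source}")
        return revoked

def demo_sweep() -> dict:
    """Constructed scenario: two tokens issued on day 0, the daily sweep runs on day 1."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = TokenStore()
    store.issue("tok-widget", "203.0.113.10", "Widget", timedelta(hours=12), t0)
    store.issue("tok-admin", "198.51.100.7", "Admin", timedelta(days=7), t0)
    rejected_before_sweep = not store.is_valid("tok-widget", t0 + timedelta(hours=13))
    revoked = store.sweep_expired(t0 + timedelta(days=1))
    return {"revoked": revoked, "rejected_before_sweep": rejected_before_sweep,
            "admin_still_valid": store.is_valid("tok-admin", t0 + timedelta(days=1)),
            "log_lines": len(store.audit_log)}
```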

    Full System Encryption

    • Full system encryption replaces the previous PII-only encryption and leverages the cloud infrastructure used by Yotpo.
    • Yotpo stores encryption keys in AWS KMS.
    • Yotpo encrypts all of its AWS storage, using a dedicated key for each storage service.
    • Access to the KMS service configurations is granted exclusively to authorized members of Yotpo's Operations team. 
    • All backups are encrypted as well.

    Data Security

    • Yotpo grants only authorized, time-limited (2 hours) access to the “read-only, no PI” databases of the system.
    • Every query performed by Yotpo employees on the main database is logged.
