Contents x
      Information Security
          Contents

          Information Security

              Article summary

              Products


              Reviews
              Supported plans

              Free, Starter, Pro, Premium, Enterprise

              eCommerce Platform

              N/A

              This guide provides an overview of Yotpo's information security practices and protocols. 

              Server Security

              • Yotpo servers can only be accessed from the VPC (Virtual Private Cloud). 
              • To gain server access, authorized employees must provide their SSH key and username.
              • All SSH keys must be password-protected. 
              • The only employees who can access production servers are authorized members of Yotpo's Operations team, and when necessary, engineers who are granted access for a limited period in line with project duration. 
              • Server access is gained via Vault security system. 

              Network Security

              • To access the network, authorized employees are required to provide their OPENVPN private key, username, and password. 
              • Full access to production servers is only granted to authorized members of Yotpo's Operation team. Developers and engineers may only gain limited access to production servers via Vault security.
              • As Yotpo utilizes an Application Load Balancing ELB, load balancing endpoints with specific ports are the only publicly accessible endpoints in the Yotpo network.  
              • Each service type maintains a Security Group type which defines IP and port access.
              • All traffic from ALBs to the outside world is conducted over SSL (supports Protocol-TLSv1.2, Protocol-TLSv1.1 and Protocol-TLSv1 protocols and is updated to AWS’s latest recommended protocol). 

              Application Security

              1. Yotpo uses OAuth2 authorization for application authentication. 
              2. A process is executed daily to identify all expired tokens and invalidate them accordingly.
              3. For each token, we know which IP created it when and from what system (Widget/Admin). 

              Full System Encryption

              • It comes to replace the only PII security and to leverage the cloud infrastructure used by Yotpo. 
              • Yotpo stores encryption keys in AWS/KMS
              • Yotpo encrypts all of its AWS storage using dedicated keys for each storage. 
              • Access to the KMS service configurations is granted exclusively to authorized members of Yotpo's Operations team. 
              • All backups are encrypted as well.

              Data Security

              • Yotpo allows only permitted and limited (2H) access to the “read-only no PI” databases of the system. 
              • Every query performed by Yotpo employees on the main database is logged.
              Was this article helpful?
              What's Next

              PRODUCT

              RESOURCES

              PARTNERSHIPS

              COMPANY

              SUPPORT

              footer-logo

              Terms of Service

              Terms of Use

              Security

              Privacy Policy