Security at Yori

Last updated: May 9, 2026

Draft notice: This is a draft policy. Please have it reviewed by qualified counsel before relying on it commercially.

Security and the trust of our customers' businesses are foundational to Yori. This page describes the technical and organisational measures we use to protect your data.

1. Architecture

Yori is a cloud-hosted SaaS application. Application servers, database, and background workers run in isolated environments with least-privilege access policies. We separate production from non-production environments and never use real customer data in development.

2. Encryption in transit and at rest

All traffic between your browser and Yori is encrypted with TLS 1.2 or higher. Data at rest in our managed database and object storage is encrypted using AES-256.

3. OAuth & Google API scopes

We connect to your Google Business Profile via OAuth 2.0. We request only the scopes required to read your reviews and post replies (primarily business.manage). We never request scopes beyond what is necessary, and you can revoke our access at any time from your Google account settings.

4. Authentication

Customer authentication is handled through a managed identity provider that supports email/password and social sign-in with industry-standard password hashing and account-recovery flows. We strongly recommend enabling multi-factor authentication.

5. Access controls

Access to production systems is restricted to a small number of engineers, requires multi-factor authentication, and is logged. Engineers access customer data only when necessary to support, debug, or operate the service, and only with appropriate authorisation.

6. Hosting & subprocessors

Production infrastructure runs on tier-1 cloud providers in regions chosen for availability and data-protection compliance. We maintain a list of subprocessors (hosting, database, AI model providers, payment processing, error monitoring) and update it as it changes; an up-to-date list is available on request.

7. Vulnerability reporting

If you believe you have found a security issue in Yori, email security@yori.app with reproduction steps. We commit to acknowledging reports within two business days and to working with researchers in good faith. Please do not publicly disclose issues before we've had a reasonable chance to remediate.

8. Incident response

We maintain an incident-response plan covering detection, containment, eradication, recovery, and customer notification. In the event of a confirmed breach affecting your data, we will notify affected customers without undue delay in accordance with applicable law.

9. Compliance roadmap

Yori is on a path toward SOC 2 Type II readiness. We already follow many of the underlying controls and intend to formalise our attestation as the company scales. Customers with specific compliance requirements are welcome to email us to discuss.

10. Contact

Security questions or concerns? Email security@yori.app.