How is security managed on Yovale services?

Yovale takes your security and the security of your website visitors very seriously. Our team has implemented security best practices at every level.

Security Practices In Our Team

Our whole team implements strict security practices regarding how they access their accounts:

  • Our SSH keys are all password-protected
  • Yovale has always refused to sell any data, and our policy is to respect your data privacy. Our business model is based on paid Yovale subscriptions, not on your data
  • Two-factor authentication on third-party services
  • All the features are designed around security and reliability
  • Every computer running Yovale development tools is secured, up to date, and encrypted
  • All Yovale employees, agents, and service providers are trained in data-security practices.
  • Security policies are regularly reviewed for all employees and relevant subcontractors and infrastructure service providers
  • Employees who can access customer data via our internal system have different security levels. We make sure they only have access to relevant data (i.e. no chat messages, no end-customer data). The internal system has different permission levels, access logs, TOTP, rate limits, and safety checks.
  • We don’t keep any servers or security keys on site; this way, Yovale and your data are not at risk in case of an intrusion in our offices.
  • Yovale uses encrypted backups so we are able to recover customer data in case of emergency.

Encryption and transport layer security

HTTPS and HSTS for secure connections

Yovale forces HTTPS for all services using TLS (SSL), including our public website and the admin dashboard.

  • Strong TLS keys: RSA, 2048 bits
  • Elliptic-Curve Cryptography
  • Forward-Secrecy with Diffie-Hellman parameters

These practices allow you and your users to stay safe:

  • Hide the data as it is being transmitted on the network
  • Prevent all modification of data as it is being transmitted on the network
  • Prevent MITM (man-in-the-middle) attacks
  • Allow the service to work on restricted networks, over strict proxies

Payments and paid plans

When you upgrade or purchase a plan using a credit/debit card or PayPal account, the payments are handled by our service providers, as listed below:

  • Stripe (credit/debit, global except India)
  • PayPal (global)
  • RazorPay (for India and other Asian countries)
  • BitPay (for crypto payments)

Encryption of sensitive data and communication 

All payments are processed through our partner Stripe, and card numbers are encrypted at rest with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons can obtain plaintext card numbers, but they can request that cards be sent to a service provider on a static allowlist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in a separate hosting environment and doesn’t share any credentials with Stripe’s primary services (API, website, etc.).

Payment gateway security for our users/creators

When you enable payment features or e-commerce for accepting payments on your website, you need to enable the payment gateways.

All payment gateway providers, like Stripe, PayPal, RazorPay, Mollie and 2checkout, are Level 1 PCI DSS compliant, ISO-certified companies. They follow the best security practices in the industry.

For the data processing agreement and privacy policy, please visit the respective provider's website.

At our end, we make sure the integration with these payment gateways is always up to date and that data is transferred securely over the network for processing payments and other financial data transfers. You can read more about the encryption and data transfer policy on this page.

Infrastructure Hardening

Server hardening is also critical in ensuring the best security for our users.

Here are some of our practices in terms of infrastructure management:

  • All the servers and services are running the latest security updates and are patched immediately when a kernel vulnerability is published
  • Yovale servers are hosted in the United States, in different datacenters
  • CNS servers are hosted in different geographical locations and are provided by our service provider Cloudflare.
  • Denial-of-service protections are set everywhere (this ensures service resiliency under attack)
  • We have different layers of databases, which are all replicated on multiple servers and locations
  • Our network is protected with firewalls and a state-of-the-art early attack detection system provided by our service providers.
  • Technical staff use pagers so we are notified of incidents immediately
  • Yovale infrastructure was designed to still run properly even in case of server incidents.
  • Server authentication uses protected SSH keys; direct password authentication is not possible
  • SSH services are not publicly reachable and are limited to a set of allowed IPs
  • Abusive IPs are automatically banned or rate-limited (prevents brute-force attacks on accounts)

Data Security

Yovale strictly implements the GDPR, which aims to protect user data and to provide a right to modify and delete such data, as well as to consent to data collection.

Manish Yadav
CTO and Design lead at Yovale & VINTCER

2 comments

  1. Michael Alvarado

    Is it possible to add a Google Authenticator or similar OTP-based login to our Yovale account?