How are security and privacy organised within Yuki?
Adequate security is essential within the Yuki service. The service aims to protect all information from loss, theft or unauthorised use. The security measures implemented by Yuki fall into two categories:
- Access security:
- Password entered incorrectly
- Two-factor authentication
- Protection of own data
- Yuki employees
- Database access
- Rights system
- Data security:
- Data traffic
- Confidential data
- Separate environment per customer
- Anti-virus software
- Physical server security
- Daily monitoring.
Yuki users identify themselves by means of a user name (in the form of a valid email address) and a password. This access security is achieved through Microsoft.NET Forms-Based Security. This means that access protection is automatically enforced for the entire web application 'by design and by default'. In addition, Yuki supports some Single Sign-On (SSO) solutions.
The password is set by the Yuki user. Basically, the user has the freedom to set the password, but the strength of the password is displayed immediately. The strength of a password depends on the number of different characters, numbers and special characters. In this way, Yuki aims to guide the customer in making a conscious choice.
In the event that the customer has forgotten the password, Yuki Customer Service must be contacted. The employee will verify the customer's identity using registered data. A new password will then be provided via email. At the next login, this password must be changed immediately. The password used by the client to access Yuki is stored in such an encrypted way that it cannot be retrieved from the database ('one-way encryption').
For a detailed description see also article Password policy.
A Yuki employee will not request the customer's password under any circumstances. Nor will a new password ever be provided to the customer by telephone. Not least because that will never become visible to the Yuki employee..
Password entered incorrectly
If you entered the password incorrectly six times, your account will be locked for one minute. If you then do it wrong again, it will be two minutes etc. In addition, you will receive the message "This user is temporarily blocked due to too many invalid login attempts". If you enter the correct password after the waiting period, the block will be lifted.
Yuki users can enable the two-factor authentication for their login to a domain in Yuki. This means that a second layer of security will be added at login. After entering a user name and password, a 6-digit code generated by the Google or Microsoft Authenticator app on the mobile phone must also be entered.
Protection of own data
Yuki recommends that users always use the latest internet browser, as it always has a higher security level than previous versions. When logging in to Yuki, always pay attention to the address bar and see if it says 'htpps://mijndomein.yuki.nl'. Even with a strong password, it is advisable to change it regularly. And it is not recommended to save the password using cookies, unless access to the computer itself is very secure.
Yuki's servers are located behind an advanced Basewall firewall to prevent unauthorized access over the Internet. Because the servers are exclusively used for hosting the Yuki environment, the firewall is configured in such a strict way that almost all traffic from the internet is blocked.
Only employees of the Back Office designated by Yuki have access to the customer's data for the maintenance of the administration. The other Yuki employees do not have access to customer data. When Yuki hires new employees, a Certificate of Good Conduct (VOG) is required. Should an employee leave Yuki, it is strictly monitored that all data is immediately inaccessible to this employee.
Only the database administrator has access to the database. Direct access to the database is not possible for other Yuki employees under any circumstances.
Yuki has an efficient rights system (RBAC: Role Based Access Control) within a domain. As a result, administrations within a domain can be separated and it is possible to achieve segregation of duties for employees. Rights always depend on roles in Yuki and never on individual users. It is also possible to indicate within an administration who can see what. This includes bank accounts and related transactions, documents, addresses and appointments.
All data traffic between the customer's PC and Yuki's server is encrypted using SSL encryption technology (128-bit encryption). This means that all data sent over the internet (e.g. passwords, financial data, sensitive documents) are protected against 'eavesdropping on data traffic on the internet'.
All Yuki employees sign a confidentiality statement stating that all customer data must be treated with the utmost confidentiality and discussion of its contents is not permitted, except with direct colleagues or supervisors when the situation calls for it. Communication of registered data to third parties will therefore never take place, unless the customer gives explicit permission for this or it concerns a situation in which disclosure is legally required.
Naturally, no data will be made available to other companies: the use of the Yuki service will never lead to additional commercial approaches or spam. Furthermore, at the request of the customer, all relevant data from the Yuki servers can be completely removed, for example in the event of termination of the subscription. It is always possible to copy the data from the Yuki archive and save it on the hard disk.
Each individual Yuki administration is backed up every 15 minutes. This backup is stored in another wing, which has a separate power supply. This means that the continuity of the stored data is optimally guaranteed in almost all calamities.
Separate environment per customer
Every Yuki customer gets its own domain and its own database. This infrastructure is integrated with access security. Yuki has deliberately chosen this approach, so that it is impossible for customers to gain access to the data of other customers by, for example, modifying URLs. No one can therefore gain access to the relevant environment without the customer's permission.
Anti-virus software is installed on the equipment used by Yuki employees. This contributes to the security of the stored data and the availability of the service.
To improve Yuki as a whole, actions performed can be stored in the database. In this way, Yuki can collect statistical data that can help with the development of the service or for support to the user. This concerns the action itself and of course not the entered or stored data.
Physical server security
Yuki's servers are located in Amazon's data centers within the European Union. Amazon applies very strict access security, has extensive provisions against fire and water damage and power interruptions and has very extensive redundancy in the internet connections.
The actual security of an environment is determined not only by the safety measures taken, but also by the monitoring thereof. Therefore, on a frequent basis, the log files of both firewalls and web servers are evaluated by Yuki to detect irregularities.