Yashara Biosciences operates software platforms used in clinical laboratories, research institutions, and industrial settings. We treat security not as a compliance checkbox but as an ongoing engineering discipline.
All data stored within Yashara's cloud infrastructure is encrypted at rest using AES-256. All data transmitted between clients and Yashara servers — including web application traffic, API calls, and any optional cloud inference payloads — is encrypted in transit using TLS 1.3. We do not support TLS 1.1 or earlier, and we enforce HSTS with a minimum one-year max-age on all production domains.
Access to Yashara's production infrastructure is restricted by role-based access control (RBAC) with enforcement of the principle of least privilege. All privileged access requires multi-factor authentication. No production data is accessible from development or staging environments. Access rights are reviewed quarterly and revoked immediately upon personnel offboarding.
Our cloud infrastructure is deployed within isolated Virtual Private Clouds (VPCs) with network segmentation between application, data, and management tiers. Inbound access to application services is mediated through a web application firewall (WAF) with rule sets targeting OWASP Top 10 vulnerability classes. Database services are not directly accessible from the public internet.
All access events, authentication events, data modifications, and administrative actions are logged to an append-only audit log with cryptographic integrity protection. Audit logs are retained for a minimum of seven years for ComplianceCall (supporting CLIA audit trail requirements) and three years for other services. Logs are stored in a dedicated environment isolated from production application infrastructure.
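One way to build the append-only audit log with cryptographic integrity protection described above, as an added illustration (this is example code, not Yashara's implementation). Each entry carries an HMAC over its own fields and the previous entry's MAC, so editing, reordering or deleting an entry breaks the chain; the signing key and sample events are constructed for the example, and truncation of the tail is only detectable when the latest MAC (the head) has been anchored somewhere outside the log.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed signing key for the example; a deployment would hold this in a KMS/HSM,
# not alongside the log it protects.
EXAMPLE_KEY = b"example-audit-log-mac-key"
GENESIS = "0" * 64  # chain anchor for the first entry
BODY_FIELDS = ("seq", "ts", "actor", "action", "target")


def _canonical(body: dict) -> bytes:
    """Deterministic JSON so the same event always MACs to the same value."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _entry_mac(key: bytes, prev: str, body: dict) -> str:
    """HMAC over the previous entry's MAC plus this entry's body: the chain link."""
    return hmac.new(key, prev.encode() + b"|" + _canonical(body), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only list of events; each entry commits to the one before it."""

    def __init__(self, key: bytes):
        self._key = key
        self._entries: list = []

    def append(self, ts: str, actor: str, action: str, target: str) -> dict:
        body = {"seq": len(self._entries), "ts": ts, "actor": actor,
                "action": action, "target": target}
        prev = self._entries[-1]["mac"] if self._entries else GENESIS
        entry = {**body, "prev": prev, "mac": _entry_mac(self._key, prev, body)}
        self._entries.append(entry)
        return entry

    def head(self) -> str:
        """MAC of the newest entry; anchor it elsewhere to detect truncation."""
        return self._entries[-1]["mac"] if self._entries else GENESIS

    def entries(self) -> list:
        return [dict(e) for e in self._entries]


def verify_chain(entries: list, key: bytes, expected_head: Optional[str] = None):
    """Return (ok, index): (True, len(entries)) when intact, otherwise index is the
    first entry that fails (or len(entries) when only the head anchor mismatches)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev") != prev:
            return False, i  # reordered, deleted, or relinked entry
        body = {k: e.get(k) for k in BODY_FIELDS}
        if not hmac.compare_digest(e.get("mac", ""), _entry_mac(key, prev, body)):
            return False, i  # modified entry
        prev = e["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(entries)  # tail truncated or log rolled back
    return True, len(entries)


def build_sample_log() -> AuditLog:
    """Constructed sample events."""
    log = AuditLog(EXAMPLE_KEY)
    log.append("2024-01-01T09:00:00Z", "alice", "login", "web")
    log.append("2024-01-01T09:05:12Z", "alice", "update_result", "sample/1042")
    log.append("2024-01-01T09:07:30Z", "admin", "grant_role", "user/bob")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log.entries(), EXAMPLE_KEY, log.head()))
    tampered = log.entries()
    tampered[1]["action"] = "delete_result"
    print("tampered:", verify_chain(tampered, EXAMPLE_KEY, log.head()))
```

Storing the head MAC in a separate environment (as the page says the logs themselves are) is what makes rollback of the whole tail visible; the chain alone only proves internal consistency.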
By default, data for ComplianceCall and PuroChem is stored and processed in data centers located within the United States. Enterprise customers with data residency requirements — including EEA customers subject to GDPR data transfer restrictions — may request regional deployment configurations. Contact us at security@yashara.us to discuss data residency options.
Production data is backed up with a minimum daily frequency to geographically separated storage. Backups are encrypted using independent key material from the primary data encryption keys. Recovery time objectives (RTO) and recovery point objectives (RPO) are tested quarterly through automated recovery drills. Current target RTO is four hours; target RPO is one hour.
Security is integrated throughout our development lifecycle. Static application security testing (SAST) runs on every pull request. Dependency vulnerability scanning (SCA) runs on every build. Code changes that introduce new external dependencies require security review. Security training is mandatory for all engineers on an annual basis.
We engage qualified third-party security firms to conduct penetration tests of our web applications and infrastructure on an annual basis at minimum. Penetration test findings are remediated according to severity-based SLAs: critical findings within 24 hours, high findings within 7 days, medium findings within 30 days. Summary findings are available to enterprise customers under NDA.
All product accounts support multi-factor authentication (MFA) via TOTP-based authenticator apps. MFA is mandatory for all users with administrative privileges and recommended for all user accounts. Institutional enterprise plans may enforce MFA as a policy across all organizational users. SAML 2.0 SSO integration is available for enterprise deployments.
Session tokens are cryptographically random, stored as HttpOnly and Secure cookies, and bound to the user agent and IP address subnet of the originating session. Sessions are invalidated after 8 hours of inactivity. Concurrent sessions from geographically disparate locations trigger a user notification. Session invalidation is immediate upon logout or password change.
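The session properties listed above (random token, HttpOnly and Secure cookie, binding to user agent and source subnet, 8-hour inactivity timeout, immediate invalidation on logout or password change), shown in a small server-side session store. This is an added example and not Yashara's code; the /24 (IPv4) and /64 (IPv6) prefix lengths are assumptions, since the page does not state which subnet size is used, and the password-change invalidation is implemented here with a per-user generation counter that every session records at creation.

```python
import ipaddress
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

INACTIVITY_LIMIT = 8 * 60 * 60  # seconds; the 8-hour inactivity policy above
# Assumed prefix lengths for "IP address subnet" binding (not stated on the page).
IPV4_PREFIX, IPV6_PREFIX = 24, 64


def subnet_of(ip: str) -> str:
    """Network the client address belongs to, e.g. 203.0.113.10 -> 203.0.113.0/24."""
    addr = ipaddress.ip_address(ip)
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


@dataclass
class Session:
    user_id: str
    user_agent: str
    subnet: str
    password_gen: int   # user's password generation when the session was issued
    last_seen: float


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self._password_gen: Dict[str, int] = {}  # bumped on every password change

    def create(self, user_id: str, user_agent: str, ip: str, now: Optional[float] = None) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = Session(
            user_id, user_agent, subnet_of(ip),
            self._password_gen.get(user_id, 0),
            now if now is not None else time.time(),
        )
        return token

    def validate(self, token: str, user_agent: str, ip: str,
                 now: Optional[float] = None) -> Optional[str]:
        """Return the user id if the session is live and bound to this client, else None."""
        now = now if now is not None else time.time()
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.last_seen > INACTIVITY_LIMIT:
            self._sessions.pop(token)  # idle too long: drop server-side, not just client-side
            return None
        if s.password_gen != self._password_gen.get(s.user_id, 0):
            self._sessions.pop(token)  # password changed since issue
            return None
        if s.user_agent != user_agent or s.subnet != subnet_of(ip):
            return None  # binding mismatch: treat as unauthenticated, do not extend
        s.last_seen = now
        return s.user_id

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def password_changed(self, user_id: str) -> None:
        """Invalidates every existing session of the user on the next validate()."""
        self._password_gen[user_id] = self._password_gen.get(user_id, 0) + 1


def set_cookie_header(token: str) -> str:
    """Set-Cookie value: not readable by script, only sent over HTTPS."""
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice", "ExampleBrowser/1.0", "203.0.113.10")
    print(set_cookie_header(tok))
    print(store.validate(tok, "ExampleBrowser/1.0", "203.0.113.77"))  # same /24 -> alice
    print(store.validate(tok, "ExampleBrowser/1.0", "198.51.100.5"))  # other subnet -> None
```

Binding to the subnet rather than the exact address is what keeps a session usable across the address churn of a NATed or mobile client while still rejecting replay of a stolen cookie from elsewhere; the generation counter avoids having to enumerate a user's sessions at password-change time.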
All API access requires authentication via scoped API tokens with explicit permission grants. API tokens are never logged in plaintext. Rate limiting is enforced on all API endpoints. API usage is monitored for anomalous patterns. OpenAPI specifications for all public endpoints are available to licensed API users.
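The three API controls named above (scoped tokens with explicit grants, tokens never logged in plaintext, per-token rate limiting) combined in one authorization path. This is an added example, not Yashara's API code: the `ysk_` token prefix, the scope names and the 5-requests-per-minute limit are constructed for the illustration. Tokens are stored and looked up by SHA-256 hash, and only a short hash prefix ever reaches the log.

```python
import hashlib
import secrets
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

# Constructed in-memory registry keyed by token hash; a deployment would use a database.
_TOKENS: Dict[str, dict] = {}


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def fingerprint(token: str) -> str:
    """Short, non-reversible identifier safe to write to logs and metrics."""
    return _hash(token)[:12]


def issue_token(owner: str, scopes: Set[str]) -> str:
    """Mint a token with an explicit scope set; only its hash is retained."""
    plaintext = "ysk_" + secrets.token_urlsafe(32)  # assumed prefix convention
    _TOKENS[_hash(plaintext)] = {"owner": owner, "scopes": set(scopes)}
    return plaintext


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per key."""

    def __init__(self, limit: int, window: float) -> None:
        self._limit, self._window = limit, window
        self._hits: Dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and now - q[0] >= self._window:
            q.popleft()  # forget hits that fell out of the window
        if len(q) >= self._limit:
            return False
        q.append(now)
        return True


def authorize(token: str, required_scope: str, limiter: RateLimiter,
              now: float, log: List[str]) -> Tuple[int, str]:
    """Return (HTTP status, detail). Log lines carry the fingerprint, never the token."""
    fp = fingerprint(token)
    rec = _TOKENS.get(_hash(token))
    if rec is None:
        log.append(f"auth_fail reason=unknown_token token={fp}")
        return 401, "invalid token"
    if required_scope not in rec["scopes"]:
        log.append(f"auth_fail reason=missing_scope token={fp} scope={required_scope}")
        return 403, f"token lacks scope {required_scope}"
    if not limiter.allow(fp, now):
        log.append(f"rate_limited token={fp}")
        return 429, "rate limit exceeded"
    log.append(f"auth_ok token={fp} owner={rec['owner']} scope={required_scope}")
    return 200, rec["owner"]


if __name__ == "__main__":
    log: List[str] = []
    limiter = RateLimiter(limit=5, window=60.0)
    tok = issue_token("lab-integration", {"samples:read"})
    print(authorize(tok, "samples:read", limiter, 0.0, log))
    print(authorize(tok, "samples:write", limiter, 1.0, log))
    print(authorize("ysk_not-a-real-token", "samples:read", limiter, 2.0, log))
    print("\n".join(log))
```

Keying the limiter on the token fingerprint rather than the client IP means a single leaked or abused token is throttled wherever it is used, and the same fingerprint ties the rate-limit, success and failure events together for the anomaly monitoring the page mentions.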
We conduct security reviews of all third-party subprocessors who have access to customer data. Subprocessors are contractually required to maintain security standards equivalent to or exceeding our own. A current list of subprocessors is maintained and available to enterprise customers on request. We will notify enterprise customers in advance of any new subprocessor engagement.
Yashara is currently pursuing SOC 2 Type II certification covering the Security, Availability, and Confidentiality trust service criteria. Upon completion, the SOC 2 Type II report will be available to enterprise customers and prospective enterprise customers under a non-disclosure agreement. Contact your account representative or security@yashara.us to request a copy of the report when available.
ComplianceCall is designed for deployment in HIPAA-covered laboratory environments. Yashara will execute a Business Associate Agreement (BAA) with covered entities and business associates that use ComplianceCall in connection with PHI. Contact compliance@yashara.us to initiate the BAA process.
For customers in the European Economic Area and the United Kingdom, Yashara provides a Data Processing Agreement (DPA) in accordance with Article 28 of the General Data Protection Regulation. The DPA incorporates Standard Contractual Clauses (SCCs) for international data transfers. Contact privacy@yashara.us to request a DPA.
We take security vulnerabilities seriously and welcome responsible disclosure from the security research community. If you discover a security vulnerability in any Yashara product or service, we ask that you follow the process below.
Submit vulnerability reports by email to security@yashara.us. For sensitive reports, we recommend encrypting your message using our PGP public key, available on request from the same address.
Please include in your report: a description of the vulnerability and its potential impact; the affected product, version, and environment; step-by-step instructions to reproduce the issue; and any proof-of-concept code or screenshots that demonstrate the vulnerability. The more detail you provide, the faster we can triage and respond.
This policy covers vulnerabilities in Yashara's web applications (yashara.us, the ComplianceCall web application, the PuroChem web application), APIs, and cloud infrastructure. It does not cover vulnerabilities in FluorocellAI's local installation that require physical access to the user's machine, vulnerabilities in third-party software components that have not yet been patched by the upstream maintainer, or issues that require the cooperation of a legitimate user account holder to exploit.
We ask that researchers not access or modify data belonging to other users, not perform actions that degrade service availability for other users, and not disclose vulnerability details publicly before we have had a reasonable opportunity to address them (minimum 90-day coordinated disclosure window).
In the event of a security incident affecting customer data, our incident response process follows a structured escalation and notification protocol. We maintain an incident response plan that is reviewed and tested on an annual basis.
Affected customers will be notified promptly in the event of any security incident that involves unauthorized access to, or disclosure of, their data. Notification will include a description of the nature of the incident, the categories of data affected, the estimated timeline of the incident, the remediation steps taken or underway, and recommended actions for affected users.
Automated monitoring, anomaly detection, and security event correlation across infrastructure and application layers. 24/7 alerting to on-call security personnel.
Immediate isolation of affected systems, revocation of compromised credentials, and network-level blocking of identified threat actors.
Customer notification within 72 hours of a confirmed data breach, in accordance with GDPR Article 33 and applicable state breach notification laws.
Root cause analysis, remediation validation, and publication of a post-incident report to affected enterprise customers upon request.
Enterprise customers may request our SOC 2 report, penetration test executive summary, and completed security questionnaires through their account representative. All other security inquiries should be directed to security@yashara.us.