Information security management system ISO/IEC 27001:2013 and audit

The Yva.ai team is officially certified to the international standard for information security management systems, ISO/IEC 27001:2013. This means that the Yva.ai collaboration analytics platform and the company's internal information security processes fully comply with a recognized international standard.

Yva.ai applies a systematic approach to information security risk management.

The process is divided into the following stages:

  • definition of the domain of data operation,

  • inventory of physical and logical information assets (servers, data warehouses, etc.),

  • threat identification and risk assessment for information assets,

  • selection of protective and security measures,

  • introduction of measures to treat residual risks, etc.

Yva.ai minimizes the risk of attacks by protecting survey results, reports, and other data with strong encryption.

Yva.ai conducts regular audits of contractors and imposes the same information security requirements on contractors' employees as on its own employees.

Yva.ai counters virus and phishing threats: together with Sophos, we use artificial intelligence technology to protect all staff and non-staff members.

The protection level of Yva.ai is assessed by an independent expert. Each year, Yva.ai will confirm compliance with the standard through an independent certification audit, proving that clients' data are fully protected against unauthorized access or hacking, both in the cloud and on-premises.

All information is stored and processed on the company's servers; data is never saved on the desktops of Yva's employees.

ISMS policies and processes

To ensure data security, Yva has implemented ISMS policies that regulate its information security processes, and activities are carried out with ISMS logs and records maintained. Yva conducts staff screening and training, using Sophos Phish Threat, with a subsequent assessment of competencies. All Yva employees sign an NDA. Technical tools and systems for monitoring, control, and data security have been deployed; access control and logging of user actions are in place. Yva conducts regular audits of its information systems and processes, as well as external and internal pentests.

Yva.ai's information security policies are developed in accordance with ISO 27001:2013. Yva's ISMS includes the following policies and documents:

  • ISMS Policy,

  • ISMS Scope,

  • ISMS Roles and Responsibilities Procedure,

  • ISMS Management,

  • RACI Matrix,

  • ISMS Information Security Risk Management Procedure,

  • ISMS IT Infrastructure Management Procedure,

  • ISMS Access Management Procedure,

  • ISMS Credentials Usage Procedure,

  • ISMS Information Security Incident Management Procedure,

  • ISMS Business Continuity Procedure,

  • ISMS Business Continuity Strategy,

  • ISMS Information Handling Procedure,

  • ISMS Audit Management Procedure,

  • ISMS Secure Development Policy,

  • ISMS Information Security User Manual,

  • ISMS Statement of Applicability,

  • Information Security Threat Model,

  • Asset Inventory Report,

  • Information Security Risk Assessment Report,

  • Information Security Risk Treatment Plan,

  • Physical Security Procedure.

Operations management

Operational procedures and responsibilities

Within the ISMS, the following roles are assigned to the Company's employees to maintain compliance with security policies, procedures, and standards across the organization:

  • ISMS Owner,

  • Data Protection Officer (DPO),

  • IS Manager,

  • IT Manager,

  • Business Continuity Manager.

Data protection officer (DPO) 

Yva.ai employs a Data Protection Officer (DPO), who:

  • Is responsible for the company's compliance with personal data protection requirements.

  • Informs and advises the company on its data protection obligations.

  • Acts as a contact person for users, contractors, or regulatory authorities.

The DPO is responsible for the procedures and documents that enable the ISMS, establishing the protection of the information assets of Yva.ai, Inc., its customers, and its partners, and creating and maintaining conditions under which information security risks are constantly monitored and kept at an acceptable level, confidential information is protected, and business processes function continuously.

Human resource security

Yva's employees and contractors commit themselves to confidentiality and have signed a confidentiality agreement. Prior to hiring, all employees are subject to a background check. Logical access is granted on a need-to-know basis, in compliance with the least privilege principle: a user has only those privileges that are essential to perform their job, as per our access control policy. Access is controlled using the role-based access control model.

Incident management plan

Yva.ai follows the requirements of GDPR (Art. 33) for the breach notification procedure for tenants using our SaaS solution.

Business continuity strategy

Yva.ai has a Business Continuity Strategy that determines the general approach to ensuring the continuity of the main business processes within the scope of the information security management system of Yva.ai, Inc. This documentation includes the Recovery Point Objective (RPO) and the Recovery Time Objective (RTO) for each process.

Event management

Yva.ai uses Azure Sentinel to aggregate internal and external events from different sources for the SaaS solution.