Yellowfin Evaluation Guide

Yellowfin is used for both enterprise analytics and embedded analytics use cases and for building bespoke analytical applications. Use this guide to ensure Yellowfin is the right technical fit for your requirements.

Yellowfin’s Security & Compliance

    Updated 12 August 2021

    Do you have a company WISP that you follow?

    Yellowfin maintains an up-to-date company WISP (which defines the company's secure operating practices) and other SOP documents for staff to follow.

    What external accreditations does the company hold?

    Yellowfin holds the following accreditations:

    • UK Cyber Essentials 2018 (required to sell digital services to UK Government)
    • UK Cyber Essentials 2019
    • UK Cyber Essentials 2020
    • SOC 2 Type 2, achieved in 2021

    Does your company have an individual (or individuals) identified to implement and manage the Information Security Program (e.g. Chief Information Security Officer, Director/Manager, other)?

    Company security is the responsibility of the office of the COO. The operations team manages all organizational security concerns.

    Does Yellowfin have security hardening guidelines for computing and network infrastructure devices?

    The Yellowfin WISP and other internal documents define the approaches used to harden the ecosystem against external influence and unauthorized access. Yellowfin has an ISO officer who regularly tests external boundaries and performs vulnerability tests on network components and all endpoints. The ISO officer uses industry-standard scanning tools to discover issues and triage them for resolution or mitigation.

    Does Yellowfin have firewalls to protect company boundaries?

    Yellowfin protects all its company boundaries with Cisco 5515-X or 5545-X firewalls; Yellowfin also uses internal Cisco 5515-X firewalls on internal boundaries to protect company secrets and IP.

    Does Yellowfin have endpoint protection?

    Yellowfin protects all endpoints and service platforms with Bitdefender Cloud protection. This technology is installed as a client on Windows, Linux and Apple devices; it is controlled and monitored from the cloud portal. Bitdefender Cloud provides each client with a local firewall, antivirus, antimalware, anti-ransomware ("anti-crypto"), web/email protection and file protection.

    Does Yellowfin have a password policy?

    Yellowfin uses high-entropy passwords on all servers and external service platforms. High entropy means 20 characters or greater; our standard is 32 characters.
    The internal staff SOP defines the password policy and rotation frequency for staff to follow.

    Does Yellowfin have user access policies for creation and approval?

    Yellowfin uses Okta SSO technology to provide a single point of access for all company applications. Staff have a single login, and all allocated web-accessible applications are available through the Okta portal. When staff onboard, their access to platforms is assigned; when staff offboard, that access is revoked.
    For GUI applications and equipment that require their own credentials, these credentials are issued and revoked by the Operations team.

    Who is responsible for granting access to IT system resources?

    The Operations team, working under the office of the COO, is responsible for IT system access.

    Is Yellowfin compliant with standards like HIPAA and PCI, and does it protect all customer PII/KYC data?

    • Yellowfin is a pure software vendor and does not host customer data. Customer ISO staff are responsible for the secure hosting and management of the Yellowfin software.
    • Yellowfin does not host or have access to any HIPAA data.
    • Yellowfin does not host or have access to any credit card data.
    • Yellowfin does not host any customer data and hence holds no PII or KYC data.
    • Yellowfin, by policy, does not access customer data for support activities.

    Is Yellowfin GDPR compliant?

    Yellowfin only stores customer and lead information provided to Yellowfin by those stakeholders. Yellowfin does not store sensitive PII such as date of birth (DOB). All GDPR-eligible information is provided by the lead contacts or the account contacts and is public-level information. On request, Yellowfin will remove a person's held information from all active systems in compliance with GDPR rules, keeping only the minimum information needed to maintain the integrity of our accounting and billing systems.
    Yellowfin is also a signed-up member of US Privacy Shield.

    Please describe your disaster recovery and/or business continuity processes and plans. Also include details regarding how long they have been in place at your company and provide a copy of your most recent testing exercise.

    Yellowfin has documented DRR, pandemic and business continuity plans; the documents are written to be flexible enough to cover any scenario that impacts normal business operations.
    The most recent test of the plan was the COVID-19 crisis, which required citizens to shelter in place or at home. Yellowfin executed the plan and established work-from-home (WFH) practices, allowing a transparent move from working in the office (WIO) to WFH with no loss in productivity. Yellowfin's established infrastructure and security made this a seamless transfer.

    Does Yellowfin have a Third-Party Remote Access Policy or guidelines?

    We do not allow third parties to access production systems; internal staff manage all production and development concerns.

    Are Yellowfin’s employees required to sign confidentiality agreements?

    All staff are required, on commencement of employment, to sign an unlimited NDA together with intellectual property protections. This protects Yellowfin and its customers; with respect to customers, it prevents the staff member from disclosing any confidential information they may obtain in the course of their duties as a representative of Yellowfin working with customers.

    Are Yellowfin Employees subject to criminal and reference checks?

    Yellowfin does not perform criminal checks on employees, and Yellowfin does not perform security vetting on employees. Employees are subject to reference checks when assessed for employment, and they sign an NDA and other company agreements for the protection of company secrets, IP and customer information.

    Does Yellowfin have a code of ethics?

    Yellowfin has a company-wide code of ethics policy available to all staff. It covers standards of honesty and fair play in working with customers.
    The document can be provided for review on signing an NDA.

    Does Yellowfin software comply with all applicable USA Federal and state requirements and regulations?

    The Yellowfin application has robust security controls and a granular permission scheme to fit any requirements or regulations. As a business, we comply with all relevant regulations.

    Does Yellowfin practice industry-standard backup methods?

    Yellowfin practices 3-2-1 backups (three copies, on two different media, one held off-site) of core systems, data and information. Yellowfin ships off-site backups to Azure and AWS cloud daily, reducing point-in-time (PIT) loss.
    Backups are encrypted for transport over public networks.

    Do you have controls in place to prevent cyber disruption to your networks and ultimately your ability to deliver contracted products or services (business continuity)?

    Yellowfin has a diversified set of IT capabilities across AWS, the Involta DC, HQ and regional offices. This provides a high level of flexibility and built-in redundancy. Yellowfin protects all endpoints with Bitdefender Cloud endpoint protection. Yellowfin protects all outside boundaries with Cisco 55X5-X firewalls and protects inside IP assets with Cisco 55X5-X firewalls. Yellowfin practices 3-2-1 backup of core assets. Yellowfin employs a dedicated security officer to regularly scan internal and external interfaces for vulnerabilities and manage their resolution.

    Does Yellowfin use open-source software under the covers, and what steps are taken to ensure the open-source code is not introducing security flaws?

    Yellowfin does use some open-source libraries inside the Yellowfin code base. Yellowfin only uses open-source libraries that are free of copyleft or proprietary licenses. Yellowfin uses industry tools such as SonarQube and Sonatype to scan the Yellowfin code base for security vulnerabilities, bugs and issues, including open-source vulnerabilities and open-source bugs. Yellowfin employs a dedicated IS consultant who works full time on detecting and correcting security issues in the Yellowfin code. This also includes managing open-source licensing to ensure compliance.

    What key size does Yellowfin use for Cryptography processes?

    Yellowfin chooses an available algorithm depending on what the JVM supports. It tries these in order: AES, 3DES, Blowfish, DES. Yellowfin uses the default key size for the algorithm chosen.
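    As an added example that is not Yellowfin's own code, the following Java probe walks the fallback order described above on the running JVM and reports the default key size each cipher would receive, so an evaluator can confirm the chain stops at AES rather than at a legacy cipher. The JCE algorithm names (in particular "DESede" for 3DES) and the 128-bit acceptance threshold are assumptions.

```java
// Added example, not Yellowfin code: probe the JVM for the cipher fallback
// order (AES, 3DES, Blowfish, DES) and the default key size each would get.
// Assumption: JCE registers 3DES under the name "DESede".
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;

public class CipherFallbackProbe {

    // Preference order from the evaluation guide; DESede is the JCE name for 3DES.
    static final String[] PREFERENCE_ORDER = {"AES", "DESede", "Blowfish", "DES"};

    // Assumed evaluator threshold (not a Yellowfin setting): flag anything under 128 bits.
    static final int MIN_ACCEPTABLE_BITS = 128;

    /** Default key size in bits the provider hands out, or -1 if the JVM lacks the cipher.
     *  For DES and DESede the encoded length includes parity bits (64 / 192), so the
     *  effective strength (56 / 112-168) is lower than the number reported here. */
    static int defaultKeyBits(String algorithm) {
        try {
            Cipher.getInstance(algorithm);                          // cipher must exist
            SecretKey key = KeyGenerator.getInstance(algorithm).generateKey();
            return key.getEncoded().length * 8;                      // provider default
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            return -1;
        }
    }

    /** Walks the chain exactly as described: first available algorithm wins. */
    static String selectFirstAvailable() {
        for (String alg : PREFERENCE_ORDER) {
            if (defaultKeyBits(alg) > 0) {
                return alg;
            }
        }
        return null;                                                  // no cipher at all
    }

    public static void main(String[] args) {
        Map<String, Integer> report = new LinkedHashMap<>();
        for (String alg : PREFERENCE_ORDER) {
            report.put(alg, defaultKeyBits(alg));
        }
        report.forEach((alg, bits) -> System.out.printf("%-9s default key size: %s%s%n", alg,
                bits < 0 ? "not available" : bits + " bits",
                bits > 0 && bits < MIN_ACCEPTABLE_BITS ? "  <-- below threshold" : ""));
        // On a standard JDK the chain selects AES; any other answer means the JVM's
        // crypto providers are misconfigured and encryption has fallen to a legacy cipher.
        System.out.println("Fallback chain would select: " + selectFirstAvailable());
    }
}
```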

    How does Yellowfin store product passwords?

    Yellowfin uses the bcrypt algorithm to hash the plaintext password and stores the hash in the control database; Yellowfin also uses CRC and other anti-tamper mechanisms to ensure the hashed password cannot be altered or replaced.

    Is TLS being used by default for communication between the source and destination?

    Yes. Yellowfin's internal Tomcat instance supports TLS 1.2.

    Does Yellowfin have a SOC 2 assessment?

    The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing and transfer of data. The reports cover IT general controls and controls around the availability, confidentiality and security of customer data.

    Yellowfin has completed a successful SOC 2 Type 2 assessment. The report is available on request from the Yellowfin Sales team on provision of a signed NDA.