Trust & Security

How we protect your data and the data of your customers.

Compliance

YKO Labs operates in line with major global privacy and payment standards. We focus on what is legally required to serve beauty, salon, barber and personal-care businesses worldwide.

✅ GDPR compliant (European Union)
✅ UK GDPR compliant
✅ CCPA / CPRA compliant (California)
✅ PCI DSS SAQ A compliant — payments processed by Polar, a PCI DSS Level 1 certified Merchant of Record. YKO Labs systems never store, process, or transmit cardholder data.

Infrastructure

We build on infrastructure providers that hold their own SOC 2 Type II and ISO/IEC 27001 attestations. Your data inherits the physical, network, and operational security of these providers.

DigitalOcean — Backend hosting. SOC 2 Type II, ISO/IEC 27001
MongoDB Atlas — Database (per-tenant isolated). SOC 2 Type II, ISO/IEC 27001, ISO 27018
Vercel — Frontend hosting & edge network. SOC 2 Type II, ISO/IEC 27001
Cloudflare — CDN, DDoS protection, image storage. SOC 2 Type II, ISO/IEC 27001
Polar (Stripe) — Payment processing (Merchant of Record). PCI DSS Level 1
Firebase / Google Cloud — Authentication. SOC 2, ISO/IEC 27001, ISO 27018
Twilio — SMS messaging. SOC 2 Type II, ISO/IEC 27001
Meta WhatsApp Business — WhatsApp messaging. ISO/IEC 27001
Google Gemini — AI content generation. SOC 2, ISO/IEC 27001
Datadog — Monitoring & logs. SOC 2 Type II, ISO/IEC 27001

Our security practices

Day-to-day controls implemented inside the YKO Labs platform:

🔐 TLS 1.3 in transit; encryption at rest via managed database storage
🏢 Per-tenant database isolation — every customer has their own dedicated MongoDB database
🔑 Bcrypt-hashed passwords, dual JWT authentication with short-lived tokens, role-based access control
📜 Audit logs with up to 6-year retention, including IP, user agent, and field-level change diffs
🚦 Rate limiting on all endpoints (200 req / 15 min global, stricter on auth)
🛡️ Helmet + Content Security Policy headers, MongoDB operator sanitization, input validation on every request
💾 Daily automated database backups
📊 Real-time monitoring with Datadog APM and structured logging
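As an added illustration of the "MongoDB operator sanitization" control listed above (example code written for this page, not YKO Labs' own implementation; it assumes a Node.js/Express-style request object with `body` and `query` properties, and the sample login payload and field names are constructed):

```javascript
// Added example, not YKO Labs' code. Recursively removes keys that MongoDB
// would interpret as query operators ("$ne", "$gt", ...) or as dotted field
// paths ("profile.role") from untrusted request data, so that JSON coming
// from a client can only ever be matched as plain values, never as
// operator expressions. Dropped key paths are collected so the caller can
// write them to the audit log as a detection signal.
function sanitizeMongoInput(value, dropped = [], path = "") {
  if (Array.isArray(value)) {
    return value.map((item, i) => sanitizeMongoInput(item, dropped, `${path}[${i}]`));
  }
  if (value !== null && typeof value === "object") {
    const clean = {};
    for (const [key, inner] of Object.entries(value)) {
      const keyPath = path ? `${path}.${key}` : key;
      if (key.startsWith("$") || key.includes(".")) {
        dropped.push(keyPath); // operator or path key: record and discard
        continue;
      }
      clean[key] = sanitizeMongoInput(inner, dropped, keyPath);
    }
    return clean;
  }
  return value; // strings, numbers, booleans, null pass through unchanged
}

// Express-shaped middleware (assumed request shape: req.body, req.query).
// Sanitizes in place and attaches the dropped paths for the request logger.
function mongoSanitizeMiddleware(req, res, next) {
  const dropped = [];
  req.body = sanitizeMongoInput(req.body ?? {}, dropped);
  req.query = sanitizeMongoInput(req.query ?? {}, dropped);
  req.droppedOperatorKeys = dropped; // empty array for benign requests
  next();
}

// Constructed sample: a login body where the password field is an object
// carrying an operator instead of a string.
const sampleRequest = {
  body: { username: "alice", password: { $ne: "" }, "profile.role": "admin" },
  query: {},
};

mongoSanitizeMiddleware(sampleRequest, {}, () => {
  console.log("sanitized body:", JSON.stringify(sampleRequest.body));
  console.log("dropped keys:", sampleRequest.droppedOperatorKeys);
});
```

A sanitizer like this is a backstop, not a replacement for validation: the login handler should still reject a non-string `password` outright, since an empty object is not a valid credential either. Logging `droppedOperatorKeys` alongside the IP and user agent already captured in the audit log gives a cheap indicator of probing against the API.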

Your privacy rights

Under GDPR, UK GDPR, and CCPA/CPRA you have the right to access, correct, export, and erase your personal data, and the right to withdraw consent. To exercise these rights, contact us at privacy@ykolabs.com and we will respond within 30 days.

Californian residents: we do not sell or share your personal information for cross-context behavioral advertising.

Sub-processors and DPA

A complete and current list of sub-processors is published above. We will notify customers of additions or material changes at least 30 days in advance. Enterprise customers may request a countersigned Data Processing Agreement (DPA) by contacting privacy@ykolabs.com.

Reporting a security issue

We welcome responsible disclosure from security researchers. Please email security@ykolabs.com with steps to reproduce. We respond within 2 business days and will credit researchers (with permission) on this page once the issue is resolved.

Last updated: 9 May 2026