Trust and Security

How we protect your data and your clients' data.


Compliance

YKO Labs operates in compliance with major global privacy and payment standards. We focus on what is legally required to serve beauty, salon, barber, and personal care businesses worldwide.

✅ GDPR compliant (European Union)
✅ UK GDPR compliant
✅ CCPA / CPRA compliant (California)
✅ PCI DSS SAQ A compliant — payments are processed by Polar, a PCI DSS Level 1 certified Merchant of Record. YKO Labs systems never store, process, or transmit cardholder data.

Infrastructure

We build on infrastructure providers that hold their own SOC 2 Type II and ISO/IEC 27001 certifications. Your data inherits the physical, network, and operational security of these providers.

DigitalOcean — Backend hosting. SOC 2 Type II, ISO/IEC 27001
MongoDB Atlas — Database (isolated per tenant). SOC 2 Type II, ISO/IEC 27001, ISO 27018
Vercel — Frontend hosting and edge network. SOC 2 Type II, ISO/IEC 27001
Cloudflare — CDN, DDoS protection, image storage. SOC 2 Type II, ISO/IEC 27001
Polar (Stripe) — Payment processing (Merchant of Record). PCI DSS Level 1
Firebase / Google Cloud — Authentication. SOC 2, ISO/IEC 27001, ISO 27018
Twilio — SMS messaging. SOC 2 Type II, ISO/IEC 27001
Meta WhatsApp Business — WhatsApp messaging. ISO/IEC 27001
Google Gemini — AI content generation. SOC 2, ISO/IEC 27001
Datadog — Monitoring and logs. SOC 2 Type II, ISO/IEC 27001

Our security practices

Day-to-day controls implemented within the YKO Labs platform:

🔐 TLS 1.3 in transit; encryption at rest via managed database storage
🏢 Database isolation per tenant — each client has their own dedicated MongoDB database
🔑 Passwords hashed with bcrypt; dual JWT authentication with short-lived tokens; role-based access control
📜 Audit logs retained for up to 6 years, including IP address, user agent, and domain-level change deltas
🚦 Rate limiting on all endpoints (200 requests per 15 minutes globally, stricter on authentication)
🛡️ Helmet and Content Security Policy headers, MongoDB operator sanitization, and input validation on every request
💾 Daily automated database backups
📊 Real-time monitoring and structured logging with Datadog APM
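The operator sanitization and input validation controls listed above, as an added Node.js example that is not YKO Labs' own code: the function and middleware names are hypothetical, and it assumes an Express-style request object carrying body, query and params.

```javascript
// Added example (not YKO Labs' code): recursive MongoDB operator sanitization
// plus type-checked input validation for an Express-style request object.
// Keys that start with "$" or contain "." are dropped so a JSON body cannot
// smuggle query operators (e.g. {"$ne": null}) or dotted paths into a filter.
function sanitizeMongoOperators(value, report = { removed: [] }, path = '') {
  if (Array.isArray(value)) {
    return value.map((item, i) => sanitizeMongoOperators(item, report, `${path}[${i}]`));
  }
  if (value !== null && typeof value === 'object') {
    const clean = {};
    for (const [key, inner] of Object.entries(value)) {
      const keyPath = path ? `${path}.${key}` : key;
      if (key.startsWith('$') || key.includes('.')) {
        report.removed.push(keyPath); // recorded so the audit log can flag the attempt
        continue;
      }
      clean[key] = sanitizeMongoOperators(inner, report, keyPath);
    }
    return clean;
  }
  return value; // strings, numbers, booleans and null pass through unchanged
}

// Hypothetical Express-style middleware: sanitizes body, query and params in
// place and exposes the stripped key paths on req for structured logging.
function mongoSanitizeMiddleware(req, res, next) {
  const report = { removed: [] };
  for (const part of ['body', 'query', 'params']) {
    if (req[part] !== undefined) req[part] = sanitizeMongoOperators(req[part], report, part);
  }
  req.sanitizedKeys = report.removed;
  next();
}

// Input validation after sanitization: an operator object turned into {} is
// still not a string, so the login request is rejected rather than queried.
function validateLoginBody(body) {
  const errors = [];
  if (typeof body.email !== 'string' || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(body.email)) errors.push('email');
  if (typeof body.password !== 'string' || body.password.length < 8) errors.push('password');
  return errors;
}

// Constructed sample request: an operator in the password field and a dotted key.
const sampleRequest = {
  body: { email: 'owner@example-salon.test', password: { $ne: null }, 'profile.role': 'admin' },
  query: { sort: 'createdAt' },
};
mongoSanitizeMiddleware(sampleRequest, {}, () => {});
console.log(sampleRequest.sanitizedKeys, validateLoginBody(sampleRequest.body));
```

The stripped key paths are what a structured log or Datadog monitor would alert on, since a legitimate client never sends `$`-prefixed keys.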

Your privacy rights

Under GDPR, UK GDPR, and CCPA/CPRA, you have the right to access, correct, export, and delete your personal data, and the right to withdraw your consent. To exercise these rights, contact us at privacy@ykolabs.com, and we will respond within 30 days.

California residents: we do not sell or share your personal information for cross-context behavioral advertising.

Sub-processors and DPA

A complete and up-to-date list of sub-processors is published above. We will notify customers at least 30 days in advance of any additions or material changes. Enterprise customers may request a countersigned Data Processing Agreement (DPA) by contacting privacy@ykolabs.com.

Reporting a security issue

We welcome responsible disclosures from security researchers. Please email security@ykolabs.com with reproduction steps. We respond within 2 business days and, upon resolution of the issue, credit researchers (with their permission) on this page.

Last updated: 30 June 2026