Legal

We govern ourselves too

A governance platform should be held to the same standard it sets for others. This is where we publish what we're accountable to: how we handle your data, what rights you have, what we commit to on security, and who to contact when something comes up.

yes-Security Inc. is incorporated in Delaware. TrustedStack is our product.

Last reviewed: January 1, 2026 · Questions? security.compliance@yes-security.com

Your data rights

If you are in the EU, EEA, UK, or California, you have legally enforceable rights over your personal data. GDPR provides these rights to EU/EEA residents; CCPA provides similar rights to California residents.

Access: Request a copy of all personal data we hold about you.
Correction: Ask us to fix inaccurate or incomplete records.
Deletion: Request that we delete your account and associated data, subject to legal retention requirements.
Portability: Export your data in a machine-readable format (JSON or CSV).
Objection: Object to processing based on our legitimate interests, including direct marketing.
Restriction: Ask us to pause processing while a dispute is resolved.
Opt-out (CCPA): California residents can opt out of the sale or sharing of personal information. We do not sell personal data.

To submit a request, email security.compliance@yes-security.com with the subject line "Data Rights Request." We respond within 30 days. Requests are free of charge; we may ask you to verify your identity before processing.

Security and compliance

TrustedStack is purpose-built for regulated industries. Our security controls align with the frameworks below. For a full security questionnaire or penetration testing report, contact us directly.

Encryption in transit: TLS 1.2+
Encryption at rest: AES-256
Security framework: NIST CSF
Information security: ISO 27001
AI governance: ISO 42001
Service organization controls: SOC 2 aligned
Breach notification: Within 72 hours (GDPR Article 33)
Access control model: Role-based (RBAC), principle of least privilege
Authentication: Multi-factor authentication supported
Vulnerability management: Regular assessments and third-party audits

Security disclosures and vulnerability reports go to security.compliance@yes-security.com.

Enterprise customers

Enterprise plans include the following additional legal documents. Contact us to request any of these.

Data Processing Agreement (DPA): Required under GDPR Article 28 when we process personal data on your behalf. Covers processing scope, subprocessor obligations, data subject rights support, Standard Contractual Clauses for international transfers, and audit rights.
Subprocessor list: A current list of third-party vendors we use to deliver the service, with their locations and processing purposes. We notify customers of subprocessor changes in advance.
Business Associate Agreement (BAA): Available for customers operating in healthcare contexts where HIPAA applies. Covers protected health information handling and breach notification obligations.
Security questionnaire: We maintain a completed standard security questionnaire (CAIQ / SIG Lite format). Available to enterprise prospects under NDA.

Email security.compliance@yes-security.com to request enterprise documents. We typically respond within 3 business days.

Cookies and tracking

Our website uses cookies in three categories:

Essential: Required for the site to function. Cannot be disabled. Examples: session tokens, CSRF protection.
Analytics: Help us understand how visitors use the site (page views, referrers, session duration). No cross-site tracking.
Preferences: Remember your settings, such as theme (light/dark). Stored in localStorage, not transmitted to third parties.

You can disable non-essential cookies in your browser settings. This does not affect your ability to use TrustedStack.

Company details

Legal entity: yes-Security Inc.
Product: TrustedStack™
Incorporation: State of Delaware, USA
Governing law: State of Delaware
Dispute resolution: Exclusive jurisdiction of Delaware courts

Policy updates

We update these policies when our practices change, when laws require it, or when we add new features that affect data processing. Material changes get a 30-day advance notice by email if you have an account. The "last reviewed" date at the top of each policy reflects when it was last substantively changed. Minor edits (typos, formatting) do not change the date.

Have a legal question?

For privacy questions, data rights requests, DPA inquiries, security questionnaires, or anything else covered on this page, reach out directly. We don't have a legal ticketing system — just email.

security.compliance@yes-security.com