Security
At YCharts, we know that customer data is valuable and needs to be safeguarded. As a cloud-based SaaS company, customers have entrusted us to protect their information – a responsibility we take very seriously. From our C-suite leaders to the employees that make YCharts everything that it is, we take the utmost care and actively work to prioritize and protect our customers’ data through comprehensive security program policies, procedures, practices, and controls.
Security Practices in Place
Data Backup
To ensure the availability of data, both for YCharts and YCharts’s customers, complete backups are performed daily so that data remains available when it is needed and in the event of a disaster. YCharts stores customer data in a secure production account in AWS, using a combination of RDS, ElastiCache, and S3 databases. By default, Amazon S3 provides durable infrastructure to store important data and is designed for durability of 99.999999999% of objects.
Data Encryption
To protect the confidentiality, integrity, authenticity, and nonrepudiation of information, YCharts utilizes cryptographic controls to ensure our client data is always encrypted at rest and in transit. All external data transmission is encrypted end-to-end using AES-256 (256-bit keys) managed by YCharts. This includes, but is not limited to, cloud infrastructure, third-party vendors, and applications. All internet and intranet connections are encrypted and authenticated using TLS 1.2, which includes a strong protocol, a strong key exchange, and a strong cipher.
Data Protection
YCharts uses AWS CloudWatch, Datadog, and PagerDuty to monitor the entire cloud service operation. If an alert is triggered, key personnel are notified by text, chat, and/or email message in order to take appropriate corrective action. YCharts uses a security agent to monitor production systems. The agents monitor system activities, generate alerts on suspicious activities, and report vulnerability findings to a centralized management console.
Data Subject Request
YCharts has extended its Data Protection and Privacy commitment to ensure we meet State and International regulatory guidelines. We have provided enhanced protection of personal data for data subjects of relevant States and Countries.
If you have any questions or requests related to your Personal Information as a Data Subject, including your right to request to view or delete your Personal Information, please see our Data Subject Page or reach out directly to our Data Protection Officer via dataprotection@ycharts.com.
Business Continuity and Disaster Recovery
YCharts leverages Amazon Web Services (AWS) for hosting its production and staging environments. Data is replicated across multiple availability zones within US regions for redundancy, disaster recovery, and to ensure high availability for our users. YCharts has policies and procedures in place to ensure that we continue to provide critical services during a disruption resulting from a disaster.
Risk and Vulnerability Management
In an effort to stay ahead of the ever-changing security landscape, YCharts conducts an annual Penetration Test of our web application (View a copy here). Identified vulnerabilities are prioritized and remediated based on severity and business impact.
YCharts conducts monthly vulnerability scans of our production application to identify potential vulnerabilities that could impact our systems. In addition, members of the Security Committee meet to proactively search for and act upon security bulletins and alerts that are applicable to the company’s IT infrastructure. All vulnerability findings must be reported, tagged, and tracked to resolution in accordance with the defined SLAs.
Responsible Disclosure
YCharts hosts a bug bounty program to allow for the reporting and disclosure of vulnerabilities discovered by external entities. This program assists in identifying and resolving vulnerabilities and flaws before they can be exploited.
Secure Software Development
YCharts has implemented policies, procedures, and processes that guide the approval, planning, and life-cycle development of YCharts software systems in alignment with the Information Security Program. YCharts has established and maintains processes for ensuring that its computer applications and systems follow an SDLC process that is consistent and repeatable, and that maintains information security at every stage.
System Access Control
Access to YCharts systems and applications is limited for all users, including but not limited to workforce members, volunteers, business associates, contracted providers, and consultants. Access by any other entity is allowable only on a minimum necessary basis. All users are responsible for reporting an incident of unauthorized use or access to the organization’s information systems. All access to YCharts systems and services is reviewed and updated on a monthly basis to ensure proper authorizations are in place commensurate with job functions. Access to YCharts Production and Staging environments requires strong multi-factor authentication and VPN access.
Information Security
YCharts’ Information Security Policy has been developed to establish a general approach to information security and the minimization of information misuse, compromise, or loss; document security processes and measures; uphold ethical standards and meet the company’s regulatory, legal, contractual, and other obligations; control business risk; and ensure that the appropriate company image and reputation are presented. (View a copy of our Information Security Policy here)
Incident Response
YCharts has implemented policies, procedures, and processes to establish controls that ensure the detection of security vulnerabilities and incidents, as well as a quick reaction and response to security breaches.
Compliance Certifications
Data security is a top priority at YCharts. Our security and compliance team is dedicated to creating and maintaining secure systems, processes, and controls at every level of the company. YCharts complies with SOC 2 Type I & Type II standards as set forth by the American Institute of Certified Public Accountants (AICPA).
Vulnerability Disclosure Program
We value and encourage input regarding security vulnerabilities that may impact our website and web application. To facilitate secure and efficient reporting, YCharts has partnered with BugCrowd to manage submissions. Reports can be submitted using the form below or by email to ycharts-vdp-ess@submit.bugcrowd.com. Our team, in collaboration with BugCrowd’s security and compliance experts, will review and respond to valid reports within 30 business days of submission.
Program Scope
We focus on addressing vulnerabilities that pose a genuine risk to our website, web application, and users. Please note that the following items are considered out of scope for this program:
Out of Scope:
- Denial of Service (DoS) attacks
- Brute force attacks
- Automated vulnerability scanning tools or scripts
- Attacks requiring Man-in-the-Middle (MITM) techniques or physical access to user devices
- Vulnerable libraries without a working Proof of Concept (PoC)
- Social engineering attacks, including but not limited to:
  - Phishing
  - Email authentication vulnerabilities (e.g., SPF, DKIM)
  - Hyperlink injection in emails
- Public zero-day vulnerabilities with official patches released within the last month
- Known public files or directories (e.g., robots.txt)
- Issues requiring unlikely user interaction
- Vulnerabilities specific to subpages of the go.ycharts.com domain
- Issues affecting users of outdated or unpatched browsers
We appreciate your understanding and adherence to the program’s scope. For any valid findings, your contributions will help us maintain the security and reliability of our platform.