Security

Security & Compliance

We make every effort to ensure your security and protect your data.

Please contact us with any questions or issues. Find details on our security, compliance, and data protection policies below.

At Yardstik, security is built into everything we do. Our Software Development Lifecycle brings security into the Define, Design, Build, and Deployment phases. We take an iterative approach to Software Development and during development cycles we include security and feature enhancements, ensuring that we are maintaining a constant stream of improvements in our platform.

Software patches are released as part of our Continuous Integration (CI) process. Our CI process code is tested and scanned before it makes it to our production environments. Vulnerability scans are run against all applications to ensure they protect against OWASP top 10 and other prominent security vulnerabilities. Package scanning is used to validate that all code libraries and system/container packages are free of insecurities.

Yardstik uses a layered encryption approach. All network traffic must use TLS with a minimum version and cipher suite that removes unsafe protocols. Data volumes used to store any business data or PII are required to be encrypted. All PII and sensitive data stored in the production database is encrypted at the column level. Coupled with Role-Based Access Controls in the application, this ensures that only authorized personnel has access to see customer data, and only what they need to see in order to perform their job function.

For our internal systems and integrations, we leverage SSO and Multi-Factor Authentication wherever possible and access is reviewed quarterly to ensure that access is appropriate for the role.

All Yardstik employees take regular security and privacy awareness training that blends security into technical and non-technical roles. All Engineers are required to have training on OWASP Top 10 security. These training sessions are a part of our onboarding process and are refreshed at least annually after that.

Physical Security

Yardstik production infrastructure is hosted in trusted Cloud Provider facilities. Physical and environmental security-related controls follow the AWS Shared Security Model and ensure that access to DataCenters is restricted to authorized personnel at the entry and building entrances by professional security staff.

Decommissioning hardware is managed by our infrastructure provider using a process designed to prevent customer data exposure. AWS uses techniques outlined in DoD 5220.22-M (“National Industrial Security Program Operating Manual “) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data. For additional information see AWS Security.

Corporate facilities are leased in a shared building with access restricted at the building entrance and into the Yardstik office area. Badges must be scanned to gain entrance, and Role-Based Access Controls ensure that only authorized personnel has access to specific sections of the office. All visitor access is logged and recorded, and all entrances have video cameras and recordings are logged to servers and saved in a restricted room.

Yardstik is committed to privacy and provides a high standard of privacy protection to all our consumers and customers. We apply stringent individual privacy protections for all candidates and account users, and work to ensure that the data we collect is used only for its intended purposes.

Yardstik utilizes enterprise-grade best practices to protect our customers’ data, works with independent experts to verify its security and compliance controls, and has achieved a SOC 2 report against stringent standards.

SOC 2 Report

We work with an independent auditor to maintain a SOC 2 report, which objectively certifies our controls to ensure the continuous security of our customers’ data.

Developed by the Assurance Services Executive Committee (ASEC) of the AICPA, the Trust Services Criteria is the set of control criteria to be used when evaluating the suitability of the design and operating effectiveness of controls relevant to the security, availability, or processing integrity of information and systems, or the confidentiality or privacy of the information processed by the systems at an entity, a division, or an operating unit of an entity.

Continuous Security Control Monitoring

Yardstik uses Drata’s automation platform to continuously monitor 100+ security controls across the organization. Automated alerts and evidence collection allow Yardstik to confidently prove its security and compliance posture any day of the year while fostering a security-first mindset and culture of compliance across the organization.

Yardstik utilizes enterprise-grade best practices to protect our customers’ data, works with independent experts to verify its security and compliance controls, and has achieved a SOC 2 report against stringent standards.

Employee Trainings

Security is a company-wide endeavor. All employees complete an annual security training program and employ best practices when handling customer data.

Penetration Tests

Yardstik works with industry-leading security firms to perform annual network and application layer penetration tests.

Secure Software Development

Yardstik utilizes a variety of manual and automatic data security and vulnerability checks throughout the software development lifecycle.

Data Encryption

Data is encrypted both in transit using TLS and at rest.

Vulnerability Disclosure Program

If you believe you’ve discovered a bug in Yardstik’s security, please get in touch at security@yardstik.com. Our security team promptly investigates all reported issues.

Yardstik operates in compliance with all governing laws and regulations applicable to Consumer Reporting Agencies (CRA).

Background Screening for employment purposes is governed by the Fair Credit Reporting Act (FCRA) and applicable state laws. Under the FCRA, employment purposes cover independent contractors, volunteers, and internships.

There are also many states that have separate state laws in addition to the FCRA. There are also states/cities that have enacted ban-the-box laws to aid in compliance with the Equal Employment Opportunity Commission (EEOC).

PBSA Accreditation

Yardstik was awarded the Professional Background Screening Association (PBSA) accreditation in July of 2022. This accreditation is valid for 5 years before renewal.

PBSA accreditation is considered the ultimate classification for Consumer Reporting Agencies (CRA) and is a globally recognized seal of approval. It entails a thorough 3rd-party audit of policies, procedures, and documentation.

PBSA accreditation maintains compliance standards in the following areas:

  • Information Security
  • Legal and Compliance
  • Client Education
  • Researcher and Data Standards
  • Verification Service Standards
  • Business Practices

Even though Yardstik works tirelessly to ensure our product is secure and safe, you may have concerns or questions. If you have a security question or concern, you may reach out to security@yardstik.com. Our security team will respond within 24 hours.

If you discover a technical issue or have more general questions, contact our support team at support@yardstik.com.