Trust centre

Security claims should map to verifiable controls

This page separates controls visible in the application from planned safeguards and details that must be confirmed for the production environment. It does not imply certification or guaranteed protection from incidents.

01
Identity

Sessions · credentials · role controls

02
Application

Validation · rate limits · audit events

03
Data

Encryption · retention · backups

04
Infrastructure

Network boundaries · secrets · monitoring

Control register

Current status, without borrowed certainty

The stack visual groups the control areas a production service should address. The register below is the status statement; visual labels alone are not claims of implementation.

Implemented in the application

  • Authenticated account and session controls
  • Protected access to account-scoped application routes
  • Server-side handling of service credentials and secrets

Planned or environment-dependent

  • Role and organisation access beyond current account controls
  • Expanded security-event monitoring and audit coverage
  • Documented backup, recovery and incident-response exercises

Production disclosure required

  • Hosting region, infrastructure boundaries and relevant subprocessors
  • Encryption-at-rest, retention and backup details for each production store
  • AI prompt routing, logging, retention and deletion behaviour

Control stack

Defence is layered

Identity, application, data and infrastructure controls address different failure modes. A control is meaningful only when configured, monitored and tested in the environment where users rely on it.

Identity

Sessions, credential handling, account recovery and least-privilege access.

Application

Input validation, service authorization, rate limits and security-relevant events.

Data

Purpose limitation, retention, encryption, backup and deletion behaviour.

Infrastructure

Secret management, network boundaries, monitoring, patching and recovery.

Incident readiness

Detect, contain, communicate, recover

Production readiness should define ownership, investigation, containment, user communication, restoration and post-incident improvement. Recovery objectives and notification commitments should not be invented before they are approved and tested.

Claims boundary

No certification by implication

Yugalinks does not claim “bank-grade” security, immunity from incidents, or certifications and compliance status not explicitly published with evidence. This page should evolve as production controls are verified.

Need a control clarified?

Contact Yugalinks for the currently available security and data-handling information.