Security

Our approach to protecting your data and building trust

Security Overview

At YAVIQ, we take security seriously. We implement industry-standard practices to protect your data, but we believe in being transparent about what we do and don't claim. This page outlines our security approach without overpromising.

We are an early-stage infrastructure SaaS company. We follow security best practices, but we do not currently hold formal compliance certifications like SOC2, ISO 27001, or HIPAA. We are committed to continuous improvement and may pursue certifications as we grow.

Data Handling Principles

Minimal Data Collection

We only collect and process data necessary to provide the Service. By default, we do not store your optimization inputs permanently. Processing is ephemeral unless you explicitly enable logging.

No Model Training

We do not use your data to train AI models. Your inputs are processed for optimization only, and your content is not used to improve our algorithms.

User Data Ownership

You retain full ownership of your data. We process it on your behalf but do not claim ownership or use it for purposes beyond providing the Service.

API Key Safety

YAVIQ API Keys

Your YAVIQ API keys are stored securely using industry-standard hashing. We never display your full API key after creation—only a masked version for identification.

  • API keys are hashed using secure algorithms
  • Keys are transmitted only over encrypted connections (HTTPS)
  • You can rotate or revoke keys at any time from your dashboard

LLM Provider Keys

If you use YAVIQ's optimize-and-run feature, you may provide LLM provider API keys (OpenAI, Anthropic, Google). These keys are:

  • Used only for the specific optimization request
  • Not stored permanently on our systems
  • Transmitted securely to the respective LLM providers
  • Never shared with third parties

Best Practice: We recommend using LLM provider keys with limited scopes and rotating them regularly.

Encryption

Encryption in Transit

All data transmitted between your systems and YAVIQ is encrypted using TLS 1.2 or higher. This includes:

  • API requests and responses
  • Dashboard access
  • SDK communications

Encryption at Rest

Data stored on our systems (account information, usage metadata, logs) is encrypted at rest using industry-standard encryption algorithms.

Access Control

Authentication

We use secure authentication methods:

  • OAuth 2.0 for social login (Google, GitHub)
  • API key authentication for programmatic access
  • Session management with secure tokens

Authorization

Access to your account and data is restricted to:

  • You (the account owner)
  • Authorized team members (if using team accounts)
  • YAVIQ support staff (only when you request assistance)

Internal Access

YAVIQ employees and contractors only access systems and data necessary for their roles. Access is logged and reviewed regularly.

Logging & Monitoring

What We Log

We maintain logs for:

  • API request metadata (endpoint, timestamp, token counts, user ID)
  • Error logs for debugging
  • Authentication and authorization events
  • System performance metrics

Important: By default, we do not log your actual input content unless you explicitly enable logging for debugging purposes.

Monitoring

We monitor our systems for:

  • Unusual access patterns or potential security threats
  • System performance and availability
  • Error rates and anomalies

What We Do NOT Claim

We believe in honesty. Here's what we do not currently have or claim:

  • SOC2 Certification: We do not currently hold SOC2 Type II certification. We may pursue this as we grow.
  • ISO 27001: We do not hold ISO 27001 certification.
  • HIPAA Compliance: We are not HIPAA-compliant. If you need HIPAA compliance, please contact us to discuss options.
  • 100% Uptime Guarantee: We do not guarantee 100% uptime. We strive for high availability but cannot promise perfection.
  • Zero-Liability Security: While we take security seriously, we cannot guarantee absolute security. No system is 100% secure.

What We Do Well

  • Transparent Data Handling: We clearly communicate what data we collect and how we use it.
  • Minimal Data Retention: By default, we don't store your optimization inputs permanently.
  • Encryption: All data is encrypted in transit and at rest.
  • Regular Security Reviews: We conduct regular security assessments and updates.
  • Responsive Security Team: We respond promptly to security concerns and vulnerabilities.

Responsible Disclosure

If you discover a security vulnerability in YAVIQ, we appreciate your help in disclosing it responsibly.

How to Report:

  • Email security details to: security@yaviq.com
  • Include steps to reproduce the vulnerability
  • Allow us reasonable time to fix before public disclosure
  • Do not access or modify data that doesn't belong to you

We will acknowledge receipt within 48 hours and work with you to address the issue. We appreciate security researchers who help us improve.

Security Contact

For security-related inquiries:

Security Issues: security@yaviq.com

General Support: hello@yaviq.com