Cookie preferences

YARDtwin uses essential cookies for authentication and session management. We don’t currently set analytics or marketing cookies, but our cookie policy categorises them ahead of any future change. Read our Privacy Policy, GDPR Policy, and Cookie Policy.

Security at YARDtwin

How we protect customer data, keep the platform available, and stay compliant with EU GMP Annex 11, 21 CFR Part 11, and GDPR.

Score 4.8/5.00 pentest findingsEU/EEA data residencyGDPR compliant

Platform & hosting

YARDtwin runs on Microsoft Azure with Norway East compute and Sweden Central for data, registry, and secrets. All customer data stays within the EU/EEA, compliant with GDPR Articles 44–49.

App Service (Linux Container) — Norway East
Azure PostgreSQL Flexible Server — Sweden Central
Azure Blob Storage — Norway East, private containers
Azure Key Vault — Sweden Central, RBAC-controlled
Azure Front Door + WAF — Prevention mode
Log Analytics + Microsoft Sentinel — 90-day retention

Network & transport security

Control	Implementation	Status
TLS	TLS 1.3 with AES-256-GCM via Azure	Verified
WAF	Azure Front Door WAF (Prevention mode)	Active
HSTS	2-year max-age with preload	Verified
HTTPS-only	App Service enforced	Verified
DB firewall	Azure-only + admin IP allowlist	Verified

Authentication & access control

Control	Implementation	Status
Password policy	8+ chars, upper, lower, number, special	Enforced
Breach check	HIBP k-anonymity lookup on signup / change	Active
MFA	TOTP (Google/Microsoft Authenticator)	Available
SSO/SAML	SAML 2.0 (Azure AD, Okta, Google Workspace)	Active
Brute force	5 attempts, 15-min lockout (429)	Active
JWT tokens	1-hour access, 7-day refresh	Active
RBAC	8 roles with route-level enforcement	Active
Tenant isolation	Every query filtered by tenant_id	Verified

Data protection

Control	Implementation	Status
Encryption at rest	Azure PostgreSQL AES-256	Active
Encryption in transit	TLS 1.3	Active
Password hashing	bcrypt (12 rounds)	Active
Parameterized SQL	154 queries, 0 concatenation	Verified
Secrets	Azure Key Vault	Active
Audit trail	Append-only, ALCOA+ compliant	Active

Content Security Policy

Strict CSP with per-request nonces on scripts (no unsafe-inline). Full set of security headers returned on every response: HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy.

Testing & validation

Independent penetration testing on 17–18 April 2026 (10 OWASP categories, 36 payloads): 0 vulnerabilities.Functional security testing on 11 April 2026 covering 1,890+ API calls across 270 appointments: 0 failures.Annual third-party pentest scheduled and SOC 2 Type II audit in progress.

Compliance

EU GMP Annex 11 — Data integrity (ALCOA+), append-only audit trail, electronic records, access control, validated
21 CFR Part 11 — Electronic records, audit trail, attribution, seal chain of custody
GDPR — Data portability (JSON + CSV), DSAR workflow, consent tracking, EU/EEA-only residency
SOC 2 Type II — Audit in progress

Documents & templates

Data Processing Agreement (DPA) template — for enterprise review & signature
GDPR policy
Privacy policy
security.txt

Responsible disclosure

We welcome reports from security researchers. Email admin@yardtwin.comwith a description of the finding and steps to reproduce. We acknowledge receipt within 2 business days and aim to patch critical issues within 7 days. Please do not publicly disclose vulnerabilities before we have had a chance to remediate.

Last updated: April 2026 · yardtwin.com

Hi there! Start your free trial in 2 minutes — I'll help you set everything up!