Skip to content
Start Free Trial

Your Data Protection

 

Security & Data Handling

How Yirla keeps your data safe.

A practical guide to our security, privacy, and data handling practices. Whether you're evaluating Yirla or already a customer, this page gives you everything that you need to know.

The Short Version

  • Yirla connects to your ad platforms via secure OAuth2 APIs with read-only access
  • Campaign data is retained for 12 months for audit and debug purposes, encrypted at rest using AES-256
  • No PII is collected, stored, or processed.  Ever
  • Customer data is never used to train AI models
  • Tenant data is fully isolated.  There is no shared query context across customers
  • No standing admin access.  All privileged access is time-bound, MFA-protected, and audited
  • SOC 2 Type I audit is in progress
  • DPA and Mutual NDA available upon request

Data Access

  • Yirla connects to ad platforms via secure, permissioned OAuth2 APIs
  • Access is read-only.  We cannot modify campaigns, bids, budgets, or creatives
  • We ingest advertising performance metadata only: impressions, clicks, spend, creatives, timestamps, and aggregate-level targeting attributes
  • We do not access user-level identifiers, emails, IPs, or LinkedIn member data
  • Customers can revoke access at any time via the underlying ad platform

Data Storage & Retention

  • Raw campaign data is stored immutably for audit and debug purposes with a 12-month default retention period
  • All data at rest is encrypted using AES-256 via AWS-managed KMS keys
  • Customers can request deletion at any time.  Deletes propagate across raw, derived, and backup layers
  • Encrypted backups are stored in separate, access-restricted accounts and tested quarterly
  • Customer-managed encryption keys (CMK) available for enterprise contracts

Data Isolation

  • Data is logically isolated by tenant at every layer: ingestion, storage, query, and application logic
  • There is no shared query context across customers
  • Customer data is never mixed across tenants

AI & Model Usage

  • Customer data is not used to train foundation models or any third-party AI models
  • AI analysis operates on campaign-level signals only.  No PII is involved
  • If a data source unexpectedly includes PII, it is rejected at ingestion

Access Control

  • Role-based access control (RBAC) enforced across the application and infrastructure
  • MFA required for all privileged accounts
  • There is no standing "God mode" access. Privileged access is time-bound and uses break-glass procedures with post-incident review
  • Only a small, role-restricted subset of engineers can access customer data for support or debugging, and only with explicit approval
  • All access is logged
  • Secrets (API keys, tokens) are stored in AWS Secrets Manager, rotated regularly, and never hard-coded or logged

Infrastructure

  • Hosted on Amazon Web Services (AWS), United States
  • Encryption in transit via TLS 1.2+ — including internal service-to-service traffic
  • Centralized logging with immutable audit logs (AWS S3 with Object Lock — WORM storage)
  • Infrastructure activity logs via AWS CloudTrail
  • Security monitoring and alerting via AWS GuardDuty
  • Network egress is restricted and anomalous access patterns trigger real-time alerts

Sub-Processors

Sub-processor Purpose
Amazon Web Services (AWS) Primary infrastructure, hosting, encryption, logging, and monitoring
Google AI model processing and analysis

Compliance & Certifications

  • SOC 2 Type I audit is in progress
  • Architecture is GDPR and CCPA aligned — PII-free by design
  • Permission-based access and activity logging provide audit readiness for internal security reviews
  • Security reviews supported upon request

Documents

DPA and Mutual NDA are available for vendor evaluation. Email hello@yirla.com to request either document or with any additional security questions.

Frequently Asked Questions

What customer data does Yirla collect? Advertising performance metadata only — impressions, clicks, spend, creatives, and aggregate targeting attributes. No PII, user-level identifiers, emails, or IPs.

Do you store raw data? Yes. Raw data is stored immutably for audit and debug purposes with a 12-month default retention period. All stored data is encrypted using AES-256.

Is any PII stored or processed? No. Yirla's data model is explicitly PII-free. If a source unexpectedly includes PII, it is rejected at ingestion.

Is customer data ever mixed across tenants? No. Data is logically isolated by tenant at every layer — ingestion, storage, query, and application logic.

Do you train AI models on customer data? No. Customer data is never used to train foundation models or third-party AI models.

Can Yirla write back to our ad platforms? No. Yirla is read-only. We cannot modify campaigns, bids, budgets, or creatives.

What happens if our credentials are compromised? Credentials are scoped read-only and can be revoked instantly. A compromise does not expose PII or cross-tenant data.

Are you SOC 2 certified? Not yet — SOC 2 Type I is in progress. We support security reviews upon request and can provide documentation to assist with your vendor evaluation.

Do you offer a DPA or NDA? Yes. Email hello@yirla.com to request either.

Do you support security reviews? Yes. Email hello@yirla.com and we'll get you what you need.

Questions not covered here? Email hello@yirla.com

 

Stop Guessing, Start Knowing

Start your 30-day free trial
llms.txt