Security at Yottaa
- Updated on Jul 14, 2025
- Published on Jul 10, 2025
Yottaa’s Promise
At Yottaa, we take the security and privacy of your data seriously. As an eCommerce site speed and performance solution, we know that securing shopper, site, and application data is foundational to delivering fast and reliable digital storefronts. We understand that when you trust us with your website performance optimization, you’re also trusting us with sensitive information about your users and your business.
What We Do
Yottaa optimizes your website’s performance through our Real User Monitoring (RUM) technology. We collect data about how real users experience your website to help you identify and fix performance issues that could be impacting your business. Performance insights depend on data, and we treat every interaction with the rigor required to protect shopper trust and business continuity.
What Data We Collect
Through our RUM technology, we collect:
- User interactions and browsing behavior
- Session metrics and performance data
- Page load times and resource loading patterns
- Conversion events and revenue
- Cache management data
Any personally identifiable information (PII) about your website visitors that may be captured, such as names, email addresses, or other personal details, is masked, encrypted, and deleted when technically feasible.
For detailed information about our data collection practices, please see our Privacy Policy.
How We Protect Your Data
Infrastructure Security
We use reputable cloud providers with robust security measures to host our production infrastructure. Our systems run on secure, encrypted environments with multiple layers of protection.
Data at rest is encrypted using industry-standard AES-256 encryption. All data in transit is protected using encryption protocols to ensure information cannot be read or modified without authorization.
Access Controls
We follow the principle of least privilege – team members only have access to the data and systems they need to do their jobs. All access is authenticated and regularly reviewed.
We use multi-factor authentication (MFA) wherever possible and maintain strict password security standards. User account passwords are stored using cryptographic hashing and salting.
Network Security
Our network infrastructure includes:
- Secure network perimeters with regularly updated firewalls
- Network segmentation to isolate different environments
- Intrusion detection systems to monitor for threats
- DDoS protection through AWS Shield
Monitoring and Detection
We continuously monitor our systems for security threats and unusual activity. Our team uses automated tools and manual processes to detect and respond to potential incidents quickly.
All system activities are logged and regularly analyzed. We maintain comprehensive audit logs to track access and changes to our systems.
Data Handling and Retention
We classify all data as either Public or Sensitive, with Sensitive being the default classification. All customer data is treated as Sensitive and handled accordingly. You can find details about our data classification and handling requirements in our Acceptable Use Policy.
We maintain clear data retention policies and only keep data for as long as necessary to provide our services. When data is no longer needed, it’s securely deleted according to our established procedures.
We will never sell or transfer your sensitive data to third parties without your explicit consent. Our full data handling practices are outlined in our Privacy Policy.
Product Security
Secure Development
Our development process includes:
- Storing all code in secure, access-controlled repositories
- Requiring code review before any change goes to production
- Keeping development, testing, and production environments separate
- Regular security testing, including annual third-party penetration testing
Vulnerability Management
We actively monitor for security vulnerabilities in our systems and third-party components. Security patches are prioritized and applied as quickly as possible.
We use automated tools to identify vulnerabilities in open-source components and maintain an inventory of all third-party software we use.
Partner Services Security
Through our product partnerships, we offer additional services that enhance your website’s security and performance. When you choose these services, you benefit from the security standards maintained by our trusted partners:
Fastly Edge Cloud Services
We offer Fastly Edge Cloud services to amplify content delivery and reduce latency for your website. When you use Fastly services through our platform, your data is subject to Fastly’s security practices and standards.
For detailed information about Fastly’s security practices, please visit their Trust Center.
HUMAN’s Defense Platform Services
We offer HUMAN’s Defense Platform services to provide advanced protection against sophisticated threats. Yottaa’s experts carefully orchestrate these security measures to safeguard your site from attacks while maintaining optimal performance. When you use HUMAN services through our platform, your data is subject to HUMAN’s security and privacy standards.
For more information about HUMAN’s data security and privacy practices, please visit their Data Security and Privacy FAQ.
Compliance and Standards
Yottaa maintains compliance with industry standards and regulations:
- ISO 27001:2022 – We follow ISO 27001 standards for information security management
- GDPR – We comply with European data protection regulations
- CCPA – We meet California privacy law requirements
We undergo regular security audits and assessments to verify our compliance with these standards.
Incident Response
We maintain a comprehensive incident response plan that’s tested annually. If a security incident occurs, we have procedures in place to:
- Quickly contain and assess the impact
- Notify affected customers in accordance with legal requirements
- Remediate the issue and prevent future occurrences
- Conduct post-incident reviews to improve our security
Business Continuity
We’ve designed our systems for high availability and maintain disaster recovery procedures to ensure minimal disruption to our services. Our architecture includes redundancy and automated failover capabilities.
Regular backups are maintained for critical data and systems, and we test our recovery procedures to ensure they work when needed.
Third-Party Security
We carefully vet all third-party vendors and service providers. Our vendor agreements include security requirements and data protection clauses.
We maintain an inventory of all vendors and conduct annual reviews to ensure they continue to meet our security standards. You can find our current list of subprocessors here.
Team Training and Awareness
All Yottaa team members receive regular security training, including:
- Security awareness training twice per year
- Annual phishing simulations with follow-up training for those who need it
- Specific training on handling sensitive data and privacy requirements
Our security team stays current with the latest threats and best practices through ongoing professional development. All personnel are required to acknowledge and follow our security policies, including our Acceptable Use Policy.
Physical and Endpoint Security
Our team works with company-issued devices that are encrypted and protected with endpoint detection and response (EDR) software.
We maintain strict policies around the use of company equipment and the handling of sensitive data on personal devices. These policies are detailed in our Acceptable Use Policy.
Reporting Security Issues
If you discover a security vulnerability in our systems, please report it to us immediately at secops@yottaa.com. We take all security reports seriously and will respond promptly.
Questions?
If you have questions about our security practices or need additional information for your security review, please contact our Security and Compliance team at secops@yottaa.com.
We’re committed to maintaining the highest standards of security and privacy to safeguard the trust you place in us. Security isn’t just a feature for us – it’s fundamental to everything we do.