Yena is built for agencies handling sensitive candidate and client information every day. Security, privacy, and compliance are embedded into every layer of the Platform. Recruiting data is confidential by nature — from encryption to EU-hosted infrastructure, your ATS and CRM data stays safe, private, and fully under your control.
Operator: SIA "New Tech" (Sabiedrība ar ierobežotu atbildību "New Tech")
Registered Office: Mazā Nometņu iela 31, Rīga, LV-1002, Latvia
Commercial Register (Komercreģistrs): 40203731548
Security contact: [email protected]
Recruitment data is confidential by nature. Yena is designed to handle candidate, client, and user data responsibly, transparently, and securely — aligned with the EU General Data Protection Regulation (GDPR), Latvian data-protection law, and sector-recognised security frameworks.
Yena follows internationally recognised security standards and maintains a comprehensive set of controls, policies, and procedures to protect customer and candidate data. Our program is aligned with ISO/IEC 27001 controls and is operated in conjunction with SOC 2 Type I controls for the services we provide to paying customers.
Yena never uses Client Data — including anonymised or aggregated Client Data — to train, fine-tune, validate, or improve any foundation model, whether operated by Yena, its affiliates, or any third-party provider. The same restriction is imposed by contract on every AI sub-processor used to deliver our AI Features. Your information remains yours and is never repurposed for external AI training.
Yena designs its AI Features consistent with Regulation (EU) 2024/1689 (the EU AI Act). AI outputs are presented as decision support. Human review is required for any decision producing legal or similarly significant effects on a candidate. Where a feature is classified as high-risk under the AI Act, Yena maintains technical documentation, logging, risk management, and human-oversight mechanisms appropriate to that classification.
Yena's primary production infrastructure is hosted within the European Union, in Frankfurt, Germany (AWS eu-central-1). A secondary Postgres database is operated by Supabase in Basel, Switzerland, a jurisdiction recognised by the European Commission as providing an adequate level of protection under Article 45 GDPR.
Daily encrypted database backups are taken automatically and retained for seven (7) days in an EU-hosted backup location. Backups are tested periodically as part of Yena's disaster-recovery program.
Where a limited set of sub-processors operates outside the EEA and no adequacy decision applies, Yena relies on Standard Contractual Clauses (SCCs) under Article 46 GDPR together with supplementary measures — including encryption in transit and at rest, strict access controls, and contractual prohibitions on onward transfer.
All traffic to and from the Yena Platform is encrypted using TLS 1.2 or higher, with modern cipher suites and HSTS enabled. Public endpoints are served exclusively over HTTPS.
Databases, object storage, and backups are encrypted at rest using AES-256 (or equivalent) encryption provided by our cloud infrastructure. Encryption keys are managed by the underlying cloud provider's key-management service and are rotated in accordance with industry best practice.
Only approved End Users can access their workspace. Data is logically isolated per customer tenant, and role-based access controls (RBAC) are enforced at the application layer. Cross-tenant access is prevented by design.
The Platform supports password-based authentication with modern password-strength requirements, and supports Single Sign-On (SSO) for eligible plans. Multi-factor authentication (MFA) is supported and strongly recommended for administrative accounts.
Yena operates on a least-privilege basis. Production access is restricted to named engineers under time-bound, audited access with MFA. Every access event is logged. All employees and contractors are bound by confidentiality obligations and complete security-awareness training on onboarding and periodically thereafter.
Yena actively monitors production systems for availability, integrity, and security anomalies using infrastructure and application logging, audit trails, and runtime error tracking. Alerts are routed to on-call engineers twenty-four hours a day.
Yena maintains a documented incident-response plan. In the event of a personal-data breach, Yena will notify affected customers without undue delay and, where applicable, within the timelines required by Article 33 GDPR. Security incidents or suspected vulnerabilities can be reported to [email protected].
Yena performs regular dependency scanning, automated static analysis, and periodic penetration testing on the Platform. Identified vulnerabilities are triaged by severity and remediated within defined service levels. Responsible-disclosure reports from security researchers are welcome at [email protected]; Yena commits to acknowledging in-scope reports within two (2) business days.
Yena maintains AI governance practices to ensure AI Features are deployed safely, with privacy and accountability at the core. This includes:
Yena engages carefully vetted sub-processors to deliver a secure, reliable service. Each sub-processor is bound by a data processing agreement that requires at least the same level of data protection as Yena's own commitments to its customers, and — for AI sub-processors — an explicit prohibition on training on Client Data. The current list is:
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Vercel Inc. | Web application hosting and content delivery (Website and Platform frontend) | EU (Frankfurt, DE) | N/A — EU region |
| Supabase Inc. | Managed Postgres database (secondary data store for Platform data) | Basel, Switzerland | Switzerland — EU Commission adequacy decision (Art. 45 GDPR) |
| Amazon Web Services EMEA SARL | Primary infrastructure (application servers, object storage, backups) | EU (Frankfurt, DE — eu-central-1) | N/A — EU region |
| OpenAI Ireland Ltd. | Large-language-model inference for AI Features (API tier with zero data retention) | EU (Dublin, IE) | N/A — EU region. API-tier contract prohibits training on Client Data. |
| Anthropic PBC | Large-language-model inference for AI Features (API tier) | United States | Standard Contractual Clauses (Art. 46 GDPR). API-tier contract prohibits training on Client Data. |
| Stripe Payments Europe Ltd. | Payment processing, subscription billing, Stripe Link checkout | EU (Dublin, IE) | Stripe operates primarily in the EU for European customers; SCCs for any US transfer of billing metadata. |
| MailerLite Ltd. | Transactional and marketing email delivery | EU (Lithuania) | N/A — EU region |
| Google Ireland Ltd. (Google Analytics) | Website analytics (aggregated, consent-based) | EU | SCCs and supplementary measures for any onward transfer to the US. |
Yena may update this list from time to time. Material changes (addition of a new sub-processor of Client Data) will be notified to customers via the Platform or by email, with a reasonable objection period as set out in the Data Processing Agreement.
Yena retains Client Data in line with the customer's instructions and the Data Processing Agreement. Upon termination of the Agreement, and subject to availability of Yena's systems and to applicable legal and security requirements, the Platform remains available for a period of up to ninety (90) calendar days to allow Client Data export in CSV format. After that period, Client Data is deleted or anonymised in accordance with Yena's retention policy and applicable law.
Customers with specific compliance requirements — including SOC 2, ISO 27001, GDPR, or sector-specific questionnaires — can request security documentation and sub-processor information from [email protected]. Security incidents and responsible-disclosure reports are also handled through that address.