Security

Built for procurement review.

AES-256 at rest. TLS 1.2+ in transit. US-hosted, zero cross-border data flow. NIST-aligned controls and incident response. Per-client private model. No SOC 2 claim until we’ve done the audit.

AES-256 at rest · TLS 1.2+ in transit
US-hosted · zero cross-border data flow
NIST-aligned controls + incident response
Per-client private model · your data trains yours, nobody else’s
What procurement asks first

Three questions every questionnaire opens with.

Where does the data live?
US-hosted, single region, zero cross-border flow
All infrastructure, data access, and compute are in the United States. We do not move data across borders for any operation, including model inference. Your subprocessor list is short and named on the architecture page.
Who can read it?
Scoped engineering access, audit-logged
Read access to client data is scoped to your agency and to the YG3 engineering team for support. Every access event is logged with the engineer’s identifier and the reason. Audit logs are exportable.
Does it train shared models?
Per-client private model. Your data trains yours.
The AI workers run on infrastructure we control, not on a hosted LLM API where your prompts and outputs join a shared training corpus. Your articles, your contacts, and your attribution data train your model only.
Posture

Eight controls we maintain today.

Encryption
AES-256 + TLS 1.2+
Encrypted at rest. TLS 1.2 or higher in transit. Every endpoint, every storage tier.
Data residency
US-hosted, single region
All infrastructure, data access, and compute in the United States. Zero cross-border data flow.
Identity + access
2FA on every admin account
IAM with unique identifiers, password complexity, password aging, and 2FA for all remote access. Per-user audit trails.
Incident response
NIST-aligned
Detection, triage, containment, remediation, documentation. Aligned with the NIST cybersecurity framework. Tested annually.
AI workforce
Per-client private model
The AI workers run on infrastructure we control. Your data trains your model, never anyone else’s.
Continuity
RPO < 24h · RTO < 2h
Automated daily backups, weekly verification, isolated retention. Disaster recovery plan tested annually.
Monitoring
24/7 observability
Logs, threat detection, and access alerts actively monitored. Reports available on request.
Personnel
Background-checked
All team members and contractors pass comprehensive background checks before access is granted. Mandatory security training semi-annually.
If you find something

The disclosure process.

1. Email security@yg3.ai.
Include the vulnerability, the reproduction steps, and any logs you have. PGP key available on request.
2. We acknowledge within 24 hours.
You get a tracking ID, a named owner, and a target remediation window based on severity.
3. Public credit when fixed.
If you want it, you’re named in the disclosure log. Bounty paid for high-severity findings per the program scope.
What we don’t claim

Frameworks we have not yet been audited against.

SOC 2
Not yet audited
We do not claim SOC 2 Type I or Type II compliance. The audit is on the roadmap. We will publish the report when we hold one.
ISO 27001
Not yet audited
We operate against many of the same controls but have not been formally certified. Same posture as above: we’ll publish when we hold the certificate.
HIPAA / PCI
Out of scope today
We do not currently process PHI or take cardholder data on our systems. Payments route through Stripe. If your engagement requires either, talk to us before signing.
For procurement

Send us your security questionnaire. We’ll fill it out the same day.