Trust in Yubico
Trust is earned through transparency and integrity. Yubico, founded in 2007, helped build open standards like the Fast Identity Online (FIDO) standard in collaboration with industry-leading organizations and companies. The information provided here is intended to provide transparency in how we approach security and privacy so that we may earn your trust.
Supply Chain
Yubico’s hardware-backed authenticators rely on a global supply chain. We source our most sensitive component, the secure element, from a trusted and industry-leading vendor. Sensitive operations, like programming, take place at our facilities in Sweden and the United States. We also built a robust chain of trust that starts with our vendor assurance program and ends with programmatic validation of components. Additional information about our secure manufacturing practices can be found below.
Product security
Security is embedded in our software and hardware development lifecycle at Yubico. Our engineering teams employ secure development practices that include security training, design reviews and threat modeling. Our security team provides automated static and dynamic analysis and performs a manual code review and penetration test for major releases. We also work with trusted and independent third parties to review the security of our products and services.
Yubico’s security team also triages and responds to vulnerability reports and publishes security advisories.
Data Security & Privacy
Data Protection
Our customers’ data is important. Although the amount of data we handle is minimal, the type is sensitive and important. Data is protected throughout its lifecycle using industry best practices. Yubico uses a carefully selected range of methods to protect the information we store, including disk encryption, Pretty Good Privacy (PGP), Hardware Security Modules (HSMs), and a variety of platform security solutions offered by Google Cloud Platform (GCP) and Amazon Web Services (AWS).
Transport Layer Security (TLS) is used for encryption to protect information in transit. Where possible, TLS connections are mutually authenticated, so that the identities of both the server and the client are verified before access to that data is allowed. Multi-factor authentication with YubiKeys is used anywhere an employee can interact with systems handling customer data.
Yubico also uses shared responsibility and least privilege models to minimize the opportunities for abuse and unauthorized access. Administrative actions are immutably logged in a central location and monitored by multiple groups within Yubico. Alerts are used to report on anomalies and reviewed by Yubico’s operations and security team.
Privacy
Your privacy is important to us. We always strive to minimize the information we collect and remove that information when it is no longer required. We also limit where this information is stored and who has access to it.
Our practices comply with General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), in addition to other legal requirements. Details about our privacy practices can be found at https://www.yubico.com/support/terms-conditions/privacy-notice/.
Data Retention & Removal
Yubico retains data only as long as necessary to operate our business and to comply with statutory and regulatory requirements. We do not use this data for any purposes other than the purpose for which it was collected to begin with.
Yubico follows NIST 800-88 to sanitize or destroy physical media.
Physical Security
Yubico’s services are deployed across cloud services providers and colocation facilities for YubiHSM-backed services.
We secure our colocated infrastructure in locked cages monitored 24x7x365. Access to these data centers requires at least two factors of authentication. Our colocation vendors publish a SOC 1 Type II report that attests to their ability to physically secure our infrastructure. Only Yubico personnel and employees of the colocation vendors have physical access to this infrastructure.
For our cloud services, we use Google Cloud Platform (GCP) and Amazon Web Services (AWS). Google and Amazon have both undergone multiple certifications that attest to their ability to physically secure Yubico’s services. You can read more about Google Cloud Platform’s security here and Amazon Web Services’ here.
Access to Yubico’s key programming facilities is restricted to only the Yubico personnel that require access. Access is logged and monitored.
SOC 2 Type II
The SOC 2 Type II is an attestation by a third party that validates the requirements and guidance for reporting on controls at a service organization relevant to an organization’s internal control over information security. By engaging an independent CPA to examine and report on a service organization’s controls, service organizations can obtain an objective evaluation of the effectiveness of controls that address operations and compliance.
Yubico successfully completed a SOC 2 Type II examination, conducted by Schellman & Company, LLC, for YubiEnterprise Services, encompassing YubiEnterprise Delivery and YubiEnterprise Subscription. The examination reviewed the security controls for YubiEnterprise Services and found them to be “suitably designed” and “operated effectively”. Completing the SOC examination represents a maturity milestone for Yubico and its service offerings. With it, Yubico continues to operate as a responsible steward of our customers’ sensitive data while providing best-in-class services.
Additional annual third-party penetration tests and code reviews are conducted on Yubico Enterprise Services to ensure the security and resilience of the service.