Yielde
Security
Auth, encryption, webhook signatures, LLM data path, per-tenant isolation, POPIA. Written for the operator doing diligence, not for an annual report.
Authentication
Sign-in is passwordless. We use Supabase magic-link email auth: no passwords are stored, so there is nothing to crack and no password-reuse risk from other breaches. The trade-off is that an account is only as secure as the mailbox that receives the link. Session cookies are HttpOnly, so page scripts cannot read them, and middleware refreshes the session on every request, so tokens stay short-lived and a session that is not refreshed expires on its own schedule rather than living indefinitely.
Admin access to the platform is gated by an explicit email allowlist held in environment configuration. There is no 'forgot password' email path because there is no password.
Where your data lives
Tenant workspaces run on AWS in Cape Town (af-south-1). That is where your n8n workflows execute, where your LLM gateway proxies requests, and where the per-tenant virtual key for LLM usage is held.
Account, billing, lifecycle, and form-submission records live in Supabase (managed Postgres). Booking and admin tooling reads from the same project.
Static marketing assets and the application itself are served by Vercel's edge network.
Encryption in transit and at rest
Every public endpoint is HTTPS-only with TLS terminated at Vercel (marketing + portal) or at the per-tenant ingress on AWS (workspace traffic). HSTS is enforced.
Supabase storage is encrypted at rest. AWS-side volumes holding per-tenant n8n state are encrypted with AWS-managed keys.
Secrets (Paystack keys, LiteLLM virtual keys, Supabase service-role keys, webhook signing secrets) live in Vercel and Infisical environments. Nothing sensitive is ever prefixed with `NEXT_PUBLIC_`, because Next.js inlines variables with that prefix into the browser bundle.
Webhook signatures
Every inbound webhook is signature-verified before its payload is trusted:
- Paystack — HMAC-SHA512 over the raw request body, keyed with the live secret key, compared against the `x-paystack-signature` header.
- Documenso (DPA signing) — HMAC per Documenso's spec, with our per-tenant secret.
- Portal-api ↔ site (provisioning + status) — HMAC-SHA256 over `timestamp.method.path`, with `X-Yielde-Timestamp` and `X-Yielde-Signature`. The same scheme governs the Vercel ↔ n8n hop with `X-Yielde-Tenant`.
A failed signature check returns 401 with an empty body. The response does not echo the payload or say which check failed, so a caller cannot use our responses as an oracle to refine a forged signature.
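As an added illustration of the two schemes above, here is how the checks look in Node/TypeScript. This is example code, not Yielde's own: the secrets, the five-minute timestamp window, the lowercase header lookup and the handler shape are all assumptions, and the sample body is constructed. The signed string for the site hop is exactly the one named above, `timestamp.method.path`.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Constructed values for the example only. Real secrets come from the environment /
// secret store; none of these names are Yielde's.
const EXAMPLE_SITE_SECRET = "example-per-tenant-signing-secret";
const EXAMPLE_PAYSTACK_SECRET = "sk_test_example_only";

// Constant-time comparison so response timing leaks nothing about how many bytes matched.
// Length is checked first because timingSafeEqual throws on unequal lengths; a length
// mismatch is simply a failed check.
function safeEqual(expected: string, presented: string): boolean {
  const a = Buffer.from(expected, "utf8");
  const b = Buffer.from(presented, "utf8");
  return a.length === b.length && timingSafeEqual(a, b);
}

// The signed string the page describes: timestamp.method.path (the body is not covered).
export function yieldeSigningString(ts: string, method: string, path: string): string {
  return `${ts}.${method.toUpperCase()}.${path}`;
}

// Sender side: produce the two headers for a request.
export function signYielde(secret: string, method: string, path: string, ts: number): Record<string, string> {
  const sig = createHmac("sha256", secret).update(yieldeSigningString(String(ts), method, path)).digest("hex");
  return { "X-Yielde-Timestamp": String(ts), "X-Yielde-Signature": sig };
}

// Receiver side. `now` is injected so the freshness window is testable; the 300 s skew
// window is an assumption, the page states no value.
export function verifyYielde(
  secret: string, method: string, path: string,
  headers: Record<string, string>, now: number, maxSkewSec = 300,
): boolean {
  const h: Record<string, string> = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v; // header names are case-insensitive
  const ts = h["x-yielde-timestamp"];
  const sig = h["x-yielde-signature"];
  if (!ts || !sig || !/^\d{1,12}$/.test(ts)) return false;             // missing or malformed: reject
  if (Math.abs(now - Number(ts)) > maxSkewSec) return false;            // stale or future-dated: reject
  const expected = createHmac("sha256", secret).update(yieldeSigningString(ts, method, path)).digest("hex");
  return safeEqual(expected, sig);
}

// Paystack: HMAC-SHA512 over the raw body with the secret key, compared to x-paystack-signature.
// The raw bytes must be used; re-serialising a parsed JSON body changes whitespace and breaks the MAC.
export function verifyPaystack(secret: string, rawBody: string, signatureHeader: string | undefined): boolean {
  if (!signatureHeader) return false;
  const expected = createHmac("sha512", secret).update(rawBody, "utf8").digest("hex");
  return safeEqual(expected, signatureHeader);
}

// Only here to build a sample request for the example; Paystack computes this on its side.
export function signPaystackSample(secret: string, rawBody: string): string {
  return createHmac("sha512", secret).update(rawBody, "utf8").digest("hex");
}

// The response shape from the page: a failed check is a 401 with an empty body, no echo of
// the payload and no hint of which check failed. The body is parsed only after verification.
export function handleYieldeWebhook(
  secret: string, method: string, path: string,
  headers: Record<string, string>, rawBody: string, now: number,
): { status: number; body: string } {
  if (!verifyYielde(secret, method, path, headers, now)) return { status: 401, body: "" };
  let payload: { event?: string };
  try { payload = JSON.parse(rawBody); } catch { return { status: 400, body: "" }; }
  return { status: 200, body: JSON.stringify({ accepted: payload.event ?? null }) };
}

// Stand-alone demonstration with a constructed provisioning call.
const sampleBody = '{"event":"charge.success","data":{"reference":"ref_example"}}';
const sampleHeaders = signYielde(EXAMPLE_SITE_SECRET, "POST", "/api/provision", 1700000000);
console.log(handleYieldeWebhook(EXAMPLE_SITE_SECRET, "POST", "/api/provision", sampleHeaders, sampleBody, 1700000100));
console.log(verifyPaystack(EXAMPLE_PAYSTACK_SECRET, sampleBody, signPaystackSample(EXAMPLE_PAYSTACK_SECRET, sampleBody)));
```

Because the site-hop string does not include the body, the timestamp window is what bounds replay of a captured header pair, so keep it short and sign the path exactly as the receiver will see it (decide once whether the query string is part of it). The constant-time compare complements the empty 401: the former removes a timing oracle, the latter a content oracle.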
LLM data path
Every model call — from your workflows, your voice receptionist, your chatbot, any of it — flows through LiteLLM, our self-hosted gateway. No Yielde process ever calls OpenAI, Anthropic, or any upstream provider directly. The browser never sees an upstream API key.
That gives us four things at once: rotation control (one key change rotates a tenant's access), cost attribution per workflow, model-failover for the few customer-facing surfaces that need it, and a single redaction point if a provider ever changes its terms.
Customer prompts and completions are not used to train any model. We pass them through to the chosen provider — currently the OpenAI gpt-5 family for production work and Anthropic Claude for select tasks — and that is the end of the data's life in our system once the response is delivered.
Per-tenant isolation
Each tenant gets a dedicated subdomain (`<slug>.yielde.dev`), a dedicated n8n container, a dedicated LiteLLM virtual key, and a dedicated webhook signing secret. There is no shared workflow runtime — a noisy workflow in one tenant cannot starve another, and a credential leak in one tenant cannot read another's data.
Tenant boundaries are enforced server-side by `lifecycle_state` (the single source of truth for what a logged-in client can see) and by Supabase row-level security on every customer-facing table. The Supabase service-role key bypasses row-level security, which is why it is held as a server-side secret and never reaches the browser.
POPIA
Yielde is the operator of the platform; you remain the responsible party for your customer data. We sign a Data Processing Agreement with every tenant before workspace provisioning — embedded through Documenso, retained in your dashboard.
POPIA Section 19 obligations (integrity and confidentiality of personal information) inform every choice on this page: encryption, signed transport, per-tenant isolation, the LLM gateway, the lifecycle gate.
A small number of family-business pilots are exempted from the DPA gate; they are still required to pass the payment gate, and the carve-out is held in an explicit allowlist in environment configuration, not in code.
Subprocessors
The third parties that process customer data on our behalf:
- Supabase — managed Postgres, auth, storage.
- Vercel — hosting and edge delivery.
- AWS (af-south-1, Cape Town) — per-tenant workspace compute and storage.
- Paystack — payment processing.
- Documenso — DPA signing.
- Retell — voice receptionist transport.
- OpenAI and Anthropic — LLM inference, called only through our LiteLLM gateway.
- Cloudflare — DNS.
We update this list before introducing a new subprocessor and surface the change in /changelog.
What we don't have yet
Honesty matters more than a clean compliance badge. As of today Yielde does not hold SOC 2, ISO 27001, or any equivalent third-party audit attestation. We are a young company shipping fast — that is the right trade-off for our customers right now, and not the right trade-off for every customer. If a formal audit is a hard requirement for you, please tell us up front so we can be straight about timelines.
We also do not run a formal bug-bounty programme yet, although we read and respond to every report. See below.
Reporting a security issue
Email security@yielde.dev with a clear description and reproduction steps. Encrypt the message if you can (PGP key on request).
We acknowledge within 24 hours and aim to triage and respond within 72. We will not pursue legal action against good-faith research disclosed privately and given a reasonable window to remediate before publication.