Yathit - Security

Yathit login server uses Google OAuth user authentication and do not have access to your user password. We use browser direct authentication to your Sugar instance and password is never send to Yathit server.
HTTP Strict Transport Security which declares that complying web browsers are to interact with Yathit using only secure HTTPS connections.

If you're installing Yathit Browse Extension, you'll see a notice about granting Yathit permission to run on two specific domains: mail.google.com and www.yathit.com which enables Yathit to run securely inside Gmail.
We do not request all web site data permission.

Please notes:

We can’t do anything you can’t do. For example, if you don’t have access to edit Contacts in Sugar, you won’t be able to edit a Contract record in Yathit.
We can do almost everything you can do. If you can see every Account in Sugar, our API access gives us the ability to search every Account on your behalf.

User profile information (name, email address, etc.)
OAuth refresh tokens store in Google appengine Datastore.
As you use Yathit, we optionally collect data about the features in use. We use this data to populate your Yathit Dashboard, assist with customer support, and plan for future features.

All interaction between Yathit and third-party platforms occurs over a secure HTTPS connection.

We host our systems on industry-leading cloud infrastructure services with Google Appengine.
Access to the Google Cloud console is limited to the Operation Team and authentication require 2FA.
Google Cloud Platform has annual audits for the following standards:
- SSAE16 / ISAE 3402 Type II: SOC 2/Soc 3
- ISO 27001, one of the most widely recognized, internationally accepted independent security standards. Google has earned ISO 27001 certification for the systems, applications, people, technology, processes and data centers serving Google Cloud Platform.
- ISO 27017, Cloud Security, This is an international standard of practice for information security controls based on ISO/IEC 27002 specifically for cloud services.
- ISO 27018, Cloud Privacy, This is an international standard of practice for protection of personally identifiable information (PII) in public clouds services.
- FedRamp ATO for Google App Engine
- PCI DSS v3.1
To learn more, see: https://cloud.google.com/security/

We monitor our systems 24/7/365 with several performance measurement with build-in Google cloud monitoring tools.
Should a security incident occur, we will notify affected users of the nature and extent of the breach, and take steps to minimize any damage. There have been no security incidents to date.

Yathit does not rent, sell, trade or disclose your Personal Information to third parties without your consent.
Access to customer data by Yathit employees is limited based on the need to access such data (e.g. to resolve a customer support ticket).
When requested, we will destroy a user’s account, removing all customer data associated with that account.

A cookie is a small amount of data, which often includes an anonymous unique identifier, that is sent to your browser from a web site’s computers and stored on your computer’s hard drive.
Cookies are required to use the Yathit service.

Yathit optionally includes Email Tracking and Link Tracking features. Yathit customers may enable or disable email tracking and link tracking in the Yathit dashboard.
The usage of tracking functionality is consistent with industry standards. If a Yathit customer enables Email Tracking, Yathit embeds a small transparent image pixel in the outgoing email. If the email is opened, Yathit may be able to inform the user about who opened the email, when it was opened, and where it was opened. If Link Tracking is enabled, Yathit re-writes the link URL so that it is trackable. If the link is clicked by the recipient, Yathit may be able to inform the user about who clicked on the link, when it was clicked, and the general location of the visitor when they clicked the link.
Email recipients may block email open tracking via the settings on their email client or by using a pixel-blocking extension.

Updated on July 1, 2019.