Data Security Policy
Effective Date: November 25, 2025 | Last Updated: November 25, 2025
Security is at the core of everything we do. We are committed to protecting your data with enterprise-grade security measures and industry-leading practices.
1. Introduction
WiseYield ("we," "us," or "our") takes data security seriously. This Data Security Policy outlines the technical, administrative, and physical safeguards we implement to protect your personal and agricultural data from unauthorized access, disclosure, alteration, or destruction.
This policy applies to all data processed by WiseYield, including personal information, farm data, and system information. It complements our Privacy Policy and Terms of Service.
2. Security Framework
Our security program is built on industry-recognized frameworks and best practices:
- ISO 27001: Aligned with Information Security Management System (ISMS) best practices
- NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover
- OWASP Top 10: Web application security best practices
- GDPR & CCPA: Data protection and privacy compliance
3. Technical Security Measures
Encryption
- In Transit: TLS 1.3 encryption for all data transmission
- At Rest: AES-256 encryption for stored data
- Database: Encrypted databases with column-level encryption for sensitive fields
- Backups: Encrypted backup storage
- Keys: Hardware Security Modules (HSM) for key management
Access Control
- Authentication: Multi-factor authentication (MFA) required for all accounts
- Authorization: Role-Based Access Control (RBAC)
- Principle of Least Privilege: Minimal access rights
- Session Management: Automatic session expiration after inactivity
- Password Policy: Strong password requirements, bcrypt hashing
Infrastructure Security
- Cloud Provider: Hosted on SOC 2 Type II certified cloud infrastructure (Vercel, Neon, Upstash)
- Network Segmentation: Isolated production, staging, development environments
- Firewalls: Web Application Firewall (WAF) and network firewalls
- DDoS Protection: Cloudflare Enterprise protection
- Intrusion Detection: Real-time threat monitoring (IDS/IPS)
Monitoring & Logging
- 24/7 Monitoring: Continuous security event monitoring
- Audit Logs: Comprehensive logging of all system access and changes
- SIEM: Security Information and Event Management system
- Log Retention: Logs retained for 1 year minimum
- Anomaly Detection: AI-powered threat detection
Application Security
- ✓ Input validation and sanitization
- ✓ SQL injection prevention (parameterized queries)
- ✓ Cross-Site Scripting (XSS) protection
- ✓ Cross-Site Request Forgery (CSRF) tokens
- ✓ Secure headers (CSP, HSTS, X-Frame-Options)
- ✓ API rate limiting and throttling
- ✓ Regular dependency updates and vulnerability scanning
- ✓ Secure coding practices (OWASP guidelines)
4. Administrative Security Measures
4.1 Employee Security
- Background Checks: Pre-employment screening for all employees
- Security Training: Mandatory security awareness training for all staff
- Confidentiality Agreements: NDAs and data protection agreements
- Access Reviews: Quarterly access rights reviews
- Offboarding: Immediate access revocation upon termination
4.2 Vendor Management
- Due Diligence: Security assessments for all third-party vendors
- Data Processing Agreements (DPAs): GDPR-compliant contracts
- Regular Audits: Periodic vendor security reviews
- Subprocessor List: Maintained and publicly available
4.3 Incident Response
- Incident Response Team (IRT): Dedicated security response team
- Playbooks: Documented procedures for common security incidents
- Response Time: Critical incidents addressed within 1 hour
- Post-Incident Review: Root cause analysis and remediation
5. Physical Security
While WiseYield leverages cloud infrastructure, our office and data center security includes:
- Data Centers: Tier III/IV facilities with 24/7 security guards
- Access Control: Biometric authentication and badge systems
- Surveillance: CCTV monitoring and recording
- Environmental Controls: Fire suppression, climate control, redundant power
- Secure Disposal: Certified data destruction for decommissioned hardware
6. Data Backup and Recovery
Backup Strategy
- Frequency: Continuous incremental backups, daily full backups
- Retention: 30-day rolling window, monthly archives for 1 year
- Geographic Redundancy: Backups stored in multiple regions
- Encryption: All backups encrypted at rest
- Testing: Monthly disaster recovery drills
- RTO/RPO: Recovery Time Objective: 4 hours | Recovery Point Objective: 1 hour
7. Security Testing and Audits
Regular Testing
- • Quarterly penetration testing by third-party firms
- • Weekly automated vulnerability scans
- • Annual security audits (working toward SOC 2 Type II compliance)
- • Continuous code security analysis (SAST/DAST)
Bug Bounty Program
We operate a responsible disclosure program. Security researchers are encouraged to report vulnerabilities:
8. Data Breach Notification Procedures
In the unlikely event of a data breach affecting personal information:
Our Commitment
- Within 72 hours: Notify affected users and relevant supervisory authorities (GDPR requirement)
- Transparency: Provide clear information about the nature of the breach, affected data, and potential risks
- Remediation: Detail steps taken to contain the breach and prevent recurrence
- Support: Offer identity protection services if applicable
To report a suspected security vulnerability, contact us immediately at security@wiseyield.co.
9. Compliance and Certifications
WiseYield is committed to meeting recognized security and privacy standards:
GDPR
EU Data Protection
CCPA
California Privacy
SOC 2 Type II
Following SOC 2 standards
10. Your Security Responsibilities
Security is a shared responsibility. You can help protect your account by:
- Using strong, unique passwords (minimum 12 characters with mixed case, numbers, symbols)
- Enabling multi-factor authentication (MFA)
- Keeping your password confidential and not sharing account access
- Logging out after using shared devices
- Reporting suspicious activity immediately
- Keeping your contact information up to date
- Reviewing account activity regularly
- Using secure, updated browsers and operating systems
11. Reporting Security Issues
If you discover a security vulnerability or suspect unauthorized access:
🔒 Security Team
Email: security@wiseyield.co
Response Time: Critical issues addressed within 1 hour, other reports within 24 hours
Please do not publicly disclose security vulnerabilities until we have had a chance to investigate and remediate.
12. Policy Updates
This Data Security Policy may be updated to reflect changes in our security practices, technology, or regulatory requirements. Material changes will be communicated via email or prominent notice. The "Last Updated" date indicates the most recent revision.
13. Contact Us
For questions about our security practices: