Trust & security

Care information deserves care-grade security.

This page is maintained by YolanCare to answer common security and privacy questions about our marketplace. YolanCare is not a home care agency; families and independent caregivers connect through this platform, and we take our role as data custodian seriously.

Encryption in transit and at rest

Every connection to YolanCare uses TLS 1.2 or higher. Data stored in our managed Postgres database and object storage is encrypted at rest with AES-256.

Strong password hashing & leaked-password checks

Passwords are hashed server-side with bcrypt — we never see or store plaintext. New and changed passwords are checked against the Have I Been Pwned database and rejected if they appear in a known breach.

Role-based access control (RBAC)

Roles (family, caregiver, admin) are stored in a dedicated table and enforced by Postgres row-level security. A user cannot escalate their own role, and admins are limited to their assigned scope.

Least-privilege access

Every table enforces row-level security policies scoped to auth.uid(). Public browsing surfaces only approved, non-sensitive caregiver fields; reviewer notes, verification internals and admin metadata live in tables no public reader can touch.

Append-only audit logging

Sensitive actions — role changes, caregiver verification decisions, agreement signatures and booking status changes — are written to an immutable audit log via database triggers. Only admins can read it and no one can edit or delete records.

Secure authentication

Sign-in supports email/password, Google, and optional TOTP two-factor authentication. Sessions time out after 30 minutes of inactivity, and sign-out clears cached data immediately.

Secure Canadian-friendly cloud infrastructure

YolanCare runs on managed cloud infrastructure operated by SOC 2 Type II certified providers, with hardened isolation between projects and continuous vulnerability monitoring.

Automatic backups & disaster recovery

Databases are backed up daily with point-in-time recovery, so we can restore your data quickly in the event of an incident.

Privacy by design

We collect only the information we need to run the marketplace: what families need help with, what caregivers offer, and the messages and bookings between them. We do not sell personal information. We architect our systems to support compliance with applicable Canadian privacy laws — including PIPEDA and provincial equivalents such as Ontario's PHIPA — as the platform grows. Users can request access to, correction of, or deletion of their personal information at any time by contacting our privacy team.

Shared responsibility

  • YolanCare secures the platform, database, authentication and audit trail.
  • Caregivers are independent contractors responsible for their own professional conduct, credentials and any personal health information they receive from a Client.
  • Families are responsible for keeping their account credentials confidential and reviewing the caregiver they choose.

Reporting a security concern

Found a vulnerability, or noticed something that looks wrong? Please email security@yolancare.ca with a clear description and steps to reproduce. We appreciate responsible disclosure and will respond as quickly as we can.

This page describes current practices and is not a certification of compliance with any specific standard. Certification status, if any, will be listed here once granted by an independent auditor.