Encryption in transit and at rest
Every connection to YolanCare uses TLS 1.2 or higher. Data stored in our managed Postgres database and object storage is encrypted at rest with AES-256.
This page is maintained by YolanCare to answer common security and privacy questions about our marketplace. YolanCare is not a home care agency; families and independent caregivers connect through this platform, and we take our role as data custodian seriously.
Every connection to YolanCare uses TLS 1.2 or higher. Data stored in our managed Postgres database and object storage is encrypted at rest with AES-256.
Passwords are hashed server-side with bcrypt — we never see or store plaintext. New and changed passwords are checked against the Have I Been Pwned database and rejected if they appear in a known breach.
Roles (family, caregiver, admin) are stored in a dedicated table and enforced by Postgres row-level security. A user cannot escalate their own role, and admins are limited to their assigned scope.
Every table enforces row-level security policies scoped to auth.uid(). Public browsing surfaces only approved, non-sensitive caregiver fields; reviewer notes, verification internals and admin metadata live in tables no public reader can touch.
Sensitive actions — role changes, caregiver verification decisions, agreement signatures and booking status changes — are written to an immutable audit log via database triggers. Only admins can read it and no one can edit or delete records.
Sign-in supports email/password, Google, and optional TOTP two-factor authentication. Sessions time out after 30 minutes of inactivity, and sign-out clears cached data immediately.
YolanCare runs on managed cloud infrastructure operated by SOC 2 Type II certified providers, with hardened isolation between projects and continuous vulnerability monitoring.
Databases are backed up daily with point-in-time recovery, so we can restore your data quickly in the event of an incident.
We collect only the information we need to run the marketplace: what families need help with, what caregivers offer, and the messages and bookings between them. We do not sell personal information. We architect our systems to support compliance with applicable Canadian privacy laws — including PIPEDA and provincial equivalents such as Ontario's PHIPA — as the platform grows. Users can request access to, correction of, or deletion of their personal information at any time by contacting our privacy team.
Found a vulnerability, or noticed something that looks wrong? Please email security@yolancare.ca with a clear description and steps to reproduce. We appreciate responsible disclosure and will respond as quickly as we can.
This page describes current practices and is not a certification of compliance with any specific standard. Certification status, if any, will be listed here once granted by an independent auditor.