Security
Yohanun's security model starts from an unusual place: access control is a core product feature, not a perimeter bolted on afterwards. This page describes what we do — and only what we actually do.
Our Approach
Most AI products enforce data boundaries by instructing the model. Yohanun enforces them in the platform: access decisions are made deterministically inside the retrieval query, before any model is called. The model cannot leak data it never received. This is the same mechanism we sell — and it protects every tenant on the platform.
1. Platform-Enforced Access Control
All data is scoped to a tenant at the API layer; cross-tenant access is structurally impossible through the query path, not merely forbidden by policy.
Within a tenant, labeled memory is walled by clearances, classification levels, ownership, and conflict-of-interest checks. Grants and revocations are ledger entries that take effect on the next request.
2. Audit Trails
Every gated read is recorded in an append-only audit log: who asked, what was returned, and under which authority. Agent actions and permission escalations are audited the same way.
Audit records are never rewritten; corrections are recorded as new entries.
3. Encryption & Infrastructure
All traffic is encrypted in transit with TLS. Our cloud infrastructure is hosted in the European Union.
For organizations with stricter requirements, Yohanun can be self-hosted entirely on your own infrastructure — your network, your disks, your keys. See deployment options.
4. Authentication & Keys
API access is authenticated with scoped API keys that can be rotated and revoked. Provider API keys you bring (OpenAI, Anthropic, etc.) are stored for your tenant only and never shared across tenants.
5. Incident Response
If a breach affecting personal data occurs, we will notify affected customers and the supervisory authority within 72 hours, as required by GDPR.
6. Compliance Posture
Yohanun is operated by GestureLoop Ltd., an Irish company, and is subject to GDPR and the Irish Data Protection Act. Data Processing Agreements are available for customers who require them.
We don't lead with certification badges. A certification attests that a process was followed, on a sampled basis, once a year; our enforcement is deterministic and self-evidencing on every request — access decided by the platform before generation, a per-read audit ledger, and full self-hosting. That's a stronger claim than a badge, and we invite your security team to challenge it directly: we'll walk through the architecture, the ledgers, and live enforcement in as much depth as they want.
Security Contact
For security inquiries or vulnerability reports:
Email: security@yohanun.com