Yoummday Trust Center

Here we provide transparent and up-to-date information about our security, compliance, and data protection practices.
This portal is designed to give you easy access to certifications, policies, and documentation that demonstrate how we safeguard your data.
Thank you for trusting Yoummday — your security is our priority.

Overview

In our Trust Center you can find


Certifications

Yoummday holds the following certificates. They are externally audited regularly and maintained thoroughly over the course of a year.

Scope

Development, distribution, provision and operation of a technology platform for the delivery of customer service and sales services including the sites.

Scope

Development, distribution, provision and operation of a technology platform for the delivery of customer service and sales services including the sites.

PCI DSS v4.0.1

Scope

Our PCI DSS scope is aligned with customer environments and processes that were specifically defined in advance.

The EcoVadis Bronze Medal recognizes that Yoummday performs within the top 35% of all companies assessed in sustainability, demonstrating solid performance across environmental, social, and ethical criteria. This rating highlights our continued commitment to responsible and transparent business practices.


Data Protection

We take the protection of your personal data seriously and apply rigorous safeguards to ensure it is handled securely and responsibly. This section provides an overview of our data protection practices, outlining how we collect, process, and safeguard information in full alignment with applicable regulations.

Technical and Organisational Measures
Managed Service

Our managed service is secured through comprehensive technical and organizational measures that safeguard your data while fully respecting all applicable legal and regulatory requirements.

Our Talents operate under strict technical and organizational measures that protect all handled data while ensuring full compliance with applicable legal and regulatory requirements.

This provides a transparent overview of all authorized subprocessors we engage, including their roles and the safeguards in place to ensure full compliance with applicable data protection regulations.

GDPR compliant

Yoummday processes personal data in full accordance with the EU General Data Protection Regulation (GDPR), implementing privacy‑by‑design principles, strict access controls, and robust organizational and technical measures to protect customer data. We are transparent about our data processing activities, honor data subject rights, and regularly assess our practices to maintain a high standard of data protection and regulatory compliance.

AI Act Ready

Yoummday is committed to aligning its AI systems and services with the EU AI Act, including adherence to the phased transparency, safety, and accountability requirements defined for general-purpose and high‑risk AI systems. We proactively monitor regulatory updates and implementation timelines to ensure that our AI practices remain safe, ethical, and fully compliant as the EU framework evolves.


Security Documents

This chapter provides an overview of our core security documents, outlining the operational practices and controls that ensure the continuous protection of our platform and services.

Our Security Whitepaper provides a comprehensive overview of all implemented security controls, offering full transparency into our technical IT Security measures.


Vulnerability Disclosure Policy (VDP)

Yoummday GmbH is committed to strong security across all systems and services. Our Vulnerability Disclosure Policy provides a clear and structured process for security researchers to responsibly report identified vulnerabilities.

The purpose of our VDP is to support responsible disclosure by defining straightforward guidelines for reporting, assessment, and remediation. This policy applies to all researchers who discover weaknesses in Yoummday GmbH’s publicly accessible systems and applications. The VDP covers only publicly accessible websites and IT systems owned or operated by Yoummday GmbH. It excludes internal systems, third-party services outside our control, and vulnerabilities that require physical access.

Reporting a Vulnerability

Email us at [email protected] using the reporting template provided below.

When reporting a vulnerability, please:

  • Do not exploit the vulnerability (e.g., download, alter, or delete data).
  • Do not attempt to access personal data or confidential information.
  • Do not perform attacks such as social engineering, (D)DoS, spam, brute force, or physical intrusion.

Provide sufficient detail to allow us to reproduce and understand the issue (URLs, steps, technical details).
Allow us reasonable time to investigate and remediate before public disclosure.

Reporting Template

Title / name of the vulnerability
Vulnerability type
Brief explanation (non-technical)
Affected system
Manufacturer
Product
Version / Model
Exploitation method (Remote / Local / Network / Physical)
Authentication requirement (Pre-auth / Guest / User / Admin)
Required user interaction
Technical details
Proof of concept
Proposed remediation
Author and contact details (or alias)
Consent for public acknowledgement
  

What You Can Expect From Us

When you report a vulnerability:

  • We will acknowledge your report and keep you informed of progress.
  • We will treat your submission confidentially and protect your personal information.
  • We will assess and remediate vulnerabilities as quickly as possible.

If desired, we will publicly credit you (name or alias) once the issue is resolved.
Your skills and contributions are valued equally — regardless of age, background, gender, or origin.

We do not offer monetary rewards at this time!

Qualified Vulnerabilities

Any reproducible security issue that may lead to unauthorized access, data exposure, or system compromise, such as:

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Remote Code Execution (RCE)
  • Insecure Direct Object Reference
  • Information leakage
  • Unauthorized account or data access
  • Exploitable backdoors
  • Misconfigurations enabling unauthorized access

Non-Qualified Vulnerabilities

Issues outside the scope of the VDP include:

  • Findings requiring physical access
  • Automated scanner outputs without explanation
  • Social engineering attempts
  • Denial-of-Service (DoS/DDoS) reports
  • Spam, bots, mass registration
  • Hazards or threats without an exploitable vulnerability

Use of Vulnerability Scanners

You may use vulnerability scanners as long as:

  • Scanning does not affect system availability.
  • Scans are not excessively invasive or high-volume.
  • You provide documentation for any findings.

Automated reports without analysis will not be recognized as qualified vulnerabilities.

Remediation Timelines

We aim to finalize vulnerability reports within 90 days of receipt.
Complex vulnerabilities may require additional time, but you will be updated accordingly.

Frequently Asked Questions (FAQ)

Can I share the vulnerability after reporting?
Only after the issue has been remediated and confirmed closed.

Our Appreciation

We sincerely thank all developers and security researchers who contribute to making our systems safer.
Unless otherwise requested, we publicly acknowledge your contribution (name or alias) once the vulnerability has been resolved.
Your partnership strengthens the security and trustworthiness of Yoummday GmbH—and we deeply appreciate it.


Whistleblowing

We provide a secure and anonymous whistleblowing tool that enables the confidential reporting of potential violations of our Code of Conduct or other compliance concerns. All submissions can be made anonymously and are handled with the utmost care to ensure integrity and protection for every reporter.