Verified principles
- Authenticated accounts identify the owner of synced Memories.
- User-owned database records are protected by row-level ownership policies.
- Recordings and attachments use private storage and authenticated user paths.
- Provider and service-role secrets remain on the server.
- Active web work is saved locally before cloud synchronisation.
- Internal product and evaluation routes are protected outside approved development environments.
- Transport to the public website and synced services uses HTTPS.
Current maturity
The review environment is a functional beta. Broader release still requires stronger auditability, rate limiting, physical-device evidence, complete account deletion and continuing two-user isolation tests. Yerki does not claim a compliance certification or independent penetration test that has not been completed.
Responsible disclosure
Report a suspected vulnerability to security@yerki.app. Include the affected surface, steps to reproduce and potential impact. Do not include real user content, credentials or destructive proof.
Please allow reasonable time for investigation before public disclosure. Yerki does not currently offer a formal bug-bounty programme or guaranteed response time.