Cybersecurity Policy
Effective Date: May 15, 2026 • Last Reviewed: May 15, 2026
This Cybersecurity Policy is published in compliance with New York Department of Financial Services Cybersecurity Regulation (23 NYCRR Part 500) and applicable provisions of the New York Insurance Law. It describes YellowBus's technical, administrative, and operational safeguards for protecting nonpublic information.
1. Scope and Applicability
This policy applies to YellowBus (operated by the company entity behind www.yllwbus.com), a lead generation marketplace for insurance products. YellowBus operates as a covered entity under NYDFS Reg. 500 to the extent it handles nonpublic information (NPI) of New York residents in connection with insurance products.
This policy governs all systems, personnel, and third-party service providers that access, process, or store nonpublic information on behalf of YellowBus.
2. Encryption Standards
2.1 Data in Transit
- All consumer-facing web traffic is encrypted using TLS 1.2 or higher (HTTPS enforced platform-wide via Render's edge infrastructure).
- API calls to third-party services (Stripe, NIPR, email providers) are made exclusively over TLS-encrypted HTTPS connections.
- Internal service-to-service communications use encrypted connections where technically feasible.
2.2 Data at Rest
- The production database (Neon PostgreSQL) is encrypted at rest using AES-256 encryption provided by the underlying cloud infrastructure.
- OAuth tokens and sensitive credentials stored in the database are encrypted with AES-256-GCM at the application layer, providing an additional layer of protection beyond infrastructure encryption.
- Backups are encrypted using the same standards as the primary database.
Reg. ref: 23 NYCRR § 500.15 (Encryption of Nonpublic Information)
3. Access Controls
3.1 Principle of Least Privilege
- Database access is restricted to the application service account. No developer or contractor has direct production database access except through audited administrative procedures.
- Admin panel access is protected by a unique, rotatable token (ADMIN_TOKEN environment variable). This token is stored only in the infrastructure environment configuration — not in code or version control.
- Agent portal access requires email + password authentication. Passwords are stored using bcrypt hashing (cost factor 12).
3.2 Multi-Factor Authentication
- Two-factor authentication (TOTP via RFC 6238-compliant authenticator apps) is available in the agent portal via the settings page.
- Admin access to infrastructure platforms (Render, Neon, GitHub) is protected by MFA on those platforms.
3.3 Third-Party Access
- Third-party service providers (Stripe, Polsia platform, NIPR) access only the minimum data necessary for their service function.
- API keys for third-party services are stored in environment variables, not in source code.
Reg. ref: 23 NYCRR § 500.07 (Access Privileges)
4. Vulnerability Management
- Application dependencies are reviewed and updated on a regular basis. Security advisories from npm are monitored via automated tooling.
- All SQL queries use parameterized statements to prevent SQL injection. The application uses an ORM/query builder pattern that defaults to parameterized queries.
- Input validation is enforced server-side on all consumer-facing and agent-facing form submissions.
- Sandbox child processes (if used for AI agent execution) are subject to allowlist-only environment variable construction — database credentials are explicitly blocked from agent process environments.
Reg. ref: 23 NYCRR § 500.05 (Penetration Testing and Vulnerability Assessments)
5. Incident Response Plan
5.1 Detection
Anomalous activity is detected through application error monitoring (Render log alerts), structured logging, and third-party service provider security alerts (Stripe Radar, Neon anomaly detection).
5.2 Classification
| Severity | Description | Response Time |
| --- | --- | --- |
| Critical | Active breach of NPI, unauthorized database access, credential compromise | Immediate — within 1 hour |
| High | Service unavailability affecting consumer data integrity, suspected data exfiltration | Within 4 hours |
| Medium | Unauthorized access attempts, suspicious authentication patterns | Within 24 hours |
| Low | Routine security events, failed login attempts below threshold | Within 72 hours |
5.3 Containment and Remediation
- Isolate affected systems by revoking credentials and blocking access at the infrastructure level.
- Preserve logs and evidence before any remediation steps.
- Identify root cause and scope of the incident.
- Apply patches or configuration changes to contain the vulnerability.
- Monitor for recurrence after remediation.
- Conduct post-incident review and update controls as warranted.
5.4 Breach Notification
In the event of a cybersecurity event involving NPI of New York residents, YellowBus will notify:
- The New York Department of Financial Services within 72 hours of determining that a cybersecurity event has occurred, as required by 23 NYCRR § 500.17.
- Affected individuals as required by the SHIELD Act (N.Y. General Business Law § 899-aa) and applicable state breach notification laws — generally within 30–60 days depending on the state.
- Notification to affected consumers will be made via the email address on file.
Reg. ref: 23 NYCRR § 500.17 (Notices to the Superintendent); N.Y. Gen. Bus. Law § 899-aa (SHIELD Act)
6. Data Retention and Disposal
- Consumer lead data is retained for 2 years from the date of submission for compliance and legal purposes.
- Agent account data is retained for the duration of the agent relationship plus 5 years for financial recordkeeping compliance.
- Upon a valid CCPA or state law data deletion request, personal data is deleted within 45 days subject to legal retention obligations.
- Data in backups is purged in accordance with the primary database retention schedule.
- Disposal of records containing NPI uses secure deletion methods (database-level DELETE operations, not soft deletes that preserve data).
7. Third-Party Service Provider Security
YellowBus relies on the following third-party providers that process NPI. Each maintains its own security certifications:
- Neon (database hosting) — SOC 2 Type II certified, encryption at rest and in transit, automated backups.
- Render (application hosting) — SOC 2 Type II certified, encrypted secrets management, TLS termination.
- Stripe (payment processing) — PCI DSS Level 1 certified. YellowBus does not store payment card data.
- Polsia (email proxy, analytics) — Internal platform service. Data flows governed by the Polsia platform agreement.
Reg. ref: 23 NYCRR § 500.11 (Third-Party Service Provider Security Policy)
8. Personnel Security
- Access to production systems is limited to authorized personnel on a need-to-know basis.
- Contractors and vendors with access to NPI are subject to confidentiality obligations.
- Credentials are rotated upon personnel transitions and at least annually.
- Security awareness training on phishing and social engineering is conducted at onboarding.
9. Governance and Review
This policy is reviewed annually or following any material cybersecurity event. The Chief Information Security Officer (or designated equivalent) is responsible for maintaining this policy. Policy updates are reflected in the revision date above.
10. Contact
To report a security vulnerability or incident, contact: security@yllwbus.com
For privacy-related inquiries: privacy@yllwbus.com