Skip to main content

Trust and security

Real controls. Honest scope. Customer in charge.

Yrka is built on Supabase auth, organization scoping, row level security, role checks, private storage, and signed URLs — and we describe what's shipped, not what's promised.

Trust posture
Security controlsOperational
Organization-scoped row level security
Private storage with short-lived signed URLs
Service-role usage server-only and inventoried
Server-side AI provider keys with disabled-state refusals

Recent audit events

  • Payroll-prep export downloaded12m
  • Confidential document opened38m
  • Role updated · Avery T.2h

Generated layout — synthetic demo data.

What's in place

The controls Yrka has today

Shipped, observable, and described the way operators expect.

  • Auth and scoping

    Supabase auth, organization tenancy, role and permission checks, and RLS.

  • Private storage

    Employee documents stored privately with permissioned short-lived signed URLs.

  • Audit and logs

    Audit events for sensitive actions, structured logs, and Sentry monitoring when configured.

  • AI boundaries

    Provider keys server-side, prepared sources only, refusal states when providers are disabled.

  • Runbooks

    Deployment, migration, backup, restore-drill, and incident-response runbooks documented.

  • Customer responsibilities

    Legal, payroll, tax, HR, and compliance obligations stay with the customer — by design.

Review checklist

What a security-minded buyer should verify

Yrka's trust posture is strongest when the customer can connect public claims to the operating controls they will actually use.

Access and tenancy

Confirm how owner, admin, manager, and employee roles map to named permissions; review how organization scope, row-level security, and route checks prevent cross-account access.

Files and exports

Review private employee document storage, signed URL behavior, upload limits, export expectations, and who is allowed to view confidential records before rollout.

AI and source boundaries

Check which AI providers are enabled, which sources can be prepared for Resources chat, how citations appear, and where human review remains required before an AI-assisted output is used.

Operations and incident posture

Read the deployment, monitoring, backup, restore-drill, support, and incident-response runbooks so launch expectations match the controls currently in place.

Scope

What's included, what's intentionally out of scope

Yrka maps every public claim to a product source of truth.

Included

  • Supabase auth
  • Organization scoping
  • RLS
  • Role checks
  • Private file storage
  • Signed URLs
  • Audit events
  • Operations runbooks

Boundaries

  • SOC 2 report
  • ISO 27001 certification
  • HIPAA compliance
  • Payroll processor status
  • Formal uptime SLA

Security FAQ

Questions buyers ask before they trust a product

We answer security questions before they’re escalated. If something is missing, ask.

Does Yrka claim SOC 2, ISO 27001, or HIPAA?

Not at launch. The trust page lists the controls Yrka has today plus the items in flight before public launch — no certification claims are made without evidence.

How does the trial work?

Start with a 30-day card-required trial. Cancel anytime from the Stripe customer portal. Workspaces stay available for export or reactivation for 30 days after paid access ends.

Does Yrka process payroll or file taxes?

No. Yrka covers time tracking, scheduling, payroll-prep exports, and provider handoff. Customers stay in charge of payroll processing, tax filing, legal, and HR decisions.

What does mobile look like?

Responsive web and an installable PWA cover employee time entry, scheduling, resources, tasks, messages, and profile review. Employees see scoped offline read context plus queued supported writes with clear sync states.

Can we export our data?

Yes. Payroll-prep exports, schedule and time reports, and employee data exports are part of the core product. Customer data remains exportable for 30 days after paid access ends unless an earlier deletion is requested.

Trust the product before you adopt it.

Read the posture, ask the hard questions, and book a session if you want to dig deeper before a trial.

Yrka uses optional analytics on the public site to understand page interest. The authenticated app does not load GA4.