Compliance
One transparent place for how yasync.com handles data: who processes what, where files live, and how they are protected.
Last updated: July 12, 2026
Who we are
The legal operator and GDPR controller are not yet verified or published; this is a public-launch blocker, not an assertion that another company operates yasync. The remaining fields are on the imprint checklist, and the development data description is in the privacy policy.
This page lists the third-party processors we use, our security practices, the jurisdiction our infrastructure is subject to, and the process for reporting illegal content. A reachable privacy contact is still required before public launch.
Subprocessors
We keep the list deliberately short. Providers marked as optional are not active in this development deployment and require their own documented activation gate.
| Provider | What it does for yasync.com | Safeguards / region |
|---|---|---|
Cloudflare, Inc. Cloudflare, Inc., USA ISO/IEC 27001ISO 27018ISO 27701SOC 2 Type II | R2 object storage for transfer files; global edge delivery of downloads and the download gate worker. Production storage residency will be documented before launch. | EU Standard Contractual Clauses / EU-U.S. Data Privacy Framework where certified; production region pending |
Stripe Payments Europe, Ltd. Stripe Payments Europe, Ltd., Ireland PCI DSS Level 1SOC 1SOC 2 Type IISOC 3 | Active only in Stripe test mode for protected checkout, test payment processing, invoices, subscription management, the billing portal, and storage meter events. Test mode cannot create real charges. | EU entity (Ireland) |
The hosting provider of the application server and database will be added to this list before public launch. Where a provider processes data outside the EU, transfers are covered by the EU Standard Contractual Clauses and, where the provider is certified, the EU-U.S. Data Privacy Framework.
Security practices
We would rather list what we actually do than decorate this page with borrowed badges. These are the measures in place today:
- All traffic is TLS-encrypted, and transfer files are encrypted at rest with provider server-side encryption.
- Customer files are never scanned for advertising or profiling and are never used to train machine-learning models — ours or anyone else’s. Any authorised abuse review is limited to the specifically reported transfer; staffing that workflow is a launch requirement.
- Account and transfer passwords are stored bcrypt-hashed; password attempts on protected transfers are rate-limited.
- Download URLs are HMAC-SHA256 signed with an expiry — links cannot be guessed, enumerated, or hotlinked.
- File names are never part of storage paths or URLs; storage keys are opaque identifiers.
- Password-protected transfers reveal nothing — not even file names — until the password is verified.
- Sending clients compute a whole-file CRC32 locally and store it with the transfer. The tested macOS desktop preview can verify a downloaded file against that value; the server does not claim to recompute CRC32 from the stored object.
- File downloads are served with strict no-sniff and forced-download headers, so uploaded content cannot execute as a web page.
- Expired transfers leave active storage through automated cleanup and are permanently purged from recovery storage within seven days.
- Advertising and ad scripts are disabled in development. A future free-tier ad rollout requires a certified consent platform plus a separate compliance-approval build flag; Pro is designed to remain ad-free.
- Production database backup provider, scope, restore drills, and retention remain launch requirements; the current persistent volume is development-only.
Certified infrastructure
Every external provider that touches customer data holds current, independently audited certifications — ISO/IEC 27001 and/or SOC 2 Type II, with PCI DSS Level 1 where card payments are involved. The certifications shown in the subprocessor table are issued to those providers, and their current status is published in each provider’s own trust center.
yasync.com itself has not yet completed an independent SOC 2 or ISO 27001 audit — we are a small team and would rather say that plainly than imply otherwise. What we build runs on certified infrastructure, and our own practices are listed above, in plain language.
Data portability
Your files are always exportable the obvious way: download them through your own transfer links at any time before expiry or deletion — in their original format, individually, or as a ZIP when the set is no larger than 64 GiB. A self-service account-data export and a reachable rights-request channel are still required before public launch. We will not charge export fees.
Infrastructure jurisdiction
Information on where our infrastructure runs and which jurisdiction it is subject to:
- Transfer files are stored in Cloudflare R2 object storage. Development buckets have no region guarantee; the production storage-residency configuration will be documented before launch. Cloudflare, Inc. is a US-headquartered company and is subject to US jurisdiction at the corporate level.
- Downloads are delivered through Cloudflare’s global edge network, gated by our own HMAC-token-checking worker — files are never publicly addressable.
- The application server and database jurisdiction will be documented here once the hosting provider is announced.
Measures against unlawful governmental access from third countries include EU Standard Contractual Clauses (and the EU-U.S. Data Privacy Framework where certified) with our providers, TLS encryption in transit, HMAC-signed expiring download URLs, strict access controls, and Art. 28 GDPR data processing agreements with every provider that touches customer data. Production storage residency will be added to this description once configured.
Reporting illegal content
yasync.com hosts content that senders upload — including anonymous senders. If you believe content distributed through this platform is illegal, use our report form — it is the current durable notice intake built toward Art. 16 DSA. To make a report useful for the future staffed process, please include:
- why you consider the content illegal,
- the exact transfer link,
- your name and email address (not required for content involving certain serious offences), and
- a statement that your report is made in good faith and is accurate to your knowledge.
The form confirms durable database receipt and returns a case ID. A staffed, diligent review queue, reporter and affected-sender decision notices, and redress handling remain public-launch requirements; this development deployment sends no acknowledgement or decision email. An authenticated kill switch can disable a transfer after an authorised decision, but no staffed decision workflow is operating yet. The future process must take down transfers found to violate the law or our terms and record the basis for that action.
Copyright (DMCA) notices, the counter-notice procedure, and our repeat-infringer policy are described in the takedown & abuse policy.
DSA points of contact
The EU Digital Services Act requires electronic points of contact for authorities (Art. 11) and users (Art. 12). The user report form is working, but the production authority contact and staffed communication process are not configured yet and remain launch blockers.
Development status
User notices: report form (no account required).
Authority contact: [reachable Art. 11 address and operating procedure required before launch].
Notices about illegal content should preferably be filed through the report form so the database record contains the fields a future staffed review needs. Submission returns a case ID; it does not promise that a review or action queue is currently staffed.
Supervisory authority
The competent authority depends on the verified controller and is not yet established:
[Competent supervisory authority required before launch]
Related pages
- Privacy policy — what we process, why, and your rights.
- Terms of service — the agreement for using yasync.com.
- Takedown & abuse policy — DMCA, DSA notice-and-action, repeat infringers.
- Report form — report illegal or infringing content.
- Imprint — company details and contact.