Web | Mobile | Admin
From 1 July 2023, Yokoy records administrative activities and accesses performed in Yokoy as technical audit logs (non-relational data), which are stored in Google Cloud (GCP) and Splunk Cloud.
As a Yokoy admin, you may request technical audit logs for your organization on a quarterly basis by reaching out to Yokoy Support and indicating your organization name, the data you want to access, and the date range.
Technical audit logs track changes related to:
organization
users (roles and permissions)
cost objects
legal entities (including employee policies, expense rules, tags, categories, VAT rates, mileage rates, per diems)
company cards (excluding card numbers)
These logs are stored for up to 60 days in short-term storage for technical debug operations, and up to 7-10 years in long-term storage, depending on country-specific financial regulations.
Yokoy uses strict measures to ensure confidentiality, integrity, and availability in accordance with the CIA triad principles, as well as authorization and accountability:
Confidentiality
Access to Yokoy technical audit logs stored in temporary locations (required by services that produce these logs) is restricted and granted solely on a need-to-access basis. This ensures sensitive information is only accessible by authorized personnel, thereby safeguarding against unauthorized disclosure.
Integrity
The integrity of technical audit logs is critical for maintaining reliable and accurate records. To uphold this, key engineering users are granted read-only access (via an auditable process attached to the Helpdesk function, which requires new access to be logged and approved) to long-term technical audit logs in both Splunk and GCP. This measure prevents unauthorized alterations, ensuring log data remains trustworthy and unmodified. It is not possible to alter the logs inside Splunk or GCP Log Storage. Once the logs are shipped, they are all read-only by nature. Not even admin accounts have the capability of altering these logs.
Authorization and Accountability
All access operations to technical audit logs are comprehensively logged. This provides a transparent audit trail of who accessed the logs and when, enhancing accountability and supporting effective authorization management.
In terms of compliance, Yokoy adheres to ISO 27001 certification. ISO 27001 certification training is mandatory for all staff with access to Yokoy and client data, including Splunk and GCP technical audit logs. Any violations are subject to review and lead to disciplinary action in line with company procedures. Policies related to storage and access are re-reviewed annually or as required by changes in technology, business practices, or applicable laws, to ensure ongoing relevance and effectiveness in protecting our technical audit log data.
