Yoola SMS serves 840+ businesses across East Africa — including SACCOs, schools, churches, and enterprise customers who trust us with sensitive communications. Here's exactly how we keep your data safe.
The specific technical measures we've implemented to protect your account, your credits, and your customer data.
All passwords are hashed with bcrypt (cost 12). Even we can't see your password. Legacy SHA-1 hashes are auto-migrated to bcrypt on next login.
One-time passwords are generated using cryptographic random_int() (not predictable rand()), expire after 5 minutes, and are single-use with a 5-attempt lockout.
5 failed login attempts triggers a 30-minute account lockout. Prevents credential stuffing and brute-force attacks.
Sessions are regenerated on login. Changing your password immediately invalidates all other active sessions. Session IDs are HTTPOnly and Secure.
100% of database queries use prepared statements with parameter binding. Zero string concatenation in SQL. Regularly audited by our team.
Every API key is limited to 30 requests per minute and a configurable daily SMS cap. Prevents abuse and protects your credits from runaway integrations.
Any campaign over 5,000 SMS triggers an instant alert to our security team. Unusual activity is investigated within minutes, not days.
Every SMS, credit change, login, and admin action is logged with timestamp, IP address, and user ID. We can reconstruct any event on request.
All traffic to yoolasms.com and our API endpoints is encrypted with TLS 1.2+. HTTP requests are 301-redirected to HTTPS.
We take Uganda's Data Protection & Privacy Act seriously. Here's what that means for you.
We handle personal data (phone numbers, message content, account information) in accordance with Uganda's Data Protection and Privacy Act, 2019. We only process data for the purposes you've authorized.
Message content is retained for delivery reporting and audit purposes for up to 90 days by default. Account data is retained while your account is active. Deletion requests are honored within 30 days.
Your data is stored on servers with our infrastructure provider. We do not sell, rent, or share your customer contact lists with any third party under any circumstances.
We use Africa's Talking as our primary SMS delivery partner. All payment processing is handled by licensed providers (Flutterwave, mobile money operators). We work only with reputable, compliant partners.
Banks, financial institutions, and enterprise customers can request a signed Data Processing Agreement (DPA) as part of vendor onboarding. Contact us at hello@yoolasms.com to request one.
We publish real-time uptime and incident data at status.yoolasms.com. Uptime percentages are calculated from actual measurements, not marketing claims
We welcome and reward security researchers who help us find and fix vulnerabilities responsibly. Here's what qualifies and what we pay.
| Severity | Examples | Reward |
|---|---|---|
| 🔴 Critical | Remote code execution · Full database access · Authentication bypass allowing mass account takeover · SMS credit theft at scale | UGX 150,000 |
| 🟠 High | Individual account takeover · Admin panel access · SMS spoofing · Significant privilege escalation | UGX 60,000 |
| 🟡 Medium | Sensitive information disclosure · Credit/balance manipulation · IDOR with real impact · Stored XSS in customer areas | UGX 25,000 |
| 🟢 Low | Reflected XSS with limited impact · CSRF on non-critical actions · Verbose error messages leaking system info | UGX 10,000 |
All reporters receive public credit in our Hall of Fame (with your permission). Exceptional reports may exceed these tiers at our discretion. Full rules and exclusions in our Disclosure Policy.
Report vulnerabilities responsibly to our security team. Please include steps to reproduce, potential impact, and any proof-of-concept code. We respond within 3 business days.
security@yoolasms.comThank you to the researchers who have helped make Yoola SMS more secure.
The Hall of Fame is waiting for its first entry.
Be the first researcher to responsibly disclose a vulnerability — you'll be permanently credited here.
Security reports: security@yoolasms.com
Enterprise / DPA requests: hello@yoolasms.com
Machine-readable policy: /.well-known/security.txt
Full disclosure policy: /vulnerability-disclosure