SECURITY & TRUST

How we protect your business.

Yoola SMS serves 840+ businesses across East Africa — including SACCOs, schools, churches, and enterprise customers who trust us with sensitive communications. Here's exactly how we keep your data safe.

Our Security Commitments

The specific technical measures we've implemented to protect your account, your credits, and your customer data.

Bcrypt Password Hashing

All passwords are hashed with bcrypt (cost 12). Even we can't see your password. Legacy SHA-1 hashes are auto-migrated to bcrypt on next login.

Cryptographic OTP

One-time passwords are generated using cryptographic random_int() (not predictable rand()), expire after 5 minutes, and are single-use with a 5-attempt lockout.

Login Rate Limiting

5 failed login attempts triggers a 30-minute account lockout. Prevents credential stuffing and brute-force attacks.

Session Security

Sessions are regenerated on login. Changing your password immediately invalidates all other active sessions. Session IDs are HTTPOnly and Secure.

SQL Injection Protected

100% of database queries use prepared statements with parameter binding. Zero string concatenation in SQL. Regularly audited by our team.

API Rate Limiting

Every API key is limited to 30 requests per minute and a configurable daily SMS cap. Prevents abuse and protects your credits from runaway integrations.

Real-time Anomaly Alerts

Any campaign over 5,000 SMS triggers an instant alert to our security team. Unusual activity is investigated within minutes, not days.

Full Audit Trail

Every SMS, credit change, login, and admin action is logged with timestamp, IP address, and user ID. We can reconstruct any event on request.

HTTPS Everywhere

All traffic to yoolasms.com and our API endpoints is encrypted with TLS 1.2+. HTTP requests are 301-redirected to HTTPS.

Data Protection & Compliance

We take Uganda's Data Protection & Privacy Act seriously. Here's what that means for you.

1

Uganda Data Protection Act Compliance

We handle personal data (phone numbers, message content, account information) in accordance with Uganda's Data Protection and Privacy Act, 2019. We only process data for the purposes you've authorized.

2

Data Retention

Message content is retained for delivery reporting and audit purposes for up to 90 days by default. Account data is retained while your account is active. Deletion requests are honored within 30 days.

3

Data Location

Your data is stored on servers with our infrastructure provider. We do not sell, rent, or share your customer contact lists with any third party under any circumstances.

4

Sub-processors

We use Africa's Talking as our primary SMS delivery partner. All payment processing is handled by licensed providers (Flutterwave, mobile money operators). We work only with reputable, compliant partners.

5

Enterprise Data Processing Agreement

Banks, financial institutions, and enterprise customers can request a signed Data Processing Agreement (DPA) as part of vendor onboarding. Contact us at hello@yoolasms.com to request one.

6

Real Time Update

We publish real-time uptime and incident data at status.yoolasms.com. Uptime percentages are calculated from actual measurements, not marketing claims

Vulnerability Disclosure Program

We welcome and reward security researchers who help us find and fix vulnerabilities responsibly. Here's what qualifies and what we pay.

Severity Examples Reward
🔴 Critical Remote code execution · Full database access · Authentication bypass allowing mass account takeover · SMS credit theft at scale UGX 150,000
🟠 High Individual account takeover · Admin panel access · SMS spoofing · Significant privilege escalation UGX 60,000
🟡 Medium Sensitive information disclosure · Credit/balance manipulation · IDOR with real impact · Stored XSS in customer areas UGX 25,000
🟢 Low Reflected XSS with limited impact · CSRF on non-critical actions · Verbose error messages leaking system info UGX 10,000

All reporters receive public credit in our Hall of Fame (with your permission). Exceptional reports may exceed these tiers at our discretion. Full rules and exclusions in our Disclosure Policy.

Found something?

Report vulnerabilities responsibly to our security team. Please include steps to reproduce, potential impact, and any proof-of-concept code. We respond within 3 business days.

security@yoolasms.com
By reporting, you agree to our Vulnerability Disclosure Policy.

🏆 Security Researcher Hall of Fame

Thank you to the researchers who have helped make Yoola SMS more secure.

The Hall of Fame is waiting for its first entry.
Be the first researcher to responsibly disclose a vulnerability — you'll be permanently credited here.

Other Security Contacts

Security reports: security@yoolasms.com
Enterprise / DPA requests: hello@yoolasms.com
Machine-readable policy: /.well-known/security.txt
Full disclosure policy: /vulnerability-disclosure