Legal & Trust Center

Privacy, Terms, and Security — in one place.

Everything our procurement, security, and legal partners need to evaluate YANA Careers. Maryland governing law. GDPR-aware. SOC 2 roadmap in progress. DPAs and NDAs available on request.

Entity: YANA Careers LLC · Maryland · HQ: Washington, DC · Last review: 2026-05-13 · Version: v1.0

Privacy Policy

Version v1.0 · Effective 2026-05-13 · Jurisdiction Maryland, USA

YANA Careers LLC ("YANA," "we," "us") builds the workforce operating system for clinical research. This Privacy Policy explains what personal information we collect, why we collect it, how we use it, and the choices you have.

We've written this in plain English first, legal English second. If anything here is unclear, write to privacy@yanacareers.com — a human will respond.

01

Overview

This Policy applies to information we collect through yanacareers.com and our product subdomains — learn, sim, verify, talent, and app — as well as through marketing communications, events, partnerships, and direct interactions with our team.

It does not apply to third-party websites we link to. It also does not apply to information our enterprise customers (sponsors, CROs, sites) collect about their own employees or candidates — those data flows are governed by separate Data Processing Agreements (DPAs).

02

Who we are

YANA Careers LLC is a Maryland limited liability company with operations based in Washington, DC. For the purposes of GDPR and similar laws, YANA Careers LLC is the data controller for personal information collected through our consumer-facing services.

For enterprise engagements where we process personal information on behalf of a sponsor, CRO, or site, YANA Careers LLC acts as a data processor under a separate DPA.

03

Information we collect

We collect information in the following categories. Not every category applies to every user — what we collect depends on which services you use.

  • Identity & contact data. Name, work email, phone number, organization, professional role, country, and other contact details you provide.
  • Career & professional data. Your background, certifications, simulation performance scores, Competency Passport entries, employment history, and career goals — provided by you or generated through your use of YANA Academy, Sim Lab, or Verified.
  • Communications data. The contents of emails, contact form submissions, scheduling requests, and conversations with our team.
  • Technical & usage data. IP address, device type, browser type, operating system, pages visited, referring URLs, timestamps, and similar diagnostic information.
  • Marketing & preference data. Newsletter subscriptions, event registrations, content preferences, communication consents, and opt-outs.
  • Payment data. For paid services, we collect billing details through our payment processor (Stripe). We do not store full payment card numbers on our systems.
Sensitive data

We do not intentionally collect categories of data classified as "sensitive" under GDPR (Article 9) — race, ethnicity, religious beliefs, health, genetic data, biometric data, sexual orientation. If you voluntarily share such information in a free-text field (for example, a message describing a health condition), we treat it as confidential and limit access to authorized personnel only.

04

How we use information

We use personal information for the following purposes, each with a clear legal basis under GDPR:

  • Provide our services — fulfill enrollments, deliver simulations, issue Competency Passports, facilitate placements. Legal basis: contract performance.
  • Communicate with you — respond to inquiries, send service notifications, share program updates. Legal basis: legitimate interests.
  • Marketing — newsletter delivery, event invitations, relevant content. Legal basis: consent (newsletter) or legitimate interests (existing customers). An opt-out is always available.
  • Improve our services — analyze usage patterns, debug issues, develop new features. Legal basis: legitimate interests.
  • Comply with legal obligations — respond to lawful requests, maintain records as required by law, defend legal claims. Legal basis: legal obligation.
  • Protect our services and users — detect fraud, prevent abuse, maintain security. Legal basis: legitimate interests.
05

How we share information

We do not sell personal information. We share information only in the following limited circumstances:

  • With service providers (subprocessors) who help us operate — hosting, email delivery, payments, analytics. Each subprocessor is bound by contractual confidentiality and data protection obligations. See the full list in Section 06.
  • With your explicit consent — for example, when you authorize us to share your Competency Passport with a specific employer through YANA Talent Cloud.
  • For legal compliance — in response to valid legal process (subpoenas, court orders) or where required by applicable law.
  • In connection with a business transfer — if YANA is acquired or merged, personal information may transfer to the acquiring entity, subject to this Policy.
  • To protect our rights and safety — to investigate fraud, enforce our Terms, or respond to credible threats to safety.
06

Subprocessors

The following third parties process personal information on our behalf. Each maintains its own security and compliance posture; we have reviewed and contractually bound each to data protection obligations consistent with this Policy.

Subprocessor | Purpose | Location | Compliance
Supabase | Database, authentication, storage | USA | SOC 2 Type II
Cloudflare | CDN, DDoS protection, DNS | Global | SOC 2, ISO 27001
Stripe | Payment processing | USA | PCI DSS Level 1
Google Workspace | Email, productivity | USA | SOC 2, ISO 27001
Anthropic | AI model inference (server-side) | USA | SOC 2 Type II
Beehiiv | Newsletter delivery | USA | Privacy Shield-aligned
Calendly | Scheduling | USA | SOC 2 Type II
HubSpot | CRM, contact forms | USA, EU | SOC 2, ISO 27001
Make.com | Workflow automation | EU | GDPR-aligned
Vimeo | Video hosting | USA | SOC 2

Our subprocessor list is current as of the effective date of this Policy and may be updated. Material changes will be communicated through this page or via direct notice to enterprise customers under DPA.

07

International data transfers

YANA is headquartered in the United States. Personal information we collect may be transferred to, processed in, and stored in the US and other countries where we or our subprocessors operate.

For transfers of personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to the US, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented where necessary by additional safeguards consistent with the Schrems II decision and EDPB guidance.

08

Data retention

We retain personal information only as long as necessary to fulfill the purposes described in this Policy, comply with our legal obligations, resolve disputes, and enforce our agreements.

  • Account & service data — retained for the duration of your relationship with YANA, plus a reasonable period thereafter (typically 24 months) for legal and operational purposes.
  • Competency Passport credentials — retained for the lifetime of the credential, unless you request deletion (see Section 09). Verification URLs remain active to support employer verification.
  • Marketing communications data — retained until you unsubscribe or withdraw consent, plus suppression list retention to honor your opt-out.
  • Financial & tax records — retained for the period required by applicable tax and accounting law (typically 7 years in the US).
  • Logs & technical data — typically retained for 90 days, longer if required for security investigations.
09

Your rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access — request a copy of the personal information we hold about you.
  • Correction — request that we correct inaccurate or incomplete information.
  • Deletion — request that we delete your personal information, subject to legal retention requirements.
  • Restriction — request that we restrict processing in certain circumstances.
  • Portability — receive your information in a structured, machine-readable format.
  • Objection — object to processing based on our legitimate interests, including for direct marketing.
  • Withdraw consent — where processing is based on consent, withdraw that consent at any time.
  • Lodge a complaint — with your local data protection authority. For EEA residents: the supervisory authority in your member state.

To exercise any of these rights, contact privacy@yanacareers.com. We will respond within 30 days, or as required by applicable law.

California residents (CCPA / CPRA)

California residents have additional specific rights including the right to know what categories of personal information are collected, the right to delete, the right to correct, the right to opt out of "sale" or "sharing" (we do not sell or share for cross-context behavioral advertising), and the right not to be discriminated against for exercising these rights.

10

Cookies & similar technologies

We use cookies and similar technologies in three categories:

  • Essential cookies — required for the site to function. Cannot be turned off.
  • Analytics cookies — help us understand how visitors use the site (Google Analytics 4, Microsoft Clarity). Used for service improvement.
  • Marketing cookies — set only with your explicit consent, used to measure the effectiveness of marketing activities.

You can manage cookie preferences through the cookie banner on first visit or through your browser settings. Disabling cookies may affect the functionality of some features.

11

Children's privacy

YANA's services are not directed to children. We do not knowingly collect personal information from anyone under the age of 16 (or under 13 for users in the United States). If we learn that we have collected such information without verifiable parental consent, we will delete it.

12

Changes to this Policy

We may update this Policy from time to time. Material changes will be communicated by posting the updated Policy on this page with a new "Effective" date and, where appropriate, by direct notice (email or in-product notification).

Your continued use of our services after a change takes effect constitutes acceptance of the revised Policy.

13

Contact us

For privacy questions, requests to exercise rights, or to escalate a concern:

  • Privacy: privacy@yanacareers.com
  • DPA & enterprise: partnerships@yanacareers.com
  • Mailing address: YANA Careers LLC, Washington, DC, United States

Need a Data Processing Agreement? Enterprise customers receive a DPA upon engagement. Pre-engagement reviews available on request.


Terms of Service

Version v1.0 · Effective 2026-05-13 · Governing law Maryland, USA

These Terms govern your use of YANA Careers' websites, products, and services. By accessing or using our services, you agree to these Terms.

If you're engaging with us under a separate enterprise agreement (MSA, SOW, or DPA), that agreement controls over any conflict with these Terms. See Section 13.

01

Acceptance of these Terms

By accessing or using yanacareers.com or any product subdomain (collectively, the "Services"), creating an account, enrolling in a program, or otherwise interacting with our Services, you confirm that you have read, understood, and agreed to these Terms.

If you do not agree, do not use the Services.

02

Definitions

YANA, we, us, our
YANA Careers LLC, a Maryland limited liability company.
User, you, your
The individual or organization accessing or using the Services.
Customer
An organization (sponsor, CRO, site, partner) that engages YANA under a commercial agreement.
Services
YANA's websites, applications, products, programs, and related offerings — including Academy, Sim Lab, Verified, Talent Cloud, and AI.
Content
Text, images, videos, simulations, credentials, and other materials made available through the Services.
User Content
Content that Users submit, post, or transmit through the Services.
03

Eligibility & accounts

You must be at least 18 years old and legally able to enter into a binding contract to use the Services. By using the Services, you represent that you meet these requirements.

If you create an account, you agree to:

  • Provide accurate, current, and complete information.
  • Maintain the security of your account credentials. You are responsible for all activity on your account.
  • Notify us promptly at security@yanacareers.com of any unauthorized access.
  • Use one account per person — accounts are not transferable.
04

Our Services

YANA provides workforce infrastructure for clinical research — training, competency verification, placement, and related services. Specific features, deliverables, and outcomes are described on the product pages and in any applicable enrollment agreement, SOW, or program documentation.

We do not guarantee employment outcomes. While our placement engagements have a documented 89% hire rate within 90 days of program completion (as of the date of these Terms), individual results vary based on background, market conditions, and effort.

We may modify, suspend, or discontinue any aspect of the Services at any time with reasonable notice where the change is material.

05

Payments & refunds

Paid Services are billed through our payment processor (Stripe). By making a purchase, you authorize us to charge the payment method you provide.

  • Subscriptions renew automatically until cancelled. You can cancel at any time through your account or by contacting billing@yanacareers.com.
  • One-time fees (cohort enrollments, placement fees) are due as specified in the enrollment agreement or SOW.
  • Refunds are governed by the specific program's enrollment agreement. Where no agreement specifies otherwise, all fees are non-refundable once services have begun.
  • Taxes may apply based on your location. Where applicable, taxes are added to the listed price.
  • Failed payments may result in suspension of access until the account is current.
06

Intellectual property

All Content provided through the Services — including curriculum, simulations, methodologies, the Competency Passport framework, brand marks, and software — is owned by YANA or its licensors and is protected by intellectual property laws.

We grant you a limited, non-exclusive, non-transferable, revocable license to access and use the Services and Content for your personal or internal business use, in accordance with these Terms.

You may not:

  • Copy, reproduce, distribute, or publicly display Content beyond the limits of fair use, without our written consent.
  • Reverse engineer, decompile, or attempt to extract source code from our software.
  • Use our brand marks, trade names, or logos without explicit written permission.
  • Resell, sublicense, or commercially exploit any aspect of the Services.

You retain ownership of your User Content. By submitting User Content, you grant YANA a worldwide, royalty-free license to use, display, and process that content as necessary to operate the Services.

07

Acceptable use

You agree not to use the Services to:

  • Violate any applicable law or regulation.
  • Misrepresent your identity, credentials, or affiliation.
  • Falsify simulation results or attempt to obtain a Competency Passport credential through fraud.
  • Harass, defame, or harm others.
  • Upload malicious code, viruses, or harmful content.
  • Attempt to gain unauthorized access to the Services, accounts, or systems.
  • Scrape, harvest, or otherwise extract data from the Services without our written consent.
  • Interfere with the operation of the Services or the experience of other users.

We may suspend or terminate access without notice for violations.

08

Disclaimers

THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE," WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND UNINTERRUPTED OR ERROR-FREE OPERATION.

While we work to provide accurate and current content, we do not warrant that the Services will meet your specific requirements, that placement outcomes will occur within a specific timeframe, or that any specific employer will hire you.

09

Limitation of liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, YANA AND ITS OFFICERS, EMPLOYEES, AGENTS, AND AFFILIATES WILL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS, REVENUES, DATA, OR GOODWILL, ARISING OUT OF OR IN CONNECTION WITH YOUR USE OF THE SERVICES.

OUR TOTAL CUMULATIVE LIABILITY FOR ANY CLAIM ARISING OUT OF OR RELATING TO THESE TERMS OR THE SERVICES WILL NOT EXCEED THE GREATER OF (A) THE AMOUNT YOU PAID TO YANA IN THE 12 MONTHS PRECEDING THE CLAIM, OR (B) ONE HUNDRED US DOLLARS ($100).

Some jurisdictions do not allow the exclusion or limitation of certain damages — these limitations may not fully apply to you.

10

Indemnification

You agree to indemnify, defend, and hold harmless YANA from and against any claims, damages, losses, liabilities, and expenses (including reasonable attorneys' fees) arising out of or related to: (a) your use of the Services in violation of these Terms; (b) your User Content; or (c) your violation of any third-party right.

11

Termination

You may stop using the Services at any time. We may suspend or terminate your access to the Services at any time, with or without notice, for any reason, including violation of these Terms.

Upon termination, your right to use the Services ceases. Provisions that by their nature should survive (intellectual property, disclaimers, limitations of liability, indemnification, governing law) will survive termination.

If you have completed a YANA Verified program and earned a Competency Passport, your earned credentials remain valid post-termination unless revoked for fraud or other material cause.

12

Governing law & disputes

These Terms are governed by the laws of the State of Maryland, USA, without regard to its conflict of laws principles.

Informal resolution first. Before filing any formal claim, you agree to contact us at legal@yanacareers.com and attempt to resolve the matter informally for at least 30 days.

Arbitration. Any dispute not resolved informally will be submitted to binding arbitration administered by JAMS in accordance with its Streamlined Arbitration Rules. Arbitration will take place in Maryland, USA. Each party will bear its own costs.

Class action waiver. You agree to bring claims only on an individual basis. You waive the right to participate in any class or collective action.

Exception. Either party may seek injunctive or equitable relief in a court of competent jurisdiction for matters involving intellectual property, confidentiality, or unauthorized access.

13

Enterprise terms

For Hiring Teams, CROs, Sites, and Partners

For Customers engaging YANA under a separate Master Services Agreement (MSA), Statement of Work (SOW), Data Processing Agreement (DPA), or other commercial contract, that agreement governs the relationship and controls over any conflict with these Terms.

Where the enterprise agreement is silent on a particular matter, these Terms fill the gap. Enterprise customers receive priority support, dedicated account management, and contractual SLAs as documented in their specific agreement.

If you would like to engage YANA under enterprise terms, contact partnerships@yanacareers.com.

14

Modifications to these Terms

We may revise these Terms from time to time. For material changes affecting your rights or obligations, we will provide at least 30 days' notice by email or in-product notification before the changes take effect.

Your continued use of the Services after the effective date constitutes acceptance of the revised Terms. If you do not agree to a material change, you may terminate your use of the Services.

15

General

  • Entire agreement. These Terms (together with any enterprise agreement and our Privacy Policy) constitute the entire agreement between you and YANA regarding the Services.
  • Severability. If any provision is held unenforceable, the remaining provisions will continue in full effect.
  • No waiver. Our failure to enforce any provision does not waive our right to do so later.
  • Assignment. You may not assign these Terms without our consent. We may assign these Terms in connection with a merger, acquisition, or sale of assets.
  • Notices. Notices to YANA should be sent to legal@yanacareers.com. Notices to you may be sent to the email associated with your account.

Engaging us as an enterprise customer? We have MSA, SOW, and DPA templates ready. Standard procurement reviews clear in 1–2 weeks.


Security practices

Version v1.0 · Effective 2026-05-13 · Next review 2026-11-13

YANA Careers operates infrastructure that handles sensitive workforce and career data for clinical research professionals and the sponsors, CROs, and sites that hire them. We take that responsibility seriously.

This page documents our current security posture and our roadmap. If you need a deeper review for procurement — security questionnaire response, SOC 2 reports from our subprocessors, or a custom DPA — contact security@yanacareers.com.

01

Our commitment

Security at YANA is built around three principles:

  • Defense in depth. Multiple overlapping controls so no single failure exposes data.
  • Least privilege. Every system, every person, every integration gets only the access strictly required.
  • Transparent posture. We document what we do, where we use subprocessors, and where we're going next. Procurement teams should not have to guess.
02

Security pillars at a glance

Pillar 01
Encryption

TLS 1.2+ in transit · AES-256 at rest, managed by our hosting provider.

Pillar 02
Access

MFA available on all accounts · Row-Level Security on all database tables.

Pillar 03
Infrastructure

SOC 2 Type II hosting partners · isolated production environment.

Pillar 04
Application

No client-side API keys · Edge Function isolation for AI inference.

Pillar 05
Operations

Daily automated backups · 90-day log retention · documented runbooks.

Pillar 06
Response

Documented incident response · 72-hour breach notification for affected personal data.

03

Encryption

In transit. All traffic to and from YANA properties uses TLS 1.2 or higher with modern cipher suites. HTTP Strict Transport Security (HSTS) is enforced. Certificates are managed through Cloudflare.

At rest. Data stored in our primary database (Supabase) is encrypted at rest using AES-256. File storage uses the same encryption standard. Backup volumes are encrypted with separate keys.

Secrets management. Application secrets, API keys, and credentials are stored in encrypted secret stores. No production secrets are committed to source code or transmitted in client-side application bundles.

04

Access controls

Authentication. Multi-factor authentication (MFA) is available for all user accounts and required for all internal team accounts. Single Sign-On (SSO via SAML or OIDC) is on the roadmap for enterprise customers.

Authorization. Database-level Row-Level Security (RLS) is enforced on all tables containing personal data, so users can only access records they are authorized to see — even if the application layer is bypassed.

Internal access. Team access to production systems follows the principle of least privilege. Access is reviewed quarterly. Access to customer personal data outside of break/fix scenarios is logged.

Offboarding. When a team member departs, access is revoked across all systems within 24 hours. Shared credentials (where unavoidable) are rotated within 48 hours.

05

Infrastructure

YANA's production infrastructure is built on enterprise-grade providers with established compliance postures:

Layer | Provider | Compliance
Application hosting | Supabase (AWS-backed) | SOC 2 Type II
CDN & edge | Cloudflare | SOC 2, ISO 27001
DDoS protection | Cloudflare | Always-on, automatic
DNS | Cloudflare | DNSSEC where applicable
Payments | Stripe | PCI DSS Level 1
AI inference | Anthropic API | SOC 2 Type II
Email transport | Google Workspace | SOC 2, ISO 27001

Production isolation. Production environments are isolated from development and staging. Customer data is never used in non-production environments.

Network controls. Inbound network access to production systems is restricted to known ingress points. Outbound traffic is monitored.

06

Application security

  • Code review. All code changes are reviewed before being merged to production branches.
  • Dependency scanning. Automated dependency vulnerability scanning runs on every build. Known critical and high-severity vulnerabilities are remediated within 14 days.
  • Static analysis. Code is linted and scanned for common security patterns before release.
  • No client-side secrets. API keys, database credentials, and authentication tokens are never embedded in client-side application code.
  • Content Security Policy. CSP headers are configured to prevent injection of unauthorized scripts.
  • Penetration testing. Annual third-party penetration testing is planned beginning Q4 2026.
07

AI architecture

Architectural rule

All AI model calls route through server-side Edge Functions. No AI provider API keys are ever transmitted to or stored in client-side application code. This protects credentials, enables rate limiting, and ensures all AI-assisted operations are logged for audit.

YANA uses AI to support competency simulation scoring, content generation, and career intelligence. Specific architectural commitments:

  • AI inference happens exclusively through approved, contracted providers (currently Anthropic) — not on consumer chat interfaces.
  • Customer personal data sent to AI providers is governed by the provider's enterprise terms, including data retention and training exclusion clauses.
  • AI-generated content is reviewed by human operators before being treated as authoritative output (for example, Competency Passport scoring).
  • Customers under enterprise DPAs may opt out of any AI processing of their personnel data.
08

Operational security

  • Backups. Daily automated backups of production database with point-in-time recovery available for the past 7 days.
  • Disaster recovery. Documented runbooks for recovery scenarios. Target RPO: 24 hours. Target RTO: 8 business hours for critical services.
  • Logging. Application, authentication, and infrastructure logs are centralized and retained for 90 days minimum.
  • Monitoring. Uptime monitoring and performance metrics tracked continuously. Anomaly alerts route to on-call team.
  • Change management. Production changes go through code review, automated testing, and staged rollout.
  • Vendor management. Subprocessors are reviewed for compliance posture before onboarding and re-reviewed annually.
09

Incident response

YANA maintains a documented incident response process covering detection, containment, eradication, recovery, and post-incident review.

  • Detection. Monitoring, logging, and user reports feed our detection process.
  • Triage. Incidents are classified by severity. Critical incidents trigger immediate response.
  • Containment. Affected systems are isolated to prevent further impact.
  • Notification. For incidents involving unauthorized access to personal data, we notify affected users and regulators as required — within 72 hours for incidents meeting GDPR notification thresholds.
  • Post-incident review. Every significant incident gets a written review with documented remediation actions.
10

Compliance roadmap

We document current state and planned milestones transparently:

Achieved | Q-IAOCR Trainer Certification | #16167194 · Feb 2026
Current | GDPR-aligned posture | SCCs in place · DPA template ready
Current | CCPA-aligned posture | CA resident rights honored
Current | HIPAA-aligned posture | Not a covered entity · safeguards in place where adjacent
Current | 21 CFR Part 11 alignment | For curriculum & competency credentialing
Planned | SOC 2 Type I report | Target Q4 2026
Planned | SOC 2 Type II report | Target 2027
Planned | Annual third-party penetration test | Beginning Q4 2026
Planned | Enterprise SSO (SAML / OIDC) | Available on enterprise plans · 2026 H2
11

Responsible disclosure

We welcome reports from security researchers. If you believe you've found a vulnerability in YANA's services:

  • Email security@yanacareers.com with a description, reproduction steps, and any supporting evidence.
  • Give us reasonable time (typically 90 days) to investigate and remediate before publicly disclosing.
  • Do not access, modify, or delete data belonging to others. Do not disrupt our services.
  • Stay within the bounds of authorized testing — no social engineering, physical access attempts, or denial-of-service.

We will acknowledge your report within 5 business days and provide status updates as our investigation progresses. We do not currently operate a paid bug bounty but we recognize responsible reporters publicly (with permission).

12

Contact

  • Security vulnerabilities: security@yanacareers.com
  • Security questionnaires & reviews: security@yanacareers.com
  • Privacy questions: privacy@yanacareers.com
  • Enterprise & DPA: partnerships@yanacareers.com

Need a security questionnaire response? We respond to standard vendor security assessments (CAIQ, SIG Lite, custom) within 5 business days.
