// Trust & Security Report
Yellow.ai (Bitonic Technology Labs Inc)
Agentic AI Platform for Customer Experience (CX) and Employee Experience (EX) automation
Certifications held
6
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on yellow.ai“Yellow.ai is ISO 27001:2013 and ISO 27018:2019 certified regarding the security of Information management.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
US, EU, Singapore, India, Indonesia, UAE. DPA confirms primary processing in US and India. EEA customers' data stored and processed in EEA. GDPR transfers via Data Privacy Framework or EU SCCs (fallback).
The DPA (Section 2.2) restricts processing to purposes set forth in the Agreement and explicitly prohibits combining customer Personal Data with data from other parties (Section 2.5). No clause authorizes Yellow.ai to use customer data for training its own AI models. However, for GenAI Services, the privacy policy and ToS disclose that 'the Services may send applicable portions of the Customer content, including Customer End User Data in an anonymised form or as-is based on its requirements, to other applications or websites, including to third-party AI providers which are authorized by the Customer.' Yellow.ai states it is 'not responsible for Customer content after it has been provided to a third-party AI provider.' Customers should request the current sub-processor list to understand which LLM providers receive their data.
// Security controls
Penetration testing
Annual third-party penetration tests: 'Every year, we engage third-party security experts to perform detailed penetration tests on the chatbot platform.'
yellow.aiBug bounty / VDP
Vulnerability Disclosure Program (VDP) via HackerOne embedded form. No monetary rewards. Scope limited to cloud.yellow.ai. 3-5 business day acknowledgment SLA.
yellow.aiSSO and authentication
Google SSO, Microsoft SSO, ADFS, Azure AD at platform level; AD, LDAP, SAML, OAuth2 at bot level
yellow.aiInfrastructure
Virtual Private Cloud (VPC) with access control lists; N+1 availability zone redundancy across all data center regions
yellow.aiGDPR / DPO
Dedicated Data Protection Officer reachable at dpo@yellow.ai. DPA available at yellow.ai/dpa. EEA transfers via Data Privacy Framework and EU SCCs.
yellow.ai// Products & data scope
data: Enterprise customer and end-user conversation data, integration data from 150+ connectors (Salesforce, Zendesk, Genesys, etc.). Data governed by enterprise DPA. SOC 2 Type II and ISO 27001 apply.
Core platform for building, testing, and deploying AI agents via natural language. Multi-LLM architecture supporting 15+ models. Customer retains control over which LLM providers receive data.
data: Voice interaction data, call transcripts, real-time audio processed in the same infrastructure. PCI-DSS v4.0.1 compliance applicable for payment-related voice flows.
Described as 'the first enterprise Voice AI built as One System.' HIPAA compliance claimed, making it suitable for healthcare voice automation.
data: Internal employee queries, HR and IT knowledge base data. Same DPA and SOC 2 scope as main platform.
Employee-facing product distinct from customer-facing CX suite. Integrates with internal enterprise systems.
data: Customer content and end-user data forwarded to third-party AI providers in anonymized or as-is form per customer authorization. Yellow.ai disclaims responsibility once data leaves its environment.
Critical risk for regulated industries: downstream LLM providers' data handling is governed by those providers' own terms. Customers must authorize specific AI providers and review sub-processor list.
// What to watch
- ISO 27001 version discrepancy: security page claims ISO/IEC 27001:2022 while privacy policy states ISO 27001:2013. Similarly, security page lists ISO 27701:2019 while privacy policy states ISO 27018:2019. Privacy policy likely has documentation lag. Recommend requesting current certificates to confirm exact versions held.
- GenAI Services data forwarding: customer content (including end-user PII) can be sent to third-party LLM providers 'in anonymised form or as-is.' Yellow.ai explicitly disclaims responsibility once data leaves its environment. Healthcare and financial services customers must vet the sub-processor LLM list.
- HIPAA attestation, not formal certification: HIPAA is a US regulatory compliance attestation, not a third-party certificate. No BAA link is publicly available. Healthcare customers should request and execute a BAA before deployment.
- VDP only, no paid bug bounty: Yellow.ai operates a VDP via HackerOne with no monetary rewards. This is a lower incentive than a full bug bounty, though HackerOne platform management is a positive signal.
- PCI-DSS qualified as 'Service Provider' with asterisk on security page: customers handling payment card data should request the Attestation of Compliance (AoC) to confirm scope.
// At a glance
Pricing model
Enterprise / custom pricing. Demo required. No public self-serve pricing. Sales-led motion targeting 1300+ enterprise accounts.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Yellow.ai (Bitonic Technology Labs Inc)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
yellow.ai