// Trust & Security Report

    Yellow.ai (Bitonic Technology Labs Inc) logo

    Yellow.ai (Bitonic Technology Labs Inc)

    Agentic AI Platform for Customer Experience (CX) and Employee Experience (EX) automation

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type II — SOC 2 Type II Compliant

    Verify on yellow.ai
    ISO/IEC 27001:2022
    HELD

    ISO 27001 — ISO/IEC 27001:2022 Certification

    Verify on yellow.ai
    ISO/IEC 27701:2019
    HELD

    ISO 27701 — ISO/IEC 27701:2019 Certification

    Verify on yellow.ai
    HIPAA
    HELD

    HIPAA — Health Insurance Portability and Accountability Act

    Verify on yellow.ai
    PCI-DSS v4.0.1
    HELD

    PCI-DSS V 4.0.1 — Compliant as a Service Provider*

    Verify on yellow.ai
    ISO/IEC 27018:2019
    HELD

    Yellow.ai is ISO 27001:2013 and ISO 27018:2019 certified regarding the security of Information management.

    Verify on yellow.ai

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    US, EU, Singapore, India, Indonesia, UAE. DPA confirms primary processing in US and India. EEA customers' data stored and processed in EEA. GDPR transfers via Data Privacy Framework or EU SCCs (fallback).

    The DPA (Section 2.2) restricts processing to purposes set forth in the Agreement and explicitly prohibits combining customer Personal Data with data from other parties (Section 2.5). No clause authorizes Yellow.ai to use customer data for training its own AI models. However, for GenAI Services, the privacy policy and ToS disclose that 'the Services may send applicable portions of the Customer content, including Customer End User Data in an anonymised form or as-is based on its requirements, to other applications or websites, including to third-party AI providers which are authorized by the Customer.' Yellow.ai states it is 'not responsible for Customer content after it has been provided to a third-party AI provider.' Customers should request the current sub-processor list to understand which LLM providers receive their data.

    // Security controls

    Encryption in transit

    TLS/SSL 256-bit (HTTPS) for all data in transit

    yellow.ai

    Credential storage

    Credentials encrypted using salted hash (SHA-256)

    yellow.ai

    Key management

    Keys maintained in Vaults, recycled every quarter

    yellow.ai

    Penetration testing

    Annual third-party penetration tests: 'Every year, we engage third-party security experts to perform detailed penetration tests on the chatbot platform.'

    yellow.ai

    Vulnerability scanning

    Continuous scanning with third-party security tools

    yellow.ai

    Bug bounty / VDP

    Vulnerability Disclosure Program (VDP) via HackerOne embedded form. No monetary rewards. Scope limited to cloud.yellow.ai. 3-5 business day acknowledgment SLA.

    yellow.ai

    SSO and authentication

    Google SSO, Microsoft SSO, ADFS, Azure AD at platform level; AD, LDAP, SAML, OAuth2 at bot level

    yellow.ai

    Infrastructure

    Virtual Private Cloud (VPC) with access control lists; N+1 availability zone redundancy across all data center regions

    yellow.ai

    Data hosting

    US, EU, Singapore, India, Indonesia, UAE

    yellow.ai

    GDPR / DPO

    Dedicated Data Protection Officer reachable at dpo@yellow.ai. DPA available at yellow.ai/dpa. EEA transfers via Data Privacy Framework and EU SCCs.

    yellow.ai

    // Products & data scope

    Nexus Agentic AI PlatformAI Agent Builder / Conversational AI Platform

    data: Enterprise customer and end-user conversation data, integration data from 150+ connectors (Salesforce, Zendesk, Genesys, etc.). Data governed by enterprise DPA. SOC 2 Type II and ISO 27001 apply.

    Core platform for building, testing, and deploying AI agents via natural language. Multi-LLM architecture supporting 15+ models. Customer retains control over which LLM providers receive data.

    Nexus Vox (Voice AI)Enterprise Voice AI

    data: Voice interaction data, call transcripts, real-time audio processed in the same infrastructure. PCI-DSS v4.0.1 compliance applicable for payment-related voice flows.

    Described as 'the first enterprise Voice AI built as One System.' HIPAA compliance claimed, making it suitable for healthcare voice automation.

    Agent AssistEmployee Experience (EX) AI Copilot

    data: Internal employee queries, HR and IT knowledge base data. Same DPA and SOC 2 scope as main platform.

    Employee-facing product distinct from customer-facing CX suite. Integrates with internal enterprise systems.

    GenAI Services (within platform)Generative AI features

    data: Customer content and end-user data forwarded to third-party AI providers in anonymized or as-is form per customer authorization. Yellow.ai disclaims responsibility once data leaves its environment.

    Critical risk for regulated industries: downstream LLM providers' data handling is governed by those providers' own terms. Customers must authorize specific AI providers and review sub-processor list.

    // What to watch

    • ISO 27001 version discrepancy: security page claims ISO/IEC 27001:2022 while privacy policy states ISO 27001:2013. Similarly, security page lists ISO 27701:2019 while privacy policy states ISO 27018:2019. Privacy policy likely has documentation lag. Recommend requesting current certificates to confirm exact versions held.
    • GenAI Services data forwarding: customer content (including end-user PII) can be sent to third-party LLM providers 'in anonymised form or as-is.' Yellow.ai explicitly disclaims responsibility once data leaves its environment. Healthcare and financial services customers must vet the sub-processor LLM list.
    • HIPAA attestation, not formal certification: HIPAA is a US regulatory compliance attestation, not a third-party certificate. No BAA link is publicly available. Healthcare customers should request and execute a BAA before deployment.
    • VDP only, no paid bug bounty: Yellow.ai operates a VDP via HackerOne with no monetary rewards. This is a lower incentive than a full bug bounty, though HackerOne platform management is a positive signal.
    • PCI-DSS qualified as 'Service Provider' with asterisk on security page: customers handling payment card data should request the Attestation of Compliance (AoC) to confirm scope.

    // At a glance

    Pricing model

    Enterprise / custom pricing. Demo required. No public self-serve pricing. Sales-led motion targeting 1300+ enterprise accounts.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Yellow.ai (Bitonic Technology Labs Inc)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    yellow.ai

    > Browse all vendor trust reports