We understand that security is your priority. It’s our priority too. That’s why we use advanced security technology to protect your Yammer network’s data.
ISO 27001 is the global standard in information security. Independent auditors have verified that Yammer meets the rigorous set of physical, logical, process, and management controls defined by the ISO 27001 standard.
Yammer is participating in the Microsoft Online Services Bug Bounty, which allows thousands of security researchers to test Yammer and help make our products even safer for users.
All connections to Yammer are secured via SSL/TLS. Any attempt to connect over HTTP is redirected to HTTPS.
If your servers support TLS-encrypted email, any data sent from Yammer by email will be delivered using encrypted transport.
Yammer is built according to secure development best practices with security reviews incorporated throughout the design, prototyping and deployment process.
We classify and treat all data as confidential, using inbound and outbound low-level logical firewalls to ensure that data cannot be leaked between Yammer networks. Sensitive production data is never migrated or used outside of the production network.
Yammer’s web application servers are physically and logically separated from servers that store customer data.
Yammer’s offsite SSAE16 SOC1 data center provides 24/7/365 video surveillance, biometric and PIN-based locks, strict personnel access controls and detailed visitor entry logs.
We routinely run internal and external vulnerability scans and penetration tests and work with third-party firms for in-depth quarterly security reviews.
Your data is backed up multiple times a day and protected with strong encryption on disk. Backups are transferred off-site over SSH and properly deleted after six months.
Yammer supports SAML 1.1/2.0-based SSO on all web, desktop and mobile clients.
Set password policies for length, expiration and complexity to match your company password policies.
Session management tools let admins see the devices users are logged into, and log them out if needed. Admins can close open sessions for any users in their network by destroying OAuth tokens.
Restrict access to a specified IP range so that your network is only accessible in designated physical locations or through your organization’s VPN.