Last Updated: September 2025
This document presents the highlights of OpenYield’s CyberSecurity Program.
All access to our production environment is via encrypted connections only. Our security certificates are issued and verified by third-party providers. For trading connections, access is via encrypted connections and whitelisted ip and port point-to-point connections.
Our public-facing systems are behind strict firewalls, and are layered through additional firewalls to provide defense in depth.
All user access is strongly password protected using NIST (https://www.nist.gov/) standards. Our password policy requires users to use unique passwords for every login, 2-factor authentication or biometrics where possible, use the provided 1Password password manager, and to never share passwords under any circumstances.
At the border, all traffic on our production networks (except for FIX connections) is routed through an AWS Load Balancer, Web Application Firewall and Intrusion Detection System (IDS) loaded with the latest Amazon rules and DDOS protection. Outgoing traffic is also covered as access to our NAT Gateway is via the IDS. Our FIX connections are doubly secured via port-to-port and IP whitelisting.
Within the platform, OpenYield runs a series of firewalls to layer our subnets and provide additional protection. Our software is layered to work with this network architecture. Core subnets and databases are not accessible from the internet at all. Core products, such as the ATS, the trading user interface and data services, are run on separate, firewalled off subnets and treated as separate independent product lines with their own secured storage, application access and databases.
The state of all servers and networks is monitored and alerted by AWS CloudWatch. On top of that, OpenYield Technology has built bespoke platform monitoring and alerting systems, as well as dashboards to observe real-time system performance. If any issue is detected, OpenYield is alerted in our Enterprise Slack platform.
All OpenYield Data is stored behind the AWS firewalls or on our secure Google Workspace. All data is archived for 7 years in Google Vault or Amazon S3. Because we have a small cross-functional team, we have limited role-based security for storage, but strong role-based security for systems.
Given the nature of the platform, we capture, process and store almost no Personally Identifiable Information and where names and emails are needed, they are stored in our siloed databases and secure file storage only.
When building systems, OpenYield designs the appropriate restrictions on any data dissemination directly into the product to meet contractual constraints, including anonymizing derived data before it even gets to our Data Services product to prevent any potential leakage.
OpenYield has a tested Incident Response plan. On an outage or issue, the technology and business team gather to identify, communicate, define, and rapidly rectify the incident. Once done, OpenYield documents the incident in an Incident Response and ensures any issues and mitigations are resolved and implemented quickly.
OpenYield requests, assesses and reviews the CyberSecurity Documentation from our vendors annually. We are primarily exposed to AWS, Google and RBC (our clearinghouse). Any new third-parties require a cyber assessment before we engage them.
On the technology side, OpenYield does use a limited amount of Open Source software. OpenYield practices dependency-limited software development, using only large, supported and proven secure open-source libraries. In some cases, such as on web applications, where stringent risk assessment is unworkable, OpenYield firewalls these servers away from the rest of the business and monitors CISA (https://www.cisa.gov/) vulnerabilities.
To ensure our secure environment:
OpenYield is cloud hosted in AWS and has none of its own routers, switches or servers needing independent physical security. Access to AWS resources is limited to authorized IT personnel, read-only passwords and encrypted connections for support purposes.
OpenYield does allow BYOD (Bring Your Own Device) access for staff devices, however we require (and train) staff to ensure these devices are secure, up-to-date, personal use only, have appropriate biometric security and can be remote wiped. Any OpenYield owned devices are similarly managed.
The biggest CyberSecurity risk to any organization is via their employees. All OpenYield staff are put through CyberSecurity training when they join and this is refreshed annually.
This training covers everything from phishing and malware, through device maintenance and security, access policies, regulatory requirements, allowable communications, data security, insider trading, AML and social networking constraints.
At least annually, OpenYield performs a review of our CyberSecurity, ensuring that
OpenYield Inc.
Copyright © 2025 OpenYield Inc.
All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, mechanical, electronic, photocopying, recording, or otherwise, without prior written permission of OpenYield, Inc. No licenses, express or implied, are granted with respect to any of the technology described in this document. OpenYield, Inc retains all intellectual property rights associated with the technology described in this document.
OPENYIELD INC MAKES NO WARRANTY OR REPRESENTATION, EITHER EXPRESS OR IMPLIED, WITH RESPECT TO THIS DOCUMENT, ITS QUALITY, ACCURACY, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE. AS A RESULT, THIS DOCUMENT IS PROVIDED “AS IS,” AND YOU, THE READER, ARE ASSUMING THE ENTIRE RISK AS TO ITS QUALITY AND ACCURACY.
IN NO EVENT WILL OPENYIELD INC BE LIABLE FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES RESULTING FROM ANY DEFECT, ERROR OR INACCURACY IN THIS DOCUMENT, even if advised of the possibility of such damages.
Some jurisdictions do not allow the exclusion of implied warranties or liability, so the above exclusion may not apply to you.
Our modern bond marketplace enables you to serve clients with modern technology, 100% firm quotes and aggressive pricing. This is the bond market you’ve been waiting for.
Reach out to us today.
