Security overview

Security frameworks

 

SOC2 Type I

LoyaltyLion has completed a SOC2 Type I audit as of 31 October 2021.

 

Infrastructure

 

System architecture

LoyaltyLion operates a cloud-based network within Amazon Web Services (AWS), which provides secure hosting of network and production systems.

Data centers

Our platform is hosted and managed with Amazon Web Services (AWS) secure data centers. These data centers have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 – Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

We make extensive use of AWS services to improve privacy and control network access throughout our system. More information on AWS security is available at AWS Services in Scope.

Penetration Testing & Vulnerability Scanning

LoyaltyLion uses security tools & partners to regularly scan for vulnerabilities. Additionally, vulnerabilities in third-party libraries and tools are monitored and software is patched or updated promptly when new issues are reported.

Our last penetration test was conducted August 2021 by Vumetric.

Firewall

Our services are protected by firewalls provided by AWS and are not directly exposed to the Internet.

Corporate network

We run a zero-trust corporate network. There are no corporate resources or additional privileges from being on LoyaltyLion’s corporate network.

Mobile Device Management

We utilise Mobile Device Management systems for all computer and mobile assets owned by LoyaltyLion that are utilised by employees.

Subprocessors and key vendors

We audit our subprocessors and key vendors to ensure they maintain suitable security. Many of our vendors hold SOC2 or similar attestations. More on our subprocessors below.

 

Data

Data storage

LoyaltyLion data stores are accessible only by servers that require access. Access keys are stored separately from our source code repository and only available to the systems that require them.

Backups

We maintain secure encrypted backups of important data for up to 90 days. We do not retroactively remove deleted data from backups, as we may need to restore it if it was removed accidentally.

Backups are stored in two locations for redundancy purposes.

 

Authentication

Passwords

We store passwords in a form that cannot be retrieved.

User roles

We provide user roles with different permission levels within the product: Admin, and User, which limits visibility of Personally Identifiable Information (PII).

Single Sign-On

We use a centralised identity provider to maintain user access to all enterprise systems within the business. This enables LoyaltyLion to quickly grant and revoke access to key systems, and ensure the minimum required privileges are maintained for users.

 

Encryption

HTTPS

All LoyaltyLion web traffic is served over HTTPS.

Encryption

Our primary databases, including backups, are fully encrypted at rest. In addition, data is encrypted in transit. We use industry-standard encryption algorithms.

 

Policies

Policies

LoyaltyLion has a wide set of security policies covering a range of topics. Our policies are reviewed frequently, shared with, and accepted by employees.

Policies include:

  • Acceptable Use
  • Access Control
  • Backup and Restoration
  • Business Continuity and Disaster Recovery
  • Change Management
  • Corporate Ethics
  • Customer Support and SLA
  • Data Retention and Disposal
  • Incident Management
  • Information Classification
  • Information Security
  • Key Management and Cryptography
  • Mobile Device Management
  • Network Security
  • Personnel Security
  • Risk Assessment
  • Server Security
  • Software Development
  • Vendor Management
  • Vulnerability and Penetration Testing Management
  • Workstation and Mobile Device

Incident response

LoyaltyLion has appropriate policies and controls for responding to security events.

Security training

Employees are required to review and accept our policies. We track their acceptance on our Security Assurance Platform, Tugboat Logic.

Employee vetting

We conduct employee reference checks.

PCI compliance

All credit card payments made to LoyaltyLion are processed by our partner, Stripe. More information about Stripe's security posture and PCI compliance can be found at their Security page.

Disclosure

If you have any concerns or discover a security or privacy issue, please email us at privacy@loyaltylion.com and we will quickly investigate.

 

Privacy

Data Protection Officer

LoyaltyLion has appointed a professional Data Protection Officer, Mark Gracey GDPR, to ensure that it remains current with the data protection requirements of the business.

EU Data Representative

For our EU Data Subjects, we have appointed an EU Data Representative, DataRep. EU Data Subjects can submit enquiries to our EU Data Representative, here.

Data Protection Impact Assessment (DPIA)

LoyaltyLion has a DPIA that documents our handling of all your data, including personal data.

Register of Processing Activities

We maintain a register of processing activities from Processor and Controller perspectives.

Data Protection Addendums

We have acquired signed Data Protection Addendums with all of our sub-processors.

Personal data

Personal Data may include, but is not limited to:

  • First and last name
  • Contact information (e.g. email, billing address, shipping address, phone number(s))
  • Suffix
  • Timezone (e.g. user preference or derived from contact information)
  • Geolocation of the customer (e.g. city, country, timezone)
  • Date of birth
  • Purchase history including product description and values