Security overview
Security frameworks
SOC2 Type I
LoyaltyLion’s last SOC2 Type I audit was completed on 31 March 2024.
Infrastructure
System architecture
LoyaltyLion operates a cloud-based network within Amazon Web Services (AWS), which provides secure hosting of network and production systems.
Data centers
Our platform is hosted in and managed within Amazon Web Services (AWS) secure data centers. These data centers have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 – Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
We make significant use of the services provided by AWS to increase privacy and network access throughout our system. More information on AWS security is available at AWS Services in Scope.
Penetration Testing & Vulnerability Scanning
LoyaltyLion uses security tools & partners to regularly scan for vulnerabilities. Additionally, vulnerabilities in third-party libraries and tools are monitored and software is patched or updated promptly when new issues are reported.
Our last penetration test was conducted May 2024 by Vumetric.
Firewall
Our services are protected by firewalls provided by AWS and are not directly exposed to the Internet.
Corporate network
We run a zero-trust corporate network. Being on LoyaltyLion’s corporate network grants no access to corporate resources and no additional privileges.
Mobile Device Management
We utilise Mobile Device Management systems for all computer and mobile assets owned by LoyaltyLion that are utilised by employees.
Subprocessors and key vendors
We audit our subprocessors and key vendors to ensure they maintain suitable security. Many of our vendors hold SOC2 attestations or similar. More on our subprocessors below.
Data
Data storage
LoyaltyLion data stores are accessible only by servers that require access. Access keys are stored separately from our source code repository and only available to the systems that require them.
Backups
We maintain secure encrypted backups of important data for up to 90 days. We do not retroactively remove deleted data from backups, as we may need to restore it if it was removed accidentally.
Backups are stored in two locations for redundancy purposes.
Authentication
Passwords
We store passwords in a form that cannot be retrieved.
User roles
We provide user roles with different permission levels within the product: Admin, and User, which limits visibility of Personally Identifiable Information (PII).
Single Sign-On
We use a centralised identity provider to manage user access to all enterprise systems within the business. This enables LoyaltyLion to quickly grant and revoke access to key systems and to ensure that users retain only the minimum required privileges.
Encryption
HTTPS
All LoyaltyLion web traffic is served over HTTPS.
Encryption
Our primary databases, including backups, are fully encrypted at rest. In addition, data is encrypted in transit. We use industry-standard encryption algorithms.
Policies
Policies
LoyaltyLion has a wide set of security policies covering a range of topics. Our policies are reviewed frequently, and are shared with and accepted by employees.
Policies include:
- Acceptable Use
- Access Control
- Backup and Restoration
- Business Continuity and Disaster Recovery
- Change Management
- Corporate Ethics
- Customer Support and SLA
- Data Retention and Disposal
- Incident Management
- Information Classification
- Information Security
- Key Management and Cryptography
- Mobile Device Management
- Network Security
- Personnel Security
- Risk Assessment
- Server Security
- Software Development
- Vendor Management
- Vulnerability and Penetration Testing Management
- Workstation and Mobile Device
Incident response
LoyaltyLion has appropriate policies and controls for responding to security events.
Security training
Employees are required to review and accept our policies. We track their acceptance on our Security Assurance Platform, Tugboat Logic.
Employee vetting
We conduct employee reference checks.
PCI compliance
All credit card payments made to LoyaltyLion are processed by our partner, Stripe. More information about Stripe’s security posture and PCI compliance can be found at their Security page.
Disclosure
If you have any concerns or discover a security or privacy issue, please email us at privacy@loyaltylion.com and we will quickly investigate.
Privacy
Data Protection Officer
LoyaltyLion has appointed a professional Data Protection Officer, Mark Gracey GDPR, to ensure that it remains current with the data protection requirements of the business.
EU & Swiss Data Representative
For our EU Data Subjects, we have appointed an EU Data Representative, DataRep. EU Data Subjects can submit enquiries to our EU Data Representative, here.
Data Protection Impact Assessment (DPIA)
LoyaltyLion has a DPIA that documents our handling of all your data, including personal data.
Register of Processing Activities
We maintain a register of processing activities from Processor and Controller perspectives.
Data Protection Addendums
We have acquired signed Data Protection Addendums with all of our sub-processors.
Personal data
Personal Data may include, but is not limited to:
- First and last name
- Contact information (e.g. email, billing address, shipping address, phone number(s))
- Suffix
- Timezone (e.g. user preference or derived from contact information)
- Geolocation of the customer (e.g. city, country, timezone)
- Date of birth
- Purchase history including product description and values