Security overview

Hero Bg

Security frameworks
Infrastructure
Data
Authentication
Encryption
Policies
Privacy
Personal data

Security frameworks

SOC2 Type I

LoyaltyLion’s last SOC2 Type I audit was completed on 31 March 2025

Infrastructure

System architecture

LoyaltyLion operates a cloud-based network within Amazon Web Services (AWS), providing secure hosting for network and production systems.

Data centers

Our platform is hosted and managed with Amazon Web Services (AWS) secure data centers. These data centers have been accredited under:

ISO 27001
SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 – Type II)
PCI Level 1
FISMA Moderate
Sarbanes-Oxley (SOX)

We make significant use of the services provided by AWS to increase privacy and network access throughout our system. More information on AWS security is available at AWS Services in Scope.

Penetration Testing & Vulnerability Scanning

LoyaltyLion uses security tools & partners to regularly scan for vulnerabilities. Additionally, vulnerabilities in third-party libraries and tools are monitored and software is patched or updated promptly when new issues are reported.

Our last penetration test was conducted in August 2025 by Vumetric.

Firewall

Our services are protected by firewalls provided by AWS and not directly exposed to the Internet.

Corporate network

We run a zero-trust corporate network. There are no corporate resources or additional privileges from being on LoyaltyLion’s corporate network.

Mobile Device Management

We utilise Mobile Device Management systems for all computer and mobile assets owned by LoyaltyLion that are utilised by employees.

Subprocessors and key vendors

We audit our subprocessors and key vendors to ensure they maintain suitable security. Many of our vendors have SOC2 or similar. More on our subprocessors below.

Data

Data storage

LoyaltyLion data stores are accessible only by servers that require access. Access keys are stored separately from our source code repository and are only available to the systems that require them.

Backups

We maintain secure, encrypted backups of important data for up to 90 days. We do not retroactively remove deleted data from backups, as we may need to restore it if removed accidentally.

Backups are stored in two locations for redundancy purposes.

Authentication

Passwords

We store passwords in a form that cannot be retrieved.

User roles

We provide user roles with different permission levels within the product, admin, and user, which limit visibility of Personally Identifiable Information (PII).

Single Sign-On

We use a centralised identity provider to maintain user access to all enterprise systems within the business. This enables LoyaltyLion to quickly grant and revoke access to key systems and ensure the minimum required privileges are maintained for users.

Encryption

HTTPS

All LoyaltyLion web traffic is served over HTTPS.

Encryption

Our primary databases, including backups, are fully encrypted at rest. In addition, data is encrypted in transit. We use industry-standard encryption algorithms.

Policies

LoyaltyLion has a wide set of security policies covering a range of topics. Our policies are reviewed frequently, shared with, and accepted by employees.

Policies include:

Acceptable Use
Access Control
Backup and Restoration
Business Continuity and Disaster Recovery
Change Management
Corporate Ethics
Customer Support and SLA
Data Retention and Disposal
Incident Management
Information Classification
Information Security
Key Management and Cryptography
Mobile Device Management
Network Security
Personnel Security
Risk Assessment
Server Security
Software Development
Vendor Management
Vulnerability and Penetration Testing Management
Workstation and Mobile Device

Incident response

LoyaltyLion has appropriate policies and controls for responding to security events.

Security training

Employees are required to review and accept our policies. We track their acceptance on our Security Assurance Platform, Tugboat Logic.

Employee vetting

We conduct employee reference checks.

PCI compliance

All credit card payments made to LoyaltyLion are processed by our partner, Stripe. More information about Stripe’s security posture and PCI compliance can be found on their Security page.

Disclosure

If you have any concerns or discover a security or privacy issue, please email us at privacy@loyaltylion.com, and we will quickly investigate.

Privacy

Data Protection Officer
LoyaltyLion has appointed a professional Data Protection Officer, Mark Gracey GDPR, to ensure that it remains current with the data protection requirements of the business.
EU & Swiss Data Representative
For our EU Data Subjects, we have appointed an EU Data Representative, DataRep. EU Data Subjects can submit enquiries to our EU Data Representative, here.
Data Protection Impact Assessment (DPIA)
LoyaltyLion has a DPIA that documents our handling of all your data, including personal data.
Register of Processing Activities
We maintain a register of processing activities from Processor and Controller perspectives.
Data Protection Addendums
We have acquired signed Data Protection Addendums with all of our sub-processors.

Personal data

Personal Data may include, but is not limited to:

First and last name
Contact information (e.g. email, billing address, shipping address, ‘phone number(s))
Suffix
Timezone (e.g. user preference or derived from contact information)
Geolocation of the customer (e.g city, country, timezone)
Date of birth
Purchase history, including product description and values

Got questions? Let’s talk

Rated #1 for loyalty on G2 and trusted by brands worldwide for over 10 years, let’s scale your business together. Get in touch today!

Talk to us