SOC2 Type I
LoyaltyLion has completed a SOC2 Type I audit as of 31 October 2021.
LoyaltyLion operates a cloud-based network within Amazon Web Services (AWS), which provides secure hosting of network and production systems.
Our platform is hosted and managed in Amazon Web Services (AWS) secure data centers. These data centers have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 – Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
We make significant use of the services provided by AWS to improve privacy and network access control throughout our system. More information on AWS security is available at AWS Services in Scope.
Penetration Testing & Vulnerability Scanning
LoyaltyLion uses security tools & partners to regularly scan for vulnerabilities. Additionally, vulnerabilities in third-party libraries and tools are monitored and software is patched or updated promptly when new issues are reported.
Our last penetration test was conducted in August 2021 by Vumetric.
Our services are protected by firewalls provided by AWS and are not directly exposed to the Internet.
We run a zero-trust corporate network. Being on LoyaltyLion’s corporate network grants no access to corporate resources and no additional privileges.
Mobile Device Management
We use Mobile Device Management (MDM) systems for all LoyaltyLion-owned computers and mobile devices that are used by employees.
Subprocessors and key vendors
We audit our subprocessors and key vendors to ensure they maintain suitable security. Many of our vendors hold SOC2 or similar attestations. More on our subprocessors below.
LoyaltyLion data stores are accessible only by servers that require access. Access keys are stored separately from our source code repository and only available to the systems that require them.
We maintain secure encrypted backups of important data for up to 90 days. We do not retroactively remove deleted data from backups, as we may need to restore it if it was removed accidentally.
Backups are stored in two locations for redundancy purposes.
We store passwords in a form that cannot be retrieved.
We provide user roles with different permission levels within the product: admin, and user, which limits visibility of Personally Identifiable Information (PII).
We use a centralised identity provider to maintain user access to all enterprise systems within the business. This enables LoyaltyLion to quickly grant and revoke access to key systems, and ensure the minimum required privileges are maintained for users.
All LoyaltyLion web traffic is served over HTTPS.
Our primary databases, including backups, are fully encrypted at rest. In addition, data is encrypted in transit. We use industry standard encryption algorithms.
LoyaltyLion has a wide set of security policies covering a range of topics. Our policies are reviewed frequently, shared with employees, and accepted by them.
- Acceptable Use
- Access Control
- Backup and Restoration
- Business Continuity and Disaster Recovery
- Change Management
- Corporate Ethics
- Customer Support and SLA
- Data Retention and Disposal
- Incident Management
- Information Classification
- Information Security
- Key Management and Cryptography
- Mobile Device Management
- Network Security
- Personnel Security
- Risk Assessment
- Server Security
- Software Development
- Vendor Management
- Vulnerability and Penetration Testing Management
- Workstation and Mobile Device
LoyaltyLion has appropriate policies and controls for responding to security events.
Employees are required to review and accept our policies. We track their acceptance on our Security Assurance Platform, Tugboat Logic.
We conduct employee reference checks.
If you have any concerns or discover a security or privacy issue, please email us at email@example.com and we will quickly investigate.
Data Protection Officer
LoyaltyLion has appointed a professional Data Protection Officer, Mark Gracey GDPR, to ensure that it remains current with the data protection requirements of the business.
EU Data Representative
Data Protection Impact Assessment (DPIA)
LoyaltyLion has a DPIA that documents our handling of all your data, including personal data.
Register of Processing Activities
We maintain a register of processing activities from Processor and Controller perspectives.
Data Protection Addendums
We have acquired signed Data Protection Addendums with all of our sub-processors.
Personal Data may include, but is not limited to:
- First and last name
- Contact information (e.g. email, billing address, shipping address, phone number(s))
- Timezone (e.g. user preference or derived from contact information)
- Geolocation of the customer (e.g. city, country, timezone)
- Date of birth
- Purchase history including product description and values