LoyaltySurf Security

Protecting and securing data at LoyaltySurf is our top priority.

Infrastructure

System architecture

LoyaltySurf’s architecture is designed to be secure and reliable.

We require the use of a firewall and whitelisted IP addresses, and use network load balancers to optimize the bandwidth available per server. We regularly monitor incoming and outgoing data using network and graph analytics provided by third-party tools, such as Google Cloud Platform, Digital Ocean, and DataDog. We use networking tools such as Cloudflare for firewall and whitelisting utilities that prevent, minimize, and alert on network attacks.

Services are accessible only by other services that require access. Access keys are rotated regularly and stored separately from our code and data.

Data centers

Our application is hosted and managed within Digital Ocean (DO) secure data centers. These data centers have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2
  • PCI-DSS

We make extensive use of the capabilities and services provided by DO to increase privacy and control network access throughout our system. You may view Digital Ocean Trust Certificates here.

Vulnerability scans

LoyaltySurf uses security tools to continuously scan for vulnerabilities. Additionally, vulnerabilities in third-party libraries and tools are monitored and software is patched or updated promptly when new issues are reported.

Firewall and Security

Our servers are protected by firewalls and not directly exposed to the Internet.

Corporate network

LoyaltySurf runs a zero-trust corporate network. There are no corporate resources or additional privileges from being on LoyaltySurf’s corporate network.

Data

Data storage

LoyaltySurf data stores are accessible only by servers that require access. Access keys are stored separately from our source code repository and only available to the systems that require them. Additionally, production environments are sandboxed from testing environments.

For more information, please see the section PERSONAL INFORMATION WE COLLECT ABOUT USERS AND PARTICIPANTS in our Privacy Policy.

Our servers are located in the states of California and Oregon, United States of America, unless our customer agreements specify otherwise. We utilize cloud providers like Google Cloud and Digital Ocean.

Backups

For data storage, we retain daily backups. Data is retained for 30 to 60 days, depending on the subprocessor. We do not retroactively remove deleted data from backups, as we may need to restore it if it was deleted accidentally.

Logs

We aggregate logs to secure encrypted storage. All sensitive information (including passwords, API keys, and security questions) is filtered from our server logs.
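The filtering step described above, as an added example (this is not LoyaltySurf's code): a small redaction pass run over each log line before it is shipped to aggregated storage. It assumes log lines are either a JSON object or free text with key=value / key: value pairs; the sensitive field names and the sample lines are constructed for illustration and are not from the page.

```python
"""Added example, not LoyaltySurf's code: strip sensitive values from server
log lines before they reach aggregated storage.

Assumptions (none of these come from the page): log lines are either a JSON
object or free text with key=value / key: value pairs, and the sensitive field
names below are an illustrative set.
"""
import json
import re

# Substrings that mark a field as sensitive; passwords, API keys and security
# questions are the page's examples, the rest are common additions (assumed).
_SENSITIVE = r"password|passwd|api[_-]?key|secret|token|security_(?:question|answer)"
_SENSITIVE_RE = re.compile(_SENSITIVE, re.IGNORECASE)

# key=value or key: value in free-text lines; the value runs up to the next
# whitespace, comma or semicolon.
_KV_RE = re.compile(
    r"([\w-]*(?:" + _SENSITIVE + r")[\w-]*)(\s*[=:]\s*)([^\s,;]+)",
    re.IGNORECASE,
)
REDACTED = "[REDACTED]"


def is_sensitive(key: str) -> bool:
    """True if the field name contains one of the sensitive markers."""
    return _SENSITIVE_RE.search(key) is not None


def _redact_obj(obj):
    """Recursively redact sensitive keys in a parsed JSON structure."""
    if isinstance(obj, dict):
        return {k: (REDACTED if is_sensitive(k) else _redact_obj(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [_redact_obj(v) for v in obj]
    return obj


def redact_line(line: str) -> str:
    """Return the log line with sensitive values replaced by a placeholder.

    JSON lines are parsed and re-serialised so nested keys are covered;
    anything else is treated as free text with key=value pairs.
    """
    stripped = line.strip()
    if stripped.startswith("{"):
        try:
            return json.dumps(_redact_obj(json.loads(stripped)), sort_keys=True)
        except json.JSONDecodeError:
            pass  # not valid JSON after all; fall back to the text path
    return _KV_RE.sub(lambda m: m.group(1) + m.group(2) + REDACTED, line)


def redact_stream(lines):
    """Apply redact_line to every line on the way to the log aggregator."""
    return [redact_line(ln) for ln in lines]


if __name__ == "__main__":
    # Constructed sample lines, not real log data.
    sample = [
        "2024-01-01T00:00:00Z login user=alice password=hunter2 ip=10.0.0.5",
        '{"event": "webhook", "client_secret": "abc123", "meta": {"token": "t1"}}',
        "GET /api/v1/health 200",
    ]
    for out in redact_stream(sample):
        print(out)
```

The redaction is deliberately keyed on field names rather than on value patterns, so a secret that happens to look like ordinary text is still removed; the trade-off is that a sensitive value logged under an unlisted key passes through, which is why the marker list should be reviewed whenever a new credential type is introduced.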

Processing

LoyaltySurf processes data only to fulfill its obligations as related to the Services outlined in our Terms of Service. All personal information for LoyaltySurf users and participants is shared to the minimal extent. Please see the section HOW AND WHY WE USE YOUR PERSONAL INFORMATION in our Privacy Policy.

Sharing with third parties

We only share data with the vendors listed in the subprocessors section on the LoyaltySurf GDPR Portal.

Breaches

Our internal GDPR and CCPA Compliance processes cover protocols for data breaches, user policies, and more.

Authentication

Passwords

We never store passwords in a form that can be retrieved. Instead, we store an irreversible cryptographic hash using a function specifically designed for this purpose. Authentication sessions are invalidated when users change key information and sessions automatically expire after a period of inactivity.
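The two mechanisms in the paragraph above, irreversible password hashing and session invalidation on key changes or inactivity, as an added example (not LoyaltySurf's code). It assumes PBKDF2-HMAC-SHA256 with 600,000 iterations, chosen because it ships with every CPython build (memory-hard functions such as scrypt or Argon2id are preferable where available), a 30-minute idle timeout, and an in-memory session store; none of these specifics come from the page.

```python
"""Added example, not LoyaltySurf's code: password storage with a purpose-built
key-derivation function, plus sessions that expire on inactivity and are
invalidated when a user's key information changes.

Assumptions (not from the page): PBKDF2-HMAC-SHA256 with 600,000 iterations,
a 30-minute idle timeout and an in-memory session store are illustrative.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000     # assumed cost; raise as hardware gets faster
IDLE_TIMEOUT_SECONDS = 30 * 60  # assumed inactivity window


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive an irreversible hash; a fresh random salt is generated per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=32)
    return "$".join([
        "pbkdf2_sha256", str(PBKDF2_ITERATIONS),
        base64.b64encode(salt).decode(), base64.b64encode(digest).decode(),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    iterations = int(parts[1])
    salt = base64.b64decode(parts[2])
    expected = base64.b64decode(parts[3])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=len(expected))
    return hmac.compare_digest(digest, expected)


class SessionStore:
    """Sessions carry the credential version they were issued under.

    Bumping a user's version (on password or e-mail change) invalidates every
    session that user already holds; idle sessions expire on their own.
    """

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._sessions = {}      # token -> [user_id, cred_version, last_seen]
        self._cred_version = {}  # user_id -> int

    def create(self, user_id: str, now: float) -> str:
        """Issue a random session token bound to the user's current credential version."""
        token = base64.urlsafe_b64encode(os.urandom(32)).decode().rstrip("=")
        self._sessions[token] = [user_id, self._cred_version.get(user_id, 0), now]
        return token

    def validate(self, token: str, now: float):
        """Return the user id for a live session, or None (and drop the session)."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, version, last_seen = entry
        stale = now - last_seen > self.idle_timeout
        superseded = version != self._cred_version.get(user_id, 0)
        if stale or superseded:
            del self._sessions[token]
            return None
        entry[2] = now  # activity extends the session
        return user_id

    def on_key_change(self, user_id: str) -> None:
        """Call after a password or e-mail change; existing sessions stop validating."""
        self._cred_version[user_id] = self._cred_version.get(user_id, 0) + 1
```

Storing the iteration count alongside the hash lets the cost be raised later without breaking existing records, and the constant-time comparison avoids leaking how many leading bytes of a guess matched.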

Monitoring

We monitor and rate limit authentication attempts on all accounts.
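Rate limiting with monitoring, as an added example of the control described above (not LoyaltySurf's code). It assumes that five failures within five minutes lock a key for fifteen minutes, that a key may be an account id or a source address so the same limiter is instantiated once per dimension, and that alerts are collected in a list standing in for a real alerting pipeline; the `password_ok` flag stands in for the credential check itself. None of these details come from the page.

```python
"""Added example, not LoyaltySurf's code: rate limiting of authentication
attempts with monitoring.

Assumptions (not from the page): thresholds, lockout duration and the
in-memory alert list are illustrative.
"""
from collections import defaultdict, deque


class AuthRateLimiter:
    def __init__(self, max_attempts: int = 5, window: int = 300, lockout: int = 900):
        self.max_attempts = max_attempts
        self.window = window      # seconds over which failures are counted
        self.lockout = lockout    # seconds a key stays blocked after the limit
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time the lock lifts
        self.alerts = []                     # events for the monitoring side

    def _prune(self, key: str, now: float) -> None:
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def allowed(self, key: str, now: float) -> bool:
        """Should an authentication attempt for this key be processed at all?"""
        until = self._locked_until.get(key)
        if until is not None:
            if now < until:
                return False
            del self._locked_until[key]      # lock expired; start fresh
            self._failures[key].clear()
        self._prune(key, now)
        return len(self._failures[key]) < self.max_attempts

    def record_failure(self, key: str, now: float) -> None:
        """Count a failed attempt; trip the lock and raise an alert at the limit."""
        self._prune(key, now)
        q = self._failures[key]
        q.append(now)
        if len(q) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout
            self.alerts.append({"key": key, "at": now,
                                "failures_in_window": len(q),
                                "locked_until": now + self.lockout})

    def record_success(self, key: str) -> None:
        """A successful login clears the failure history for the key."""
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(limiter_by_account, limiter_by_ip, account, ip, password_ok, now):
    """Gate an attempt on both dimensions and record the outcome.

    Returns "locked", "failed" or "ok". password_ok stands in for the real
    credential check (assumed to be done elsewhere).
    """
    if not (limiter_by_account.allowed(account, now) and limiter_by_ip.allowed(ip, now)):
        return "locked"
    if not password_ok:
        limiter_by_account.record_failure(account, now)
        limiter_by_ip.record_failure(ip, now)
        return "failed"
    limiter_by_account.record_success(account)
    limiter_by_ip.record_success(ip)
    return "ok"
```

Limiting per account and per source address separately matters because each catches what the other misses: one address spraying many accounts, and one account attacked from many addresses. The alert records are what a monitoring pipeline would consume to spot either pattern.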

User roles

We provide multiple user roles with different permission levels within the product. Roles range from account owners to admins, users, and roles that limit visibility of Personally Identifiable Information (PII).

Encryption

HTTPS

All LoyaltySurf web traffic is served over HTTPS. We force HTTPS for all web resources, including our REST API, web app and public website. We also use HSTS to ensure that browsers communicate with our services using HTTPS exclusively.
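The HTTPS-only behaviour described above, as an added example (not LoyaltySurf's code): a small WSGI layer that redirects plain HTTP and sends HSTS on HTTPS responses, plus a checker a defender can run over a response's headers. It assumes a one-year max-age with includeSubDomains and that the application sits behind a proxy that sets X-Forwarded-Proto; those are illustrative choices, not details from the page.

```python
"""Added example, not LoyaltySurf's code: force HTTPS and emit HSTS, with a
header check for verifying the deployment.

Assumptions (not from the page): the HSTS policy value below and the
X-Forwarded-Proto header from an upstream proxy.
"""
ONE_YEAR = 31536000
HSTS_POLICY = f"max-age={ONE_YEAR}; includeSubDomains"  # assumed policy


def transport_decision(scheme: str, host: str, path: str, headers=None):
    """Return (status, headers) for a request seen over the given scheme.

    Browsers ignore Strict-Transport-Security received over plain HTTP
    (RFC 6797), so the header is only attached on the HTTPS path; the HTTP
    path just redirects to the HTTPS equivalent.
    """
    headers = dict(headers or {})
    if scheme.lower() != "https":
        return "301 Moved Permanently", {"Location": f"https://{host}{path}"}
    headers["Strict-Transport-Security"] = HSTS_POLICY
    return "200 OK", headers


def https_only(app):
    """WSGI middleware applying transport_decision around an application."""
    def wrapped(environ, start_response):
        scheme = environ.get("HTTP_X_FORWARDED_PROTO",
                             environ.get("wsgi.url_scheme", "http"))
        host = environ.get("HTTP_HOST", "")
        path = environ.get("PATH_INFO", "/")
        status, extra = transport_decision(scheme, host, path)
        if status.startswith("301"):
            start_response(status, list(extra.items()))
            return [b""]

        def start_with_hsts(inner_status, inner_headers, exc_info=None):
            return start_response(inner_status,
                                  list(inner_headers) + list(extra.items()),
                                  exc_info)
        return app(environ, start_with_hsts)
    return wrapped


def parse_hsts(value: str) -> dict:
    """Parse an HSTS header value into its directives."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                out["max_age"] = int(d[len("max-age="):])
            except ValueError:
                pass  # malformed max-age is treated as absent
        elif d == "includesubdomains":
            out["include_subdomains"] = True
        elif d == "preload":
            out["preload"] = True
    return out


def hsts_ok(headers: dict, min_age: int = ONE_YEAR) -> bool:
    """Defender-side check: is HSTS present with a sufficiently long max-age?"""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False
    parsed = parse_hsts(value)
    return parsed["max_age"] is not None and parsed["max_age"] >= min_age
```

The check function is the part worth keeping in a deployment pipeline: it fails when the header is missing, malformed, or carries a max-age shorter than the intended policy, which is how a misconfigured proxy silently weakens an otherwise correct setup.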

Encryption

We encrypt all data in transit over the HTTPS network protocol.

Certain sensitive information, such as third-party API keys and webhook secrets, is encrypted at rest via SHA-256.

Policies

Policies

LoyaltySurf has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with employees.

Topics include, but are not limited to, general internal protocols and password, security and network policies for LoyaltySurf employees, including the handling of sensitive customer data.

Incident response

LoyaltySurf has a defined protocol for responding to security events.

Security training

All employees complete security training when they join and receive ongoing refresher training.

Employee vetting

LoyaltySurf performs background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for US employees.

Confidentiality

All employees have signed a confidentiality agreement with LoyaltySurf.

PCI compliance

All credit card payments paid to LoyaltySurf go through our payment processing partner, Stripe. Details about their security posture and PCI compliance can be found at Stripe’s Security page.

Disclosure

If you have any concerns or discover a security issue, please contact us directly. Our Security team will acknowledge receipt of each vulnerability report, conduct a thorough investigation, and then take appropriate action for resolution. We request that you do not publicly disclose any issue you discovered until after we have addressed it.

Other

Business continuity process

Our internal Business Continuity Process (BCP) outlines protocols in the event of a disruption to normal operations.

Disaster recovery process

Our internal Disaster Recovery Process (DRP) outlines protocols to restore data in the event of disasters.

Security questionnaire request policy

Please note, LoyaltySurf only accommodates security questionnaire requests, modified DPA requests, or any other legal/vendor requirements for customers on our annual plans. If you have bespoke legal and compliance needs, please get in touch with sales.