You can trust us with your data
Our data center partners and subprocessors are all GDPR-compliant.
We regularly test our infrastructure for security issues and exploits.
We limit access to specific projects with granular roles and API keys.
We use certified payment processors (Braintree and Stripe) to remain compliant with Payment Card Industry Data Security Standard (PCI) for processing payments for Voucherify subscriptions. In the standard workflow, Voucherify clients do not operate credit cards or payments as Voucherify is not used as a payment processor.
Security is the top priority for Voucherify. We understand that your account may contain sensitive data regarding your marketing campaigns and we’re very protective of it. We have created this page to give you confidence in how we secure the data entrusted to us.
ISO 27001 Certification
Our commitment to keeping your data secure is demonstrated by the ISO/IEC 27001 certification. By following the best practices and all applicable policies that ensure the highest security of your data, we help our clients mitigate a wide range of security threats in order to ensure business continuity, minimize business risks and maximize return on investment.
Data Center Security
Most Voucherify services operate on Amazon servers (AWS). Amazon’s data centers employ a set of advanced physical, network and software security measures to ensure the integrity and safety of customers’ data. Among others, these measures include secure SSL-protected access, multi-factor authentication, and encryption at rest using an AES256 algorithm. All production components used by Voucherify run within a secure AWS VPC.
A part of our infrastructure is hosted on Heroku Private Spaces (HPS). This platform provides a network-level isolated platform with additional trust controls for high compliance: keystroke logging for production access auditing, logging at the space level, encryption at rest for ephemeral data, and strict TLS enforcement.
More on Heroku Security Features.
Services hosted on AWS and HPS operate on private networks. The instances are placed in the same region as the AWS cluster and are connected via an encrypted tunnel, so your data is not transferred over the public Internet at any time.
The access to data centers is limited with granular roles provided by AWS IAM (and a Heroku counterpart). Two-factor authentication provides an extra layer of security to both identity access managers.
Application-level Security
Here is some general information on our security measures. In some places, we don’t want to reveal too much detail so as not to empower the people we are protecting your data against.
- All communications with Voucherify via our web application or APIs are transmitted over TLS (v1.2) connections.
- All customer data is encrypted at rest including: user email addresses, user passwords, and API keys.
- For all customers, data is isolated from each other in separate applications, preventing any leakage or exchange of information.
- Login pages and logins via the Voucherify API have brute force protection.
- Voucherify logs important events in the system for audit and forensic analysis purposes. Audit logs are separate from system logs that track performance and network metrics. Complete audit logs of your Voucherify account may be browsed in the dashboard by users with administrative rights.
- All changes to the code and infrastructure are reviewed to ensure they follow best practices and security guidelines (such as OWASP).
- In our API, we support OAuth authentication and a UI for revoking tokens.
Our system infrastructure is updated regularly with the latest security patches. All of our servers run hardened, patched operating systems. We hold regular penetration audits which test all software components that affect the overall security of the system. On top of that, our team keeps our software and its dependencies up-to-date, eliminating potential security vulnerabilities. These activities are part of the Security Development Lifecycle, a broader process we implemented to assess risk in the platform.
Data Protection
Voucherify is making the commitment to never sell data in Voucherify to third parties, so long as Voucherify exists. Moreover, we adhere to all of the guiding principles of the GDPR that will go live at the end of May 2018. That includes the right:
- To be forgotten.
- To know what data we have.
- Not to process data without consent.
To learn more, visit How to perform GDPR related tasks in your Voucherify account.
Voucherify uses only trusted and reliable vendors. We have signed data processing agreements with all partners who subprocess any of your sensitive data. This approach makes our platform fully GDPR compliant, so you can be certain that your data are neither stored nor processed in a non-secure environment.
Note: Besides AWS and HPS, your end-customer data are not transferred to any 3rd party provider.
If you have any concerns or questions, please email our data protection office at compliance@voucherify.io. And if you want to have your DPA informed about any possible issues with data on your Voucherify account, submit their contact information here.
Note: The signed Data Processing Agreement document can be downloaded here.
Here’s a complete list of data processing and web analytics services used by Voucherify:
- Data processing: Amazon Web Services, Salesforce, Google G Suite.
- Web analytics: Woopra, Google Analytics, Help Scout.
Note: Voucherify undergoes regular PCI Scans performed by ASV Scan. Any uncovered vulnerability is prioritized, resolved, and deployed as soon as possible following discovery.
Data Backups
All the data stored in Voucherify is backed up daily. It’s also replicated across several servers to ensure availability even in the unlikely event of one server going down.
Backup retention:
- User profile data, users’ end-users’ profile data -> last 7 days
- Campaigns’ details (voucher codes and other voucher parameters, campaigns’ parameters) -> last 3 months
Employee Access
Voucherify team access is controlled by a carefully managed and audited security policy. The access rules strictly define which team members can access respective parts of the platform – the access is based on the principle of least privilege. Every access attempt requires two-factor authentication and is tracked by the system. Additionally, our authentication mechanism requires a password policy compliant with PCI, access token rotation, and encrypted access keys stored in a password manager or Amazon KMS. All employees receive tools and training for handling sensitive data (including credentials) and for avoiding social engineering and other non-technical attacks.
Payment Processing
Our payment processor, Braintree, is a validated Level 1 PCI DSS Compliant Service Provider. Additionally, they are on Visa’s Global Compliant Provider List and MasterCard’s SDP List. They conduct regular automated vulnerability scans and have extended external penetration testing conducted by outside sources. No credit card information or related personal information is stored on our servers.
Uptime & Availability
We strive for 99.99% uptime across all our products and to support that, we host our monitoring and logging systems outside of AWS and employ a variety of tools to accurately monitor and report on any anomaly that could impact the delivery of our services.