Policies and Procedures

We're committed to keeping your data secure, your private information private, and being transparent about our practices as a business.

Security policy

You can trust us with your data

Our data center partners and subprocessors are all GDPR compliant
We regularly test our infrastructure for security issues and exploits
We limit access to specific projects with granular roles and API keys
In compliance with Payment Card Industry Data Security Standard (in progress)

Security is the top priority for Voucherify. We understand that your account may contain sensitive data regarding your marketing campaigns and we’re very protective of it. We have created this page to give you confidence in how we secure the data entrusted to us.

Data Center Security

Most Voucherify services operate on Amazon servers (AWS). Amazon’s data centers employ a set of advanced physical, network and software security measures to ensure the integrity and safety of customers’ data. Among others, these measures include secure SSL-protected access, multi-factor authentication, and encryption at rest using the AES-256 algorithm. All production components used by Voucherify run within a secure AWS VPC.

More on AWS Security Center

Part of our infrastructure is hosted on Heroku Private Spaces (HPS). This platform provides network-level isolation with additional trust controls for high compliance: keystroke logging for production access auditing, logging at the space level, encryption at rest for ephemeral data, and strict TLS enforcement.

More on Heroku Security Features

Services hosted on AWS and HPS operate on private networks. The instances are placed in the same region as the AWS cluster and are connected via an encrypted tunnel, so your data is not transferred over the public Internet at any time.

Access to the data centers is limited by granular roles provided by AWS IAM (and a Heroku counterpart). Two-factor authentication provides an extra layer of security to both identity access managers.

Application Level Security

Here is some general information on our security measures. In some places, we don’t want to reveal too much detail so as not to empower the people we are protecting your data against.

  • All communications with Voucherify via our web application or APIs are transmitted over TLS (v1.2**) connections.
  • All customer data is encrypted at rest including: user email addresses, user passwords, and API keys.
  • For all customers, data is isolated from each other in separate applications, preventing any leakage or exchange of information.
  • Login pages and logins via the Voucherify API have brute force protection.
  • Voucherify logs important events in the system for audit and forensic analysis purposes. Audit logs are separate from system logs that track performance and network metrics. Complete audit logs of your Voucherify account may be browsed in the dashboard by users with administrative rights.
  • All changes to the code and infrastructure are reviewed to ensure they follow best practices and security guidelines (such as OWASP).
  • In our API, we support OAuth authentication and a UI for revoking tokens.

** For some time to come, we’ll be maintaining TLS 1.0 and 1.1, but they’re both deprecated and won’t be supported in the long run.

Our system infrastructure is updated regularly with the latest security patches. All of our servers run hardened, patched operating systems. We hold regular penetration audits which test all software components that affect the overall security of the system. On top of that, our team keeps our software and its dependencies up to date, eliminating potential security vulnerabilities. These activities are part of the Security Development Lifecycle, a broader process we implemented to assess risk in the platform.

Data Protection

Voucherify is making the commitment to never sell data in Voucherify to third parties, so long as Voucherify exists. Moreover, we adhere to all of the guiding principles of the GDPR that will go live at the end of May 2018. That includes the right:

  • to be forgotten,
  • to know what data we have,
  • to not process data without consent.

To learn more, visit “How to perform GDPR related tasks” in your Voucherify account.

Voucherify uses only trusted and reliable vendors. We have signed data processing agreements with all partners who subprocess any of your sensitive data. This approach makes our platform fully GDPR compliant, so you can be certain that your data are neither stored nor processed in a non-secure environment.

Note: Besides AWS and HPS, your end-customer data are not transferred to any 3rd party provider.

If you have any concerns or questions, please email our data protection office at compliance@voucherify.io. And if you want to have your DPA informed about any possible issues with data on your Voucherify account, submit their contact information here.

Note: The signed Data Processing Agreement document can be downloaded here.

Here’s a complete list of data processing and web analytics services used by Voucherify:

  • Data processing: Amazon Web Services, Salesforce, Google G Suite
  • Web analytics: Woopra, Google Analytics, Help Scout

Note: Voucherify undergoes regular PCI Scans performed by ASV Scan. Any uncovered vulnerability is prioritized, resolved, and deployed as soon as possible following discovery.

Data Backups

All the data stored in Voucherify is backed up daily. It’s also replicated across several servers to ensure availability even in the unlikely event of one server going down.

Backup retention:

  • User profile data, users’ end-user profile data -> last 7 days
  • Campaigns’ details (voucher codes and other voucher parameters, campaigns’ parameters) -> last 3 months

Employee Access

Voucherify team access is controlled by a carefully managed and audited security policy. The access rules strictly define which team members can access respective parts of the platform; access is based on the principle of least privilege. Every access attempt requires two-factor authentication and is tracked by the system. Additionally, our authentication mechanism requires a password policy compliant with PCI, access token rotation, and encrypted access keys stored in a password manager or Amazon KMS. All employees receive tools and training for handling sensitive data (including credentials) and for avoiding social engineering and other non-technical attacks.

Payment Processing

Our payment processor, Braintree, is a validated Level 1 PCI DSS Compliant Service Provider. Additionally, they are on Visa’s Global Compliant Provider List and MasterCard’s SDP List. They conduct regular automated vulnerability scans and have extended external penetration testing conducted by outside sources. No credit card information or related personal information is stored on our servers.

Uptime & Availability

We strive for 99.99% uptime across all our products. To support that, we host our monitoring and logging systems outside of AWS and employ a variety of tools to accurately monitor and report on any anomaly that could impact the delivery of our services.

Additional information