We're commited to keeping your data secure, your private information private, and being transparent about our practices as a bussinnes
Security is the top priority for Voucherify. We understand that your account may contain sensitive data regarding your marketing campaigns and we’re very protective of it. We have created this page to give you confidence in how we secure the data entrusted to us.
Most Voucherify services operate on Amazon servers (AWS). Amazon’s data centers employ a set of advanced physical, network and software security measures to ensure integrity and safety of customers’ data. Among others, these measures include: secure SSL protected access, multi-factor authentication, encryption at rest using an AES256 algorithm. All production components used by Voucherify run within a secure AWS VPC.
A part of our infrastructure is hosted on Heroku Private Spaces (HPS). This platform provides a network-level isolated platform with additional trust controls for high compliance: keystroke logging for production access auditing, logging at the space level, encryption at rest for ephemeral data, and strict TLS enforcement.
Services hosted on AWS and HPS operate on private networks. The instances are placed in the same region as the AWS cluster and are connected via an encrypted tunnel, so your data is not transferred over public Internet at any time.
The access to data centers is limited with granular roles provided by AWS IAM (and a Heroku counterpart). Two-factor authentication provides an extra layer of security to both identity access managers.
Here is some general information on our security measures. In some places, we don’t want to reveal too much detail so as not to empower people we are protecting your data against.
** - For some time to come, we’ll be maintaining TLS 1.0 and 1.1, but they’re both deprecated and won’t be supported in the long run.
Our system infrastructure is updated regularly with the latest security patches. All of our servers run hardened patched operating systems. We hold regular penetration audits which test all software components that affect the overall security of the system. On top of that, our team keeps our software and its dependencies up-to-date, eliminating potential security vulnerabilities. These activities are part of Security Development Lifecycle, a broader process we implemented to assess risk in the platform.
Voucherify is making the commitment to never sell data in Voucherify to third parties, so long as Voucherify exists. Moreover, we adhere to all of the guiding principles of the GDPR that will go live at the end of May 2018. That includes the right:
To learn more, visit "How to perform GDPR related tasks” in your Voucherify account
Voucherify uses only trusted and reliable vendors. We have signed data processing agreements with all partners who subprocess any of your sensitive data. This approach makes our platform fully GDPR compliant, so you can be certain that your data are neither stored nor processed in a non-secure environment.
Note: Besides AWS and HPS, your end-customer data are not transferred to any 3rd party provider.
If you have any concerns or questions, please email our data protection office at firstname.lastname@example.org. And if you want to have your DPA informed about any possible issues with data on your Voucherify account, submit their contact information here.
Note: The signed Data Processing Agreement document can be downloaded here.
Here’s a complete list of data processing and web analytics services used by Voucherify:
Note: Voucherify undergoes regular PCI Scans performed by ASV Scan. Any uncovered vulnerability is prioritized, resolved, and deployed as soon as possible following discovery.
All the data stored in Voucherify is backed up daily. It’s also replicated across several servers to ensure availability even in the unlikely event of one server going down.
Voucherify team access is controlled by a carefully managed and audited security policy. The access rules strictly define which team members can access respective parts of the platform - the access is based on the principle of least privilege. Every access endeavor requires two-factor authentication and is tracked by the system. Additionally, our authentication mechanism requires a password policy compliant with PCI, access tokens rotation, and encrypted access keys stored in a password manager or Amazon KMS. All employees receive tools and training for handling sensitive data (including credentials) and for avoiding social engineering and other non-technical attacks.
Our payment processor, Braintree, is a validated Level 1 PCI DSS Compliant Service Provider. Additionally, they are on Visa’s Global Compliant Provider List and MasterCard’s SDP List. They conduct regular automated vulnerability scans and have extended external penetration testing conducted by outside sources. No credit card information or related personal information is stored on our servers.
We strive for 99.99% uptime across all our products and to support that, we host our monitoring and logging systems outside of AWS and employ a variety of tools to accurately monitor and report on any anomaly that could impact the delivery of our services.