Six interconnected capability layers — all API-first, all self-service, and all built to the engineering standards that regulated industries and large-scale operations actually require.
The LoyaltyOS ledger is append-only and immutable. Every accrual, conversion, redemption, expiry, and manual adjustment creates a LedgerEntry row — no entry is ever updated or deleted. Balance is derived from a snapshot query, not a mutable field. Competitors cannot offer this guarantee.
LedgerEntry model — no mutable balance fieldsLedgerTransaction grouping — all-or-nothing across entries{
"id": "le_01HX9Z...",
"tenantId": 42,
"customerId": "cust_8f3a...",
"transactionId": "txn_c2e1...",
"entryType": "EARN",
"signedAmount": 350,
"runningBalance": 2850,
"referenceOrderId": "ord_9k2p...",
"ruleSetId": "rs_v3_base",
"status": "COMMITTED",
"createdAt": "2026-05-28T09:14:02Z",
// — never updated, never deleted —
}
A purpose-built DSL powered by an ANTLR4 grammar with a sandboxed evaluator. Tenants write, version, and test rules without engineering support — and without risking the ledger.
Rules read like business logic, not code. Designed to be authored by loyalty programme managers, reviewed in version control, and deployed without a developer.
DynamicExpresso on Starter/Growth; Wasmtime hardware-isolated sandbox on Scale/Enterprise. A misbehaving rule cannot access the filesystem, network, or other tenant data — architecturally impossible, not just restricted by policy.
No rule can block the ingestion pipeline. A static complexity budget (10,000 units) is enforced at save time — rules that would exceed the timeout are rejected before they're ever evaluated live.
Test a rule against real order data without writing to the ledger. Inspect the evaluation trace, see exactly which conditions matched, and preview the points outcome — all before going live.
Split live order traffic between two rule sets deterministically using HMAC-based assignment. Run a controlled experiment on your earn rate, measure the outcome in GraphQL, and promote the winner — without a code deploy.
Every rule set change is versioned and attributed. Roll back to any previous version. See who changed what, when, and why — with mandatory change reason codes on Tenant Admin-class edits.
Every competitor in the enterprise loyalty market provides REST-only reporting. LoyaltyOS ships a full GraphQL API with real-time WebSocket subscriptions — so your dashboards update the moment a transaction commits.
/graphql/v1 — Hot Chocolate serverdataAsOf staleness metadata on every responserulePerformance query with up to 12-month lookbacksubscription LiveTransactions { transactionCreated(tenantId: "acme-retail") { id customer { id tier pointsBalance } entries { entryType signedAmount status } dataAsOf createdAt } } # — updates pushed over WebSocket # — the moment each transaction commits
Native CDC feeds push loyalty data directly into your warehouse of choice — with PII governance, DPA workflow, and application-level encryption built in. No third-party tooling, no Hightouch, no scheduled exports.
CDC-based feeds target end-to-end latency under 5 minutes on Growth and above. Scale tier SLA tightens the read store projection lag alert threshold to 30 seconds.
Configure which customer PII fields are excluded from warehouse feeds. Changes propagate to the next CDC batch. DPA confirmation workflow included at no additional charge.
Export full historical loyalty data across any date range to your warehouse. Useful for bootstrapping a new connector or recovering from a failed sync. Available on Scale and Enterprise tiers.
Customers, transactions, orders, rule evaluations, tier history, and webhook deliveries — all available as individual CDC feed subjects on Scale and Enterprise.
Application-level AES-256 DEK per export file, tenant KEK stored in Azure Key Vault. Your warehouse data is encrypted at the application layer — independent of storage-level encryption.
US, EU, and APAC regions available. EU data residency with GDPR DPA and Standard Contractual Clauses included on Growth and above — no additional charge.
Security at LoyaltyOS is not a feature layer added on top — it is built into the data model, the event bus, and the key management architecture from the ground up.
Every customer's PII fields are encrypted with a unique AES-256 Data Encryption Key (DEK), itself encrypted under a per-tenant Key Encryption Key (KEK) stored in Azure Key Vault. Compromise of one DEK cannot affect any other customer record.
To satisfy a right-to-erasure request, the customer's DEK is destroyed in Azure Key Vault. All encrypted PII fields become permanently irrecoverable — without touching the immutable ledger. The audit trail survives; the personal data does not.
The event schema registry enforces a CI gate that rejects any event schema containing PII field definitions. PII cannot reach the event bus — not by policy restriction, but by schema validation at publish time.
All webhook deliveries are signed with a timestamp-bound HMAC-SHA256 signature. SSRF protection prevents webhook endpoints from targeting internal network addresses. Secrets rotate with a configurable grace period to prevent delivery interruption.
API keys are stored as Argon2id hashes — the OWASP-recommended memory-hard algorithm that resists GPU and ASIC brute-force attacks. Raw keys are shown once at creation and never stored in plaintext.
All Super Admin operations (tenant provisioning, role escalation, key management) require FIDO2 hardware key authentication and dual-operator approval. No single administrator can perform destructive operations unilaterally.
All tenant-scoped administrative actions are written to an immutable audit log with Legal Hold. Records are retained for a minimum of 7 years and cannot be deleted by tenant administrators or platform operators.
All inter-service communication within the Kubernetes cluster is encrypted with mutual TLS via Linkerd — automatic, near-zero configuration, and sub-millisecond overhead. No service can communicate with another without a valid certificate.
SDK generation available in TypeScript, Python, Java, and C#. OpenAPI 3.1 spec published at /openapi/v1.json.
Provision a sandbox tenant in under 60 seconds. Full API access, sample data pre-loaded, DSL simulator enabled, and a separate GraphQL endpoint with introspection on.