Platform Features

Everything an enterprise
loyalty programme needs.

Six interconnected capability layers — all API-first, all self-service, and all built to the engineering standards that regulated industries and large-scale operations actually require.

Financial-grade integrity. Not just a running total.

The LoyaltyOS ledger is append-only and immutable. Every accrual, conversion, redemption, expiry, and manual adjustment creates a LedgerEntry row — no entry is ever updated or deleted. Balance is derived from a snapshot query, not a mutable field. Competitors cannot offer this guarantee.

  • Append-only LedgerEntry model — no mutable balance fields
  • Atomic LedgerTransaction grouping — all-or-nothing across entries
  • PENDING / COMMITTED / FAILED state machine with full transition history
  • Snapshot-based balance queries — consistent under concurrent writes
  • Fractional points with configurable rounding (up, down, half-even)
  • Order cancellation and refund with proportional void
  • Points expiry: no-expiry, rolling, fixed, and vintage expiry models
  • Manual adjustment API with mandatory reason code and manager authorisation
  • Credit redemption reversals with configurable reversal window
ledger_entry.json
{
  "id": "le_01HX9Z...",
  "tenantId": 42,
  "customerId": "cust_8f3a...",
  "transactionId": "txn_c2e1...",
  "entryType": "EARN",
  "signedAmount": 350,
  "runningBalance": 2850,
  "referenceOrderId": "ord_9k2p...",
  "ruleSetId": "rs_v3_base",
  "status": "COMMITTED",
  "createdAt": "2026-05-28T09:14:02Z",
  // — never updated, never deleted —
}
Entry Types
9
EARN, CONVERT, CREDIT, REDEEM, EXPIRE, VOID, REVERSE, ADJUST, BONUS
Retention (Enterprise)
10 years
Custom retention per contract
Ledger Capacity (Scale)
5 billion
Entries per tenant; 10B+ on Enterprise
Balance Consistency
Snapshot
No mutable balance field — ever
Transaction Atomicity
Full ACID
Azure SQL backed; EF Core transactions
Expiry Models
4
None · Rolling · Fixed · Vintage
Rules Engine

Write rules in English.
Run them in 50ms.

A purpose-built DSL powered by an ANTLR4 grammar with a sandboxed evaluator. Tenants write, version, and test rules without engineering support — and without risking the ledger.

📝

Human-Readable DSL

Rules read like business logic, not code. Designed to be authored by loyalty programme managers, reviewed in version control, and deployed without a developer.

ANTLR4 GrammarVersion-Controlled
🧱

Sandboxed Evaluation

DynamicExpresso on Starter/Growth; Wasmtime hardware-isolated sandbox on Scale/Enterprise. A misbehaving rule cannot access the filesystem, network, or other tenant data — architecturally impossible, not just restricted by policy.

DynamicExpressoWasmtime
⏱️

50ms Hard Evaluation Timeout

No rule can block the ingestion pipeline. A static complexity budget (10,000 units) is enforced at save time — rules that would exceed the timeout are rejected before they're ever evaluated live.

50ms WallComplexity Budget
🧪

Dry-Run Simulation

Test a rule against real order data without writing to the ledger. Inspect the evaluation trace, see exactly which conditions matched, and preview the points outcome — all before going live.

No Ledger WritesEvaluation Trace
🎲

A/B Traffic Splitting

Split live order traffic between two rule sets deterministically using HMAC-based assignment. Run a controlled experiment on your earn rate, measure the outcome in GraphQL, and promote the winner — without a code deploy.

Deterministic HMACGrowth+ tier
📋

Rule Versioning & Audit History

Every rule set change is versioned and attributed. Roll back to any previous version. See who changed what, when, and why — with mandatory change reason codes on Tenant Admin-class edits.

Full HistoryRollback
Reporting

GraphQL. Because your dashboards
shouldn't run on polling.

Every competitor in the enterprise loyalty market provides REST-only reporting. LoyaltyOS ships a full GraphQL API with real-time WebSocket subscriptions — so your dashboards update the moment a transaction commits.

  • Full GraphQL API at /graphql/v1 — Hot Chocolate server
  • DataLoader — eliminates N+1 query patterns across nested resolvers
  • Cursor-based pagination on all collection types
  • Real-time WebSocket subscriptions for live dashboards
  • dataAsOf staleness metadata on every response
  • Persisted queries (server-side allow-listing) on Scale+
  • GraphQL query complexity budget: 500 units (750 on Scale+)
  • rulePerformance query with up to 12-month lookback
  • A/B rule set performance comparison dashboard on Growth+
  • Separate sandbox GraphQL endpoint with introspection enabled
  • Reporting data retention: 12 months (Starter) → 84 months (Scale)
query.graphql
subscription LiveTransactions {
  transactionCreated(tenantId: "acme-retail") {
    id
    customer { id tier pointsBalance }
    entries {
      entryType
      signedAmount
      status
    }
    dataAsOf
    createdAt
  }
}

# — updates pushed over WebSocket
# — the moment each transaction commits
Data Warehouse

Your loyalty data.
In your warehouse. In real time.

Native CDC feeds push loyalty data directly into your warehouse of choice — with PII governance, DPA workflow, and application-level encryption built in. No third-party tooling, no Hightouch, no scheduled exports.

❄️ Snowflake
📊 Google BigQuery
🔷 Azure Synapse / Fabric
🔴 Amazon Redshift

≤5 Minute Latency

CDC-based feeds target end-to-end latency under 5 minutes on Growth and above. Scale tier SLA tightens the read store projection lag alert threshold to 30 seconds.

PII Exclusion Lists

Configure which customer PII fields are excluded from warehouse feeds. Changes propagate to the next CDC batch. DPA confirmation workflow included at no additional charge.

Backfill API

Export full historical loyalty data across any date range to your warehouse. Useful for bootstrapping a new connector or recovering from a failed sync. Available on Scale and Enterprise tiers.

6 CDC Feed Subjects

Customers, transactions, orders, rule evaluations, tier history, and webhook deliveries — all available as individual CDC feed subjects on Scale and Enterprise.

Envelope-Encrypted Exports

Application-level AES-256 DEK per export file, tenant KEK stored in Azure Key Vault. Your warehouse data is encrypted at the application layer — independent of storage-level encryption.

Data Residency Selection

US, EU, and APAC regions available. EU data residency with GDPR DPA and Standard Contractual Clauses included on Growth and above — no additional charge.

Security & Compliance

GDPR compliance as
an engineering discipline.

Security at LoyaltyOS is not a feature layer added on top — it is built into the data model, the event bus, and the key management architecture from the ground up.

🔑 Per-Customer DEK/KEK Envelope Encryption

Every customer's PII fields are encrypted with a unique AES-256 Data Encryption Key (DEK), itself encrypted under a per-tenant Key Encryption Key (KEK) stored in Azure Key Vault. Compromise of one DEK cannot affect any other customer record.

🔥 Cryptographic Erasure (GDPR Article 17)

To satisfy a right-to-erasure request, the customer's DEK is destroyed in Azure Key Vault. All encrypted PII fields become permanently irrecoverable — without touching the immutable ledger. The audit trail survives; the personal data does not.

🚫 PII-Free Event Bus

The event schema registry enforces a CI gate that rejects any event schema containing PII field definitions. PII cannot reach the event bus — not by policy restriction, but by schema validation at publish time.

🪝 HMAC-Signed Webhook Delivery

All webhook deliveries are signed with a timestamp-bound HMAC-SHA256 signature. SSRF protection prevents webhook endpoints from targeting internal network addresses. Secrets rotate with a configurable grace period to prevent delivery interruption.

🔐 Argon2id API Key Hashing

API keys are stored as Argon2id hashes — the OWASP-recommended memory-hard algorithm that resists GPU and ASIC brute-force attacks. Raw keys are shown once at creation and never stored in plaintext.

🛡️ Super Admin FIDO2 + 4-Eyes Approval

All Super Admin operations (tenant provisioning, role escalation, key management) require FIDO2 hardware key authentication and dual-operator approval. No single administrator can perform destructive operations unilaterally.

📋 Write-Once Audit Log with Legal Hold

All tenant-scoped administrative actions are written to an immutable audit log with Legal Hold. Records are retained for a minimum of 7 years and cannot be deleted by tenant administrators or platform operators.

🔗 mTLS Service Mesh (Linkerd)

All inter-service communication within the Kubernetes cluster is encrypted with mutual TLS via Linkerd — automatic, near-zero configuration, and sub-millisecond overhead. No service can communicate with another without a valid certificate.

Integrations

Pre-built for the platforms
your team already runs on.

🛍️ Salesforce Commerce Cloud (certified cartridge)
📦 Salesforce OMS (field mapping templates)
🏪 Shopify (REST + webhook adapter)
🔧 commercetools (native connector)
🟠 Magento 2 (certified extension)
🏢 SAP Commerce Cloud
🔵 Microsoft Entra ID / Azure AD
🔐 Okta (SAML 2.0 + OIDC)
🔑 Auth0
📨 Azure Service Bus
🗂️ Apache Kafka (Scale+)
📡 OpenTelemetry (traces, metrics, logs)

SDK generation available in TypeScript, Python, Java, and C#. OpenAPI 3.1 spec published at /openapi/v1.json.

See every feature
in a live sandbox.

Provision a sandbox tenant in under 60 seconds. Full API access, sample data pre-loaded, DSL simulator enabled, and a separate GraphQL endpoint with introspection on.

Open the Sandbox → View Pricing