Trust & Security

Security built into
the architecture.

Privacy and audit integrity aren't bolted on at the end — they're how the platform is built. Below are the controls implemented today, our honest compliance status, our sub-processors, and the documents your security team needs.

The SOC 2 Type I report will be published when the assessment, now in progress, completes. Every control claim on this page maps to something already in the codebase; nothing in the Implemented Controls section is aspirational. Need detail we haven't published? Just ask, or email security@loyaltyos.example.

Implemented Controls

What protects your data today.

ENCRYPT

Envelope encryption

Per-customer AES-256 data keys, each wrapped by a per-tenant key-encryption key (KEK) held in Azure Key Vault. Keys are never shared across tenants, so a compromised tenant KEK exposes that tenant's data and nobody else's.

ERASE

Cryptographic erasure

GDPR right-to-erasure is implemented by destroying the customer's data key rather than chasing rows across systems and backups. Whatever ciphertext remains (including in backups) is unrecoverable, while the immutable ledger stays intact.
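The two controls above (per-customer data keys wrapped by a per-tenant KEK, and erasure by key destruction) as one added example. This is illustrative Go, not LoyaltyOS code: a random in-memory KEK stands in for the tenant's Azure Key Vault key (an assumption; in production the KEK never leaves Key Vault and the wrap/unwrap step is a Key Vault call), each customer gets a fresh AES-256-GCM data key wrapped under that KEK, and Erase deletes only the wrapped DEK. The TenantVault, sealGCM and openGCM names and the sample PII are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrErased = errors.New("customer data cryptographically erased") // returned once the DEK is gone

// sealGCM: AES-256-GCM, output is nonce || ciphertext || tag; aad (the customer ID) is
// authenticated but not encrypted, so a record cannot be replayed under another ID.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to key, nonce, ciphertext or aad fails authentication.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// TenantVault is one tenant's PII store. The in-memory kek is an assumed stand-in for the tenant's
// Key Vault key; in production only wrap/unwrap calls cross the Key Vault boundary.
type TenantVault struct {
	kek        []byte            // per-tenant key-encryption key
	wrappedDEK map[string][]byte // customer ID -> per-customer data key, wrapped under kek
	pii        map[string][]byte // customer ID -> PII sealed under that customer's DEK
}

func NewTenantVault() (*TenantVault, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &TenantVault{kek: kek, wrappedDEK: map[string][]byte{}, pii: map[string][]byte{}}, nil
}

// StorePII: fresh 256-bit DEK per customer, wrapped under the tenant KEK; PII sealed under the DEK.
func (v *TenantVault) StorePII(customerID string, plaintext []byte) error {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return err
	}
	wrapped, err := sealGCM(v.kek, dek, []byte(customerID)) // wrap: the KEK encrypts the DEK
	if err != nil {
		return err
	}
	ct, err := sealGCM(dek, plaintext, []byte(customerID))
	if err != nil {
		return err
	}
	v.wrappedDEK[customerID] = wrapped // only the wrapped DEK and the ciphertext are retained
	v.pii[customerID] = ct
	return nil
}

// ReadPII unwraps the customer's DEK with the tenant KEK, then opens the record.
func (v *TenantVault) ReadPII(customerID string) ([]byte, error) {
	wrapped, ok := v.wrappedDEK[customerID]
	if !ok {
		return nil, ErrErased
	}
	dek, err := openGCM(v.kek, wrapped, []byte(customerID))
	if err != nil {
		return nil, err
	}
	return openGCM(dek, v.pii[customerID], []byte(customerID))
}

// Erase is cryptographic erasure: without the wrapped DEK every copy of the ciphertext
// (live row, replica, backup) is unrecoverable, and none of those copies has to be touched.
func (v *TenantVault) Erase(customerID string) { delete(v.wrappedDEK, customerID) }

func main() {
	v, _ := NewTenantVault()
	_ = v.StorePII("cust-42", []byte(`{"email":"alice@example.com"}`)) // constructed sample PII
	v.Erase("cust-42")
	_, err := v.ReadPII("cust-42")
	fmt.Println("after erase:", err, "| ciphertext rows still present:", len(v.pii))
}
```

The property worth checking in a review is the one the page leans on: after Erase the ciphertext row is still there (so replicas and backups need no special handling) but no key exists that can open it. Tenant isolation follows from the KEKs being independent: a wrapped DEK from one tenant is just random-looking bytes under any other tenant's KEK.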

NO-PII BUS

PII-free event bus

No personal data in event payloads, enforced by a schema-registry gate in CI. Where an event needs to refer to an email identity it carries a keyed HMAC-SHA256 digest of the address, never the address itself.

mTLS

Encrypted in transit

Mutual TLS between all services via the mesh; TLS for every external API. Authenticated and encrypted by default.

ARGON2ID

Hardened credentials

API keys and Widget Tokens are stored only as Argon2id hashes. Outbound webhooks are signed with a timestamp-bound HMAC-SHA256, and webhook targets are checked for SSRF, with RFC 1918 private addresses blocked.
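The webhook signing and SSRF gate just described, as an added example rather than the platform's own code. It shows HMAC-SHA256 over timestamp.body on both the sending and receiving side, a replay tolerance of five minutes (assumed; the real window is not published), and a target check that refuses RFC 1918 space. It goes a little beyond the page: loopback, link-local (which covers the cloud metadata address), multicast and unspecified addresses are refused as well, and every DNS answer for a hostname is checked. The header format t=...,v1=... and the Resolver type are this example's assumptions. Argon2id hashing of API keys is not shown; it needs golang.org/x/crypto/argon2.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
	"net/url"
	"strconv"
	"strings"
	"time"
)

const signatureTolerance = 5 * time.Minute // assumed replay window; the page does not publish the real one

var (
	ErrMalformedHeader = errors.New("malformed signature header")
	ErrStaleSignature  = errors.New("signature timestamp outside tolerance")
	ErrBadSignature    = errors.New("signature mismatch")
	ErrInsecureURL     = errors.New("webhook URL must be https with a host")
	ErrPrivateTarget   = errors.New("webhook target is a private, loopback or link-local address")
	ErrUnresolvable    = errors.New("webhook host does not resolve")
)

// webhookMAC is HMAC-SHA256 over "<unix ts>.<body>", so the timestamp is covered by the MAC.
func webhookMAC(secret, body []byte, ts int64) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(strconv.FormatInt(ts, 10) + "."))
	mac.Write(body)
	return mac.Sum(nil)
}

// SignWebhook builds the sender's header value "t=<unix>,v1=<hex>" (a format assumed for this example).
func SignWebhook(secret, body []byte, sentAt time.Time) string {
	return fmt.Sprintf("t=%d,v1=%s", sentAt.Unix(), hex.EncodeToString(webhookMAC(secret, body, sentAt.Unix())))
}

// VerifyWebhook is the receiver side: reject stale timestamps before any MAC work, then compare in constant time.
func VerifyWebhook(secret, body []byte, header string, now time.Time) error {
	parts := strings.Split(header, ",")
	if len(parts) != 2 || !strings.HasPrefix(parts[0], "t=") || !strings.HasPrefix(parts[1], "v1=") {
		return ErrMalformedHeader
	}
	ts, err := strconv.ParseInt(parts[0][2:], 10, 64)
	if err != nil {
		return ErrMalformedHeader
	}
	if d := now.Sub(time.Unix(ts, 0)); d > signatureTolerance || d < -signatureTolerance {
		return ErrStaleSignature // future-dated timestamps are refused too
	}
	got, err := hex.DecodeString(parts[1][3:])
	if err != nil || !hmac.Equal(got, webhookMAC(secret, body, ts)) {
		return ErrBadSignature
	}
	return nil
}

// Resolver abstracts DNS so the gate can be tested offline; production passes net.LookupIP.
type Resolver func(host string) ([]net.IP, error)

// blockedIP covers RFC 1918 space plus loopback, link-local (which includes the cloud metadata address
// 169.254.169.254), unspecified and multicast. IPv4-mapped IPv6 forms are caught because To4 normalises them.
func blockedIP(ip net.IP) bool {
	return ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// ValidateWebhookURL is the SSRF gate applied when a tenant registers a webhook endpoint.
func ValidateWebhookURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return ErrInsecureURL
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil { // literal address: no DNS involved
		if blockedIP(ip) {
			return ErrPrivateTarget
		}
		return nil
	}
	ips, err := resolve(u.Hostname())
	if err != nil || len(ips) == 0 {
		return ErrUnresolvable
	}
	for _, ip := range ips { // a single private answer is enough to refuse the whole name
		if blockedIP(ip) {
			return ErrPrivateTarget
		}
	}
	return nil
}

func main() {
	secret, body := []byte("whsec_constructed_example"), []byte(`{"event":"redemption","points":500}`) // constructed
	header := SignWebhook(secret, body, time.Now())
	fmt.Println(header, VerifyWebhook(secret, body, header, time.Now()))
	fmt.Println(ValidateWebhookURL("https://169.254.169.254/latest/meta-data/", net.LookupIP))
}
```

Two caveats a reviewer would raise. The URL gate must run at send time as well as at registration, and the address it resolved must be the one the HTTP client actually dials (a custom DialContext that pins the checked IP); otherwise a DNS answer that changes between check and connect defeats it. And the timestamp check is deliberately first: it costs nothing, and it bounds how long a captured signed delivery can be replayed.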

FIDO2 + 4-EYES

Super-admin protection

Platform super-admin access requires FIDO2/WebAuthn MFA, an IP allow-list, and four-eyes approval. JWTs are pinned to a single signing algorithm; a token whose header names any other algorithm, including alg:none, is rejected.
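Algorithm pinning for the JWT check, as an added example and not the platform's verifier. HS256 with a shared key is assumed because the page does not say which algorithm is pinned; the point is the ordering, which is the same for any algorithm: the header's alg is compared against the single pinned value before any signature code runs, so alg:none, a different HMAC variant, or an RS256-to-HS256 downgrade never reaches the signature path. PinnedVerifier, Claims and the demo key are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var (
	ErrTokenFormat  = errors.New("token is not three base64url segments")
	ErrAlgNotPinned = errors.New("token alg does not match the pinned algorithm")
	ErrTokenSig     = errors.New("token signature invalid")
	ErrTokenExpired = errors.New("token expired or missing exp")
)

// Claims is the minimal claim set this example checks; exp is mandatory.
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// PinnedVerifier is built for exactly one algorithm (HS256 assumed here). The header's alg is
// compared with that value before any cryptography runs, so "none", "HS384" or an RS256-to-HS256
// downgrade is refused without ever reaching the signature path.
type PinnedVerifier struct {
	Alg string
	Key []byte
}

// segment JSON-encodes v as an unpadded base64url JWT segment.
func segment(v interface{}) string {
	b, _ := json.Marshal(v)
	return base64.RawURLEncoding.EncodeToString(b)
}

func (p PinnedVerifier) mac(signingInput string) []byte {
	m := hmac.New(sha256.New, p.Key)
	m.Write([]byte(signingInput))
	return m.Sum(nil)
}

// Mint issues a token under the pinned algorithm.
func (p PinnedVerifier) Mint(sub string, exp time.Time) string {
	input := segment(map[string]string{"alg": p.Alg, "typ": "JWT"}) + "." + segment(Claims{Sub: sub, Exp: exp.Unix()})
	return input + "." + base64.RawURLEncoding.EncodeToString(p.mac(input))
}

// Verify checks, in order: shape, pinned alg, signature (constant-time compare), then expiry.
func (p PinnedVerifier) Verify(token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, ErrTokenFormat
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return Claims{}, ErrTokenFormat
	}
	if hdr.Alg != p.Alg { // exact, case-sensitive: "none", "None" and every other algorithm fail here
		return Claims{}, ErrAlgNotPinned
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, p.mac(parts[0]+"."+parts[1])) {
		return Claims{}, ErrTokenSig
	}
	var c Claims
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return Claims{}, ErrTokenFormat
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, ErrTokenExpired
	}
	return c, nil
}

func main() {
	v := PinnedVerifier{Alg: "HS256", Key: []byte("constructed-demo-key-not-for-production")}
	good := v.Mint("admin-7", time.Now().Add(time.Hour))
	// A forged "alg":"none" token with an empty signature, as an attacker would craft it.
	forged := segment(map[string]string{"alg": "none"}) + "." + segment(Claims{Sub: "admin-7", Exp: time.Now().Add(time.Hour).Unix()}) + "."
	_, err1 := v.Verify(good, time.Now())
	_, err2 := v.Verify(forged, time.Now())
	fmt.Println("good:", err1, "| forged alg none:", err2)
}
```

The verifier never reads the algorithm out of the token to decide what to do; the token is only allowed to agree with a decision already made in configuration. That single rule is what closes the alg:none and key-confusion class of bugs.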

LEDGER

Immutable audit ledger

Append-only: accrual, redemption, expiry, void and refund are each first-class, auditable entries, and a correction is recorded as a void or refund entry rather than as an edit to an earlier row. Balances are derived from snapshots plus the entries appended since, never from a silently mutated counter.
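The ledger model above, as an added example of the data structure rather than LoyaltyOS's schema: every movement is a row, voids and refunds are compensating rows that cite the row they reverse, and a balance is the latest snapshot plus the rows appended after it. The kinds match the five the page lists; the sign rules, the one-reversal-per-row rule and the names Ledger, Entry and Snapshot are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

type EntryKind string

const (
	Accrual    EntryKind = "accrual"
	Redemption EntryKind = "redemption"
	Expiry     EntryKind = "expiry"
	Void       EntryKind = "void"
	Refund     EntryKind = "refund"
)

var (
	ErrBadDelta        = errors.New("delta sign does not match entry kind")
	ErrRefNotFound     = errors.New("referenced entry not found for this customer")
	ErrAlreadyReversed = errors.New("referenced entry was already voided or refunded")
	ErrNotReversible   = errors.New("entry cannot be reversed this way")
)

// Entry is one ledger row. Rows are never updated or deleted; Ref cites the row a void or refund reverses.
type Entry struct {
	Seq      int
	Customer string
	Kind     EntryKind
	Delta    int // signed point movement
	Ref      int // 0 = not a reversal
}

// Snapshot is a materialised balance as of a sequence number: a cache of the ledger, never a source of truth.
type Snapshot struct{ Balance, AsOfSeq int }

type Ledger struct {
	rows      []Entry
	snapshots map[string]Snapshot
}

func NewLedger() *Ledger { return &Ledger{snapshots: map[string]Snapshot{}} }

func (l *Ledger) append(e Entry) Entry {
	e.Seq = len(l.rows) + 1 // sequence numbers are dense, so Seq-1 is the row's index
	l.rows = append(l.rows, e)
	return e
}

// Post records a movement whose sign must agree with its kind: accruals add, redemptions and expiries subtract.
func (l *Ledger) Post(customer string, kind EntryKind, delta int) (Entry, error) {
	switch {
	case kind == Accrual && delta > 0, (kind == Redemption || kind == Expiry) && delta < 0:
		return l.append(Entry{Customer: customer, Kind: kind, Delta: delta}), nil
	}
	return Entry{}, ErrBadDelta
}

// Reverse appends a compensating Void or Refund row for an earlier row. A refund may only reverse a
// redemption; a void may reverse any non-reversal row; each row can be reversed at most once.
func (l *Ledger) Reverse(customer string, kind EntryKind, ref int) (Entry, error) {
	if ref < 1 || ref > len(l.rows) || l.rows[ref-1].Customer != customer {
		return Entry{}, ErrRefNotFound
	}
	target := l.rows[ref-1]
	if (kind != Void && kind != Refund) || target.Ref != 0 || (kind == Refund && target.Kind != Redemption) {
		return Entry{}, ErrNotReversible
	}
	for _, e := range l.rows {
		if e.Ref == ref {
			return Entry{}, ErrAlreadyReversed
		}
	}
	return l.append(Entry{Customer: customer, Kind: kind, Delta: -target.Delta, Ref: ref}), nil
}

// Balance is the latest snapshot plus every row for the customer appended after it; no counter is
// ever incremented in place, so any balance can be audited back to its rows.
func (l *Ledger) Balance(customer string) int {
	snap := l.snapshots[customer] // zero value (0 as of seq 0) before the first snapshot
	bal := snap.Balance
	for _, e := range l.rows[snap.AsOfSeq:] {
		if e.Customer == customer {
			bal += e.Delta
		}
	}
	return bal
}

// TakeSnapshot materialises the current balance so later reads replay only newer rows.
func (l *Ledger) TakeSnapshot(customer string) Snapshot {
	s := Snapshot{Balance: l.Balance(customer), AsOfSeq: len(l.rows)}
	l.snapshots[customer] = s
	return s
}

func main() {
	l := NewLedger()
	l.Post("cust-42", Accrual, 100) // constructed activity
	r, _ := l.Post("cust-42", Redemption, -30)
	l.Reverse("cust-42", Refund, r.Seq)
	fmt.Println("balance:", l.Balance("cust-42"), "rows:", len(l.rows))
}
```

What an auditor gets from this shape: a snapshot can be discarded and rebuilt from the rows at any time, a disputed balance decomposes into the rows that produced it, and a reversal leaves both the original row and the reason for the reversal on the record.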

ISOLATION

Tenancy & residency

Per-tenant isolation; EU residency with DPA + Standard Contractual Clauses (Growth+). PCI scope minimised — no cardholder data on the platform.

OFFBOARD

Clean offboarding

A defined grace period with read-only access and up to three full exports, then cryptographic erasure and a Termination Certificate.

Compliance Status

Where we are — honestly.

We'd rather state exactly what's done than imply a certificate we don't hold.

Item | Scope | Status
GDPR by design | Envelope encryption, crypto-erasure, DPA & SCCs | Implemented
SOC 2 Type I | Controls design assessment | In progress
SOC 2 Type II | Operating-effectiveness window | Target Q4 2026
Evidence pack | Pre-certification evidence + pen-test summary | On request

Type I assesses control design at a point in time; Type II assesses operating effectiveness over a window. We're pursuing Type I now and Type II next; the evidence pack bridges the gap for buyers who need diligence material today.

Sub-processors

Who we rely on.

We keep the sub-processor list short and current. Infrastructure runs on Microsoft Azure; the underlying data-centre and platform controls are covered by Azure's own SOC 2 / ISO attestations rather than by ours (the carve-out method).

Sub-processor | Purpose | Data | Region
Microsoft Azure, Compute (AKS) | Application hosting / orchestration | All (in transit / processing) | US / EU / APAC by tier
Microsoft Azure, SQL Database | Primary data store (encrypted) | Encrypted PII + ledger | Tenant region
Microsoft Azure, Key Vault | Key management (KEKs) | Encryption keys only | Tenant region
Microsoft Azure, Service Bus | Event bus (PII-free) | Non-PII event data | Tenant region
Microsoft Azure, Blob Storage | Object storage / exports (encrypted) | Encrypted exports | Tenant region

Tenant-configured outbound integrations (e.g. Klaviyo, Segment) and data warehouses are controlled by you and governed by your agreements with those providers; they are not LoyaltyOS sub-processors. The authoritative, versioned register is maintained in our DPA — request the current list.

For Your Security Team

Documents & diligence.

Security & Compliance Overview

A one-page summary of every control, our hosting, and compliance status. Public.

Download overview →

Vendor Security Questionnaire

Pre-answered CAIQ / SIG-lite responses to the questions most security reviews ask.

Download questionnaire →

Pre-certification Evidence Pack

Control evidence and shared pen-test summary, available to prospects under review.

Request access →

DPA & Sub-processor Register

Data Processing Agreement with Standard Contractual Clauses and the current sub-processor list.

View DPA →

Shared Responsibility

Who handles what.

Security is a partnership: we secure the platform, the keys, and the infrastructure; you control your configuration, your access, and what you forward downstream.

We're responsible for

Infrastructure security, encryption and key management, ledger integrity, platform availability and patching, the PII-free event bus, and sub-processor due diligence.

You're responsible for

Your tenant configuration and rule logic, who you grant access to, the security of API keys you issue, and any PII you choose to forward to your own tools.

Report an issue

Found a vulnerability? See security.txt or email security@loyaltyos.example. We respond to good-faith reports.

Security FAQ

Common questions.

Are you SOC 2 certified?
SOC 2 Type I is in progress and Type II is targeted for Q4 2026. We don't claim a certificate we don't hold — but the controls a SOC 2 examines are largely implemented today, and a pre-certification evidence pack (plus a shared pen-test summary) is available to prospects under review.
How do you handle GDPR erasure?
By cryptographic erasure: each customer's PII is encrypted under a unique key, and we destroy the key rather than trying to scrub rows across systems and backups. The data becomes permanently unrecoverable, while the immutable financial ledger stays intact.
Where is our data hosted?
On Microsoft Azure. EU data residency with a DPA and Standard Contractual Clauses is included on Growth and above; region selection (US / EU / APAC) is available by tier.
Is the embeddable widget token safe in the browser?
Yes. A Widget Token is read-mostly and is resolved server-side to a single customer, so it cannot read another customer's data or change loyalty configuration. The only write it permits is a credit redemption, and that sits behind your configured floor and reversal window.
Do you share or sell customer data?
No. Data is processed solely to provide the service. Outbound integrations to your own tools are configured and controlled by you.

Need to run a security review?

Tell us what your auditors need and we'll get you the evidence — including the pre-certification pack — quickly.

Request security details →
Start free sandbox