Privacy and audit integrity aren't bolted on at the end — they're how the platform is built. Below are the controls implemented today, our honest compliance status, our sub-processors, and the documents your security team needs.
Per-customer AES-256 data keys, each wrapped by a per-tenant key-encryption-key in Azure Key Vault. No two tenants share a key blast radius.
GDPR right-to-erasure by destroying the key, not chasing rows. PII becomes irrecoverable while the immutable ledger stays intact.
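The two controls above describe envelope encryption with a key-level delete. The Go sketch below is an added example, not LoyaltyOS code: a fresh AES-256 data key per customer is wrapped under a per-tenant KEK, and erasure is performed by destroying the wrapped key rather than touching the ciphertext. The in-memory `KeyVault` standing in for Azure Key Vault, the AES-GCM wrapping, the use of tenant and customer ids as associated data, and every name here are this example's assumptions, not the platform's implementation. `DestroyKEK` is the tenant-wide form of the same idea, which is what the cryptographic erasure at the end of the grace period described further down amounts to.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256; a nil or short key fails here
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts plaintext under key, binds aad, and prepends the random nonce.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; a wrong key, wrong aad, or tampering makes it fail.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("no usable ciphertext")
}

func randomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// KeyVault is a hypothetical in-memory stand-in for Azure Key Vault: one KEK
// per tenant, and the only place a KEK is ever used.
type KeyVault struct{ keks map[string][]byte }

func NewKeyVault() *KeyVault                { return &KeyVault{keks: map[string][]byte{}} }
func (v *KeyVault) CreateKEK(tenant string) { v.keks[tenant] = randomKey() }

// DestroyKEK is tenant-level cryptographic erasure: every DEK wrapped under the
// KEK, and so every record of the tenant, becomes unrecoverable at once.
func (v *KeyVault) DestroyKEK(tenant string) { delete(v.keks, tenant) }

// Record is one customer's encrypted PII plus that customer's wrapped DEK.
type Record struct{ WrappedDEK, Ciphertext []byte }

// Encrypt makes a fresh AES-256 DEK for the customer and wraps it under the tenant
// KEK with the tenant name as aad, so it can never be unwrapped as another tenant.
func (v *KeyVault) Encrypt(tenant, customer string, pii []byte) (*Record, error) {
	kek, ok := v.keks[tenant]
	if !ok {
		return nil, fmt.Errorf("no KEK for tenant %q", tenant)
	}
	dek := randomKey()
	wrapped, err := sealGCM(kek, dek, []byte(tenant))
	if err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, pii, []byte(customer))
	if err != nil {
		return nil, err
	}
	return &Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the record's DEK with the tenant KEK, then opens the PII. A
// destroyed or unknown tenant yields a nil KEK, which gcmFor rejects.
func (v *KeyVault) Decrypt(tenant, customer string, r *Record) ([]byte, error) {
	dek, err := openGCM(v.keks[tenant], r.WrappedDEK, []byte(tenant))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %q: %w", tenant, err)
	}
	return openGCM(dek, r.Ciphertext, []byte(customer))
}

// Erase serves a right-to-erasure request by destroying only the wrapped DEK;
// the ciphertext and any ledger rows naming the customer stay untouched.
func (r *Record) Erase() { r.WrappedDEK = nil }
```

Driving it from a test or a `main` (create a vault, `CreateKEK`, `Encrypt`, `Erase`, then `Decrypt`) shows the property that matters: after `Erase` the ciphertext is byte-for-byte unchanged but can no longer be opened, which is why ledger rows that reference the customer can stay put. The sketch also makes the usual caveat visible: crypto-erasure is only as complete as the key's own lifecycle, so backup or soft-deleted copies of the KEK and any plaintext DEKs cached in application memory have to fall under the same destruction rule.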
No personal data in event payloads — enforced by a schema-registry CI gate. Email identity uses HMAC-SHA256 hashing.
Mutual TLS between all services via the mesh; TLS for every external API. Authenticated and encrypted by default.
API keys and Widget Tokens hashed with Argon2id. Webhooks signed with timestamp-bound HMAC-SHA256, with SSRF protection and RFC-1918 blocking.
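For the webhook controls named above, here is an added Go example (not LoyaltyOS code) of the two receiving and sending halves: a timestamp-bound HMAC-SHA256 signature with the verification a consumer runs, and a destination guard that rejects RFC 1918, loopback and link-local targets before a tenant-supplied URL is dialled. The `t=...,v1=...` header layout, the tolerance window, the `Resolver` hook and all other names are this example's assumptions; the platform's actual header format is not stated on the page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
	"net/url"
	"strconv"
	"time"
)

// computeMAC binds the timestamp to the body, so a captured delivery cannot be
// re-sent later with a fresher timestamp without invalidating the signature.
func computeMAC(secret, body []byte, ts int64) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(strconv.FormatInt(ts, 10)))
	mac.Write([]byte("."))
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// SignWebhook builds the signature header sent with a delivery. The
// "t=<unix>,v1=<hex>" layout is this example's own convention, not the platform's.
func SignWebhook(secret, body []byte, sentAt time.Time) string {
	return fmt.Sprintf("t=%d,v1=%s", sentAt.Unix(), computeMAC(secret, body, sentAt.Unix()))
}

// VerifyWebhook is what a receiving endpoint runs. tolerance bounds clock skew
// and the replay window in both directions; the MAC compare is constant-time.
func VerifyWebhook(secret, body []byte, header string, now time.Time, tolerance time.Duration) error {
	var ts int64
	var sig string
	if n, err := fmt.Sscanf(header, "t=%d,v1=%s", &ts, &sig); err != nil || n != 2 {
		return errors.New("malformed signature header")
	}
	if age := now.Sub(time.Unix(ts, 0)); age > tolerance || age < -tolerance {
		return errors.New("timestamp outside tolerance window")
	}
	want := computeMAC(secret, body, ts)
	if subtle.ConstantTimeCompare([]byte(sig), []byte(want)) != 1 {
		return errors.New("signature mismatch")
	}
	return nil
}

// Resolver is injected so the check runs offline; production code passes net.LookupIP.
type Resolver func(host string) ([]net.IP, error)

// blockedAddr covers RFC 1918 and the other ranges a tenant-supplied webhook
// must never reach: loopback, link-local (which includes the 169.254.169.254
// cloud metadata endpoint), multicast and unspecified addresses.
func blockedAddr(ip net.IP) bool {
	return ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// CheckWebhookURL vets a destination before the platform dials it. Every
// address the host resolves to must pass, and the returned list is what the
// dialer should connect to, so the DNS answer cannot change between check and connect.
func CheckWebhookURL(raw string, resolve Resolver) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, errors.New("webhook URL must use https")
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("webhook URL has no host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = resolve(host); err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, errors.New("host resolved to no addresses")
	}
	for _, ip := range ips {
		if blockedAddr(ip) {
			return nil, fmt.Errorf("%s resolves to blocked address %s", host, ip)
		}
	}
	return ips, nil
}
```

Two design points worth keeping when adapting this. On the receiving side the tolerance window limits how long a captured delivery stays valid; a consumer that must reject even one replay inside the window additionally records the `(t, v1)` pairs it has already accepted. On the sending side the vetted IP list, not the hostname, is what the dialer should connect to; otherwise a host that answers with a public address at check time and a private one at connect time slips past the guard.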
Platform super-admin requires FIDO2/WebAuthn MFA, IP allow-listing, and four-eyes approval. JWTs are algorithm-pinned; alg:none is rejected.
Append-only: accrual, redemption, expiry, void, and refund are all first-class, auditable entries. Balances come from snapshots, never silent mutation.
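An added Go example (not LoyaltyOS code) of the ledger model the card above describes: the five entry kinds on an append-only list, voids and refunds written as new rows that reference what they reverse, balances folded forward from the latest snapshot, and an audit that replays from genesis to catch a row that was silently edited. The entry shape, the validation rules and all names are this example's assumptions.

```go
package main

import "fmt"

type EntryKind string

const Accrual, Redemption, Expiry, Void, Refund EntryKind = "accrual", "redemption", "expiry", "void", "refund"

// Entry is one immutable row; a Refund or Void references the row it reverses via Ref.
type Entry struct {
	Seq    int
	Kind   EntryKind
	Points int // signed delta applied to the balance
	Ref    int // Seq of the entry refunded or voided, 0 otherwise
}

// Snapshot is a checkpoint: the balance as of entry UptoSeq.
type Snapshot struct{ UptoSeq, Balance int }

type Ledger struct {
	entries   []Entry
	snapshots []Snapshot
}

// reversed sums the points already returned against entry ref by refunds or voids.
func (l *Ledger) reversed(ref int) int {
	total := 0
	for _, e := range l.entries {
		if e.Ref == ref {
			total += e.Points
		}
	}
	return total
}

// Append is the only write path; it refuses anything that would need history
// rewritten (overdraft, double void, refunds above the redeemed amount).
func (l *Ledger) Append(kind EntryKind, points, ref int) (Entry, error) {
	switch kind {
	case Accrual, Redemption, Expiry: // accrual adds points; the other two remove them
		if points == 0 || (points > 0) != (kind == Accrual) {
			return Entry{}, fmt.Errorf("%s has the wrong sign: %d", kind, points)
		}
	case Refund:
		if ref <= 0 || ref > len(l.entries) || l.entries[ref-1].Kind != Redemption {
			return Entry{}, fmt.Errorf("refund must reference a redemption")
		}
		if points <= 0 || l.reversed(ref)+points > -l.entries[ref-1].Points {
			return Entry{}, fmt.Errorf("refund exceeds the redeemed amount")
		}
	case Void:
		if ref <= 0 || ref > len(l.entries) || l.entries[ref-1].Kind == Void {
			return Entry{}, fmt.Errorf("void must reference a non-void entry")
		}
		if l.reversed(ref) != 0 {
			return Entry{}, fmt.Errorf("entry %d already voided or refunded", ref)
		}
		points = -l.entries[ref-1].Points // derived, so a void is an exact reversal
	default:
		return Entry{}, fmt.Errorf("unknown entry kind %q", kind)
	}
	if l.Balance()+points < 0 {
		return Entry{}, fmt.Errorf("insufficient balance for %s of %d", kind, points)
	}
	l.entries = append(l.entries, Entry{Seq: len(l.entries) + 1, Kind: kind, Points: points, Ref: ref})
	return l.entries[len(l.entries)-1], nil
}

func sum(es []Entry) int {
	total := 0
	for _, e := range es {
		total += e.Points
	}
	return total
}

// Balance folds forward from the latest snapshot over the entries after it.
func (l *Ledger) Balance() int {
	if n := len(l.snapshots); n > 0 {
		s := l.snapshots[n-1]
		return s.Balance + sum(l.entries[s.UptoSeq:])
	}
	return sum(l.entries)
}

// Snapshot checkpoints the current balance so later reads replay only the tail.
func (l *Ledger) Snapshot() Snapshot {
	s := Snapshot{UptoSeq: len(l.entries), Balance: l.Balance()}
	l.snapshots = append(l.snapshots, s)
	return s
}

// Audit replays from genesis and checks every snapshot, catching an edited row.
func (l *Ledger) Audit() error {
	for _, s := range l.snapshots {
		if got := sum(l.entries[:s.UptoSeq]); got != s.Balance {
			return fmt.Errorf("snapshot at seq %d records %d, replay gives %d", s.UptoSeq, s.Balance, got)
		}
	}
	return nil
}
```

The point of deriving a void's delta from the row it references, rather than accepting it from the caller, is that the reversal is exact by construction; the point of `reversed` is that a second void or an over-refund is refused at append time instead of being cleaned up later. `Audit` is the check an auditor would run: a snapshot that disagrees with a replay of the rows before it is evidence that history was altered.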
Per-tenant isolation; EU residency with DPA + Standard Contractual Clauses (Growth+). PCI scope minimised — no cardholder data on the platform.
A defined grace period with read-only access and up to three full exports, then cryptographic erasure and a Termination Certificate.
We'd rather state exactly what's done than imply a certificate we don't hold.
SOC 2 Type I assesses control design at a point in time; Type II assesses operating effectiveness over a window. We're pursuing Type I now and Type II next; the evidence pack bridges the gap for buyers who need diligence material today.
We keep the sub-processor list short and current. Infrastructure runs on Microsoft Azure; the underlying data-centre and platform controls are covered by Azure's own SOC 2 / ISO attestations (carve-out).
| Sub-processor | Purpose | Data | Region |
|---|---|---|---|
| Microsoft Azure — Compute (AKS) | Application hosting / orchestration | All (in transit/processing) | US / EU / APAC by tier |
| Microsoft Azure — SQL Database | Primary data store (encrypted) | Encrypted PII + ledger | Tenant region |
| Microsoft Azure — Key Vault | Key management (KEKs) | Encryption keys only | Tenant region |
| Microsoft Azure — Service Bus | Event bus (PII-free) | Non-PII event data | Tenant region |
| Microsoft Azure — Blob Storage | Object storage / exports (encrypted) | Encrypted exports | Tenant region |
Tenant-configured outbound integrations (e.g. Klaviyo, Segment) and data warehouses are controlled by you and governed by your agreements with those providers; they are not LoyaltyOS sub-processors. The authoritative, versioned register is maintained in our DPA — request the current list.
A one-page summary of every control, our hosting, and compliance status. Public.
Download overview →
Pre-answered CAIQ / SIG-lite responses to the questions most security reviews ask.
Download questionnaire →
Control evidence and shared pen-test summary, available to prospects under review.
Request access →
Data Processing Agreement with Standard Contractual Clauses and the current sub-processor list.
View DPA →
Security is a partnership: we secure the platform, the keys, and the infrastructure; you control your configuration, your access, and what you forward downstream.
We are responsible for infrastructure security, encryption and key management, ledger integrity, platform availability and patching, the PII-free event bus, and sub-processor due diligence.
You are responsible for your tenant configuration and rule logic, who you grant access to, the security of the API keys you issue, and any PII you choose to forward to your own tools.
Found a vulnerability? See security.txt or email security@loyaltyos.example. We respond to good-faith reports.
Tell us what your auditors need and we'll get you the evidence — including the pre-certification pack — quickly.