Security & Compliance
Your customers' data and your business data are protected at every layer. Here's exactly how we keep Loyaltify secure.
TLS 1.3
All traffic encrypted in transit
AES-256
Data encrypted at rest
GDPR
Data processing agreements available
CCPA
California consumer rights supported
LFPDPPP
Compliant with Mexican data privacy laws
99.96% Uptime
SLA guaranteed
Data Encryption
All data is encrypted at rest using AES-256 and in transit via TLS 1.3. API keys and secrets are hashed and never stored in plaintext.
Access Control
Role-based access control (RBAC) across all user tiers — super admin, business admin, manager, and staff. Principle of least privilege enforced throughout.
Audit Logging
Every write action — stamp, redemption, settings change — is logged with user identity, timestamp, and IP. Audit logs are tamper-evident and retained for 12 months.
Infrastructure
Hosted on enterprise-grade cloud infrastructure with isolated environments for production and staging. Daily automated backups with point-in-time restore.
Vulnerability Management
Continuous dependency scanning, automated SAST/DAST pipelines, and a responsible disclosure program for external researchers.
Compliance
Loyaltify is designed to comply with GDPR, CCPA, and Mexican data privacy laws (LFPDPPP). Data processing agreements (DPAs) available on request.
Security FAQ
Where is my data stored?
Customer data is stored in secure, redundant data centers in North America. You can request data residency options for specific compliance requirements.
Can I delete my data?
Yes. You can export or delete all business and customer data at any time from the dashboard settings. On account termination, all data is deleted within 30 days.
How do you handle security vulnerabilities?
We operate a responsible disclosure policy. If you discover a vulnerability, please contact security@loyaltify.com.mx. We aim to acknowledge reports within 24 hours.
Is Loyaltify PCI compliant?
Loyaltify does not store, process, or transmit cardholder data. Payment processing is handled entirely by Stripe, which is PCI DSS Level 1 certified.
Report a vulnerability
We operate a responsible disclosure program. If you find a security issue in Loyaltify, please email us. We commit to acknowledging your report within 24 hours and providing updates throughout the investigation.