Punchh Security Overview

We protect your data.

All data is written to multiple disks instantly, backed up daily, and stored in multiple locations. Files that our customers upload are stored on servers that use modern techniques to remove bottlenecks and points of failure.

Your data is sent using HTTPS

Whenever your data is in transit between you and us, everything is encrypted and sent using HTTPS. Any files you upload to us are stored encrypted at rest. Project data, messages, text documents and todos aren't encrypted at rest; they are active in our database.

Secure Practices

We also allow the use of 2FA as a security measure when accessing Punchh accounts. Enabling 2FA adds security to your account by requiring both your password and access to a security code on your phone to access your account.

We use GitHub to deploy our source code using its recently introduced signed commits, along with 2FA, which has been mandatory for everyone working on the Punchh development team.

We have a team of dedicated specialists at Punchh to keep our software and its dependencies up to date, eliminating potential security vulnerabilities or threats to the system.

Full redundancy for all major systems.

We use Amazon Web Services (AWS) for our infrastructure. Our database is hosted on AWS RDS across 3 Availability Zones (AZs). All other systems have been engineered to stay up even when multiple servers fail. We use load-based servers that automatically scale up or down depending on the incoming traffic.

Regularly updated infrastructure and frameworks.

We take pride in keeping ourselves up to date with top-of-the-line hardware and software. We explore and use some of the best hardware and services offered by AWS. We use a Ruby on Rails stack with Redis and Sidekiq as the background job processor. We make sure we regularly upgrade to the latest versions of the underlying gems and libraries we use in our application.

We protect your billing information.

All credit card transactions are processed using secure encryption and are handled through our tie-ups with third-party payment solution providers. We do not store any of your card information on our servers. It is handled by independent PCI-compliant networks.

Vulnerability Reporting

For security inquiries or vulnerability reports, we use HackerOne. Please submit a vulnerability report on HackerOne. We'll get back to you as soon as we can, usually within 24 hours.

Submit Vulnerability Report