Punchh Security Overview

Security Overview

This document outlines the technical and security controls that Punchh uses to protect Personal Data (as such term is defined in Punchh’s EU Data Protection Addendum (“EU DPA”) or Personal Information (as such term is defined in Punchh’s US Data Processing Addendum (“US DPA”) (collectively herein, the “EU DPA” and the “US DPA” shall be “DPA”), from unauthorized use, access, disclosure, or loss in its provision of its Services. Punchh updates its strategy and tactics as the industry standard practices for security evolve, and therefore reserves the right to update this Security Overview from time to time. This Security Overview does not apply to any alpha, beta, or test offerings of the Services. Collectively herein, “Personal Data” and “Personal Information” shall be “Customer Data”.

This Security Overview is incorporated into and made a part of the DPA.

Security Program

Punchh maintains a formal security policy and program. The Punchh security program includes administrative, organizational, and technical safeguards designed to protect the Services and the confidentiality, integrity, and availability of Customer Data. The Punchh security program is intended to be appropriate to the nature of the Services and the size and complexity of Punchh’s business operations. Punchh staffs a dedicated security team that manages the security program. All security policies and practices are reviewed and approved by the team and by management at least annually and are made available to all Punchh employees and contractors.


Punchh has a broad range of policies and controls in place to maintain the confidentiality of Customer Data. All Punchh employees and contractors are bound by Punchh’s confidentiality and security policies.

People Security

Punchh performs background checks on all new employees in accordance with applicable local laws. Punchh may also conduct criminal, credit, or other checks, depending on the nature and scope of a new employee’s role in accordance with applicable law.

All Punchh employees must complete an annual program of security and privacy training covering Punchh’s security policies, security best practices, common threats, and privacy principles. Punchh has established methods for employees to report security concerns, risky or unethical behavior.

Security Certifications

Punchh holds the following security-related certifications, which are maintained on an annual basis:

Certification:Covered Services:
ISO/IEC 27001Punchh hosted Services
SOC 2 Type IIPunchh hosted Services
PCI DSS Level 4Credit card payments provided to Punchh

Security by Design

Punchh follows security by design principles and uses a security-focused Software Development Lifecycle (SDLC). Punchh performs numerous security-related activities across all phases of the product development process, from requirements gathering though deployment and ongoing management. These security-related activities include architecture and design reviews, code reviews, code scanning, vulnerability scanning, penetration testing, and 24×7 security monitoring.

Data Sovereignty and Data Segregation

Punchh operates multiple multi-tenant geographic instances of the Services within Amazon Web Services (AWS). Customer Data sent to a specific instance is stored only on the instance to which it is sent and is not transferred to other instances except as directed and approved by Customer.

Punchh identifies Customer Data using logical identifiers which mark individual elements of Customer Data with a unique ID assigned to each Customer to clearly identify ownership. The Punchh Application Programming Interfaces (“APIs”) are built to restrict access according to these identifiers.

Access Controls

Punchh utilizes the principle of least privilege when provisioning access to Customer Data stored on each server. Punchh employees and contractors are authorized to access Customer Data based on their job role and the specific Customer(s) they support. Access rights are reviewed at least annually or when an employee’s job role changes. Punchh uses security tools to identify deviations from internal policies that could indicate anomalous/unauthorized activity.

Change Management

Punchh has a formal change management policy and processes that are used to control changes to the production environment, including any changes to its underlying software, applications, and systems. Each change is reviewed and evaluated in a test environment before being deployed to the production environment. Changes are reviewed for their security impact prior to deployment, and all changes are documented using an auditable system of record.


Customer Data may be stored in AWS S3 or in one or more relational databases. Customer Data stored in AWS S3 is encrypted using the industry standard encryption practices. We evaluate new encryption practices on a regular basis and update the Services as necessary.

Vulnerability Management

Punchh maintains controls and policies to mitigate the risk of security vulnerabilities. Punchh regularly scans its systems to proactively look for vulnerabilities, and we engage third parties to additionally review and audit our systems. Critical software patches are evaluated, tested, and applied proactively. Operating system patches are applied through the creation of a base virtual-machine image and deployed to all nodes in the Punchh cluster on a defined schedule. For patches to address high priority risks, Punchh may deploy directly to existing servers.

Penetration Testing

Punchh performs internal and third-party vulnerability scans, and penetration testing. Security threats and vulnerabilities are evaluated, prioritized, and remediated promptly. Punchh pre-allocates a significant percentage of its development bandwidth to the ongoing process of maintaining the security of the Services.

Security Incident Management

Punchh maintains a formal security incident management policy. Punchh utilizes third-party tools to detect, mitigate, and prevent distributed denial of service (DDoS) attacks.

Reliability, Resilience, and Service Continuity

The Punchh Services are architected for high reliability. The Services are hosted on distributed infrastructure provided by AWS, and all systems have been designed to continue operating even when multiple AWS servers fail. Wherever possible, servers and data are distributed across at least three AWS availability time zones.

Servers are clustered and elastically scalable. If Punchh detects a problem with a specific server or servers, we can dynamically add capacity, move servers to a different region, or do both to maintain uptime and capacity.

In the case of a catastrophic failure, Punchh can programmatically rebuild the servers in a matter of hours and restore Customer Data from the most recent backup with minimal or no data loss.

Backups and Recovery

Punchh performs regular backups of Customer Data and stores the encrypted backup data on AWS’ infrastructure. Where possible, backup data is stored redundantly across multiple availability zones.

Third Party Sub-Processors

Punchh may use third-party sub-processors to assist in the delivery of the Services. Punchh performs a security review of all prospective sub-processors to validate they meet Punchh’s security requirements and re-assesses sub-processors periodically or as their access to Customer Data changes. Punchh enters into written agreements with its sub-processors, which include confidentiality, privacy and security obligations that provide a similar level of protection for Customer Data as outlined in this Security Overview.