Punchh Security Overview
Security Overview
This document outlines the technical and security controls that Punchh uses to protect Personal Data (as such term is defined in Punchh’s EU Data Protection Addendum (“EU DPA”) or Personal Information (as such term is defined in Punchh’s US Data Processing Addendum (“US DPA”) (collectively herein, the “EU DPA” and the “US DPA” shall be “DPA”), from unauthorized use, access, disclosure, or loss in its provision of its Services. Punchh updates its strategy and tactics as the industry standard practices for security evolve, and therefore reserves the right to update this Security Overview from time to time. This Security Overview does not apply to any alpha, beta, or test offerings of the Services. Collectively herein, “Personal Data” and “Personal Information” shall be “Customer Data”.
This Security Overview is incorporated into and made a part of the DPA.
Security Program
Punchh maintains a formal security policy and program. The Punchh security program includes administrative, organizational, and technical safeguards designed to protect the Services and the confidentiality, integrity, and availability of Customer Data. The Punchh security program is intended to be appropriate to the nature of the Services and the size and complexity of Punchh’s business operations. Punchh staffs a dedicated security team that manages the security program. All security policies and practices are reviewed and approved by the team and by management at least annually and are made available to all Punchh employees and contractors.
Confidentiality
Punchh has a broad range of policies and controls in place to maintain the confidentiality of Customer Data. All Punchh employees and contractors are bound by Punchh’s confidentiality and security policies.
People Security
Punchh performs background checks on all new employees in accordance with applicable local laws. Punchh may also conduct criminal, credit, or other checks, depending on the nature and scope of a new employee’s role in accordance with applicable law.
All Punchh employees must complete an annual program of security and privacy training covering Punchh’s security policies, security best practices, common threats, and privacy principles. Punchh has established methods for employees to report security concerns, risky or unethical behavior.
Security Certifications
Punchh holds the following security-related certifications, which are maintained on an annual basis:
| Certification: | Covered Services: |
|---|---|
| ISO/IEC 27001 | Punchh hosted Services |
| SOC 2 Type II | Punchh hosted Services |
| PCI DSS Level 4 | Credit card payments provided to Punchh |
Security by Design
Punchh follows security by design principles and uses a security-focused Software Development Lifecycle (SDLC). Punchh performs numerous security-related activities across all phases of the product development process, from requirements gathering though deployment and ongoing management. These security-related activities include architecture and design reviews, code reviews, code scanning, vulnerability scanning, penetration testing, and 24×7 security monitoring.
Data Sovereignty and Data Segregation
Punchh operates multiple multi-tenant geographic instances of the Services within Amazon Web Services (AWS). Customer Data sent to a specific instance is stored only on the instance to which it is sent and is not transferred to other instances except as directed and approved by Customer.
Punchh identifies Customer Data using logical identifiers which mark individual elements of Customer Data with a unique ID assigned to each Customer to clearly identify ownership. The Punchh Application Programming Interfaces (“APIs”) are built to restrict access according to these identifiers.
Access Controls
Punchh utilizes the principle of least privilege when provisioning access to Customer Data stored on each server. Punchh employees and contractors are authorized to access Customer Data based on their job role and the specific Customer(s) they support. Access rights are reviewed at least annually or when an employee’s job role changes. Punchh uses security tools to identify deviations from internal policies that could indicate anomalous/unauthorized activity.
Change Management
Punchh has a formal change management policy and processes that are used to control changes to the production environment, including any changes to its underlying software, applications, and systems. Each change is reviewed and evaluated in a test environment before being deployed to the production environment. Changes are reviewed for their security impact prior to deployment, and all changes are documented using an auditable system of record.
Encryption
Customer Data may be stored in AWS S3 or in one or more relational databases. Customer Data stored in AWS S3 is encrypted using the industry standard encryption practices. We evaluate new encryption practices on a regular basis and update the Services as necessary.
Vulnerability Management
Punchh maintains controls and policies to mitigate the risk of security vulnerabilities. Punchh regularly scans its systems to proactively look for vulnerabilities, and we engage third parties to additionally review and audit our systems. Critical software patches are evaluated, tested, and applied proactively. Operating system patches are applied through the creation of a base virtual-machine image and deployed to all nodes in the Punchh cluster on a defined schedule. For patches to address high priority risks, Punchh may deploy directly to existing servers.
Penetration Testing
Punchh performs internal and third-party vulnerability scans, and penetration testing. Security threats and vulnerabilities are evaluated, prioritized, and remediated promptly. Punchh pre-allocates a significant percentage of its development bandwidth to the ongoing process of maintaining the security of the Services.
Security Incident Management
Punchh maintains a formal security incident management policy. Punchh utilizes third-party tools to detect, mitigate, and prevent distributed denial of service (DDoS) attacks.
Reliability, Resilience, and Service Continuity
The Punchh Services are architected for high reliability. The Services are hosted on distributed infrastructure provided by AWS, and all systems have been designed to continue operating even when multiple AWS servers fail. Wherever possible, servers and data are distributed across at least three AWS availability time zones.
Servers are clustered and elastically scalable. If Punchh detects a problem with a specific server or servers, we can dynamically add capacity, move servers to a different region, or do both to maintain uptime and capacity.
In the case of a catastrophic failure, Punchh can programmatically rebuild the servers in a matter of hours and restore Customer Data from the most recent backup with minimal or no data loss.
Backups and Recovery
Punchh performs regular backups of Customer Data and stores the encrypted backup data on AWS’ infrastructure. Where possible, backup data is stored redundantly across multiple availability zones.
Third Party Sub-Processors
Punchh may use third-party sub-processors to assist in the delivery of the Services. Punchh performs a security review of all prospective sub-processors to validate they meet Punchh’s security requirements and re-assesses sub-processors periodically or as their access to Customer Data changes. Punchh enters into written agreements with its sub-processors, which include confidentiality, privacy and security obligations that provide a similar level of protection for Customer Data as outlined in this Security Overview.