
Data Security

At Loyalty Juggernaut Inc. (LJI), the security of Client Data is of paramount importance. We strive to implement industry-standard security policies and programs that involve comprehensive audits of the applications, systems, and networks and training of all personnel in best-in-class security practices.

Security Compliance Certifications

LJI complies with SSAE 18 - SOC 2 Type 2 standards and is ISO/IEC 27001:2013 certified, which are some of the most broadly recognized security standards.

LJI has a dedicated Security Team that uses industry-standard practices and frameworks to keep Client Data safe. The security approach focuses on governance, risk management, and compliance. It includes encryption at rest and in transit, network security, administrative access control, system monitoring, logging and alerting, and more.

LJI undertakes a robust set of security and data protection measures that provide Clients the required control, visibility, and flexibility needed to manage various security challenges without compromising agility.

Cloud Security Compliance Measures

Access Control of Processing Areas

LJI hosts GRAVTY on Amazon Web Services (AWS) cloud platform. No LJI employee has access to the applicable physical environments. AWS has implemented Data Controls towards preventing unauthorized access to the Data Processing equipment, namely the database and application servers, and related hardware, where Client Data are processed. Please refer to the specific measures employed by AWS towards access control at aws.amazon.com.

Availability Control

LJI protects Client Data from accidental destruction or loss. To accomplish this, we store the backup of production data in multiple Availability Zones (Data Centers) to restore in case of failure of the primary system. LJI also deploys redundant infrastructure to run GRAVTY in multiple Availability Zones to honor the high standards of Service Level Availability committed to our Clients. At LJI, we also employ business continuity and disaster recovery procedures to ensure business-as-usual LJI Services.

Network Security Compliance Measures

LJI uses multilayer enterprise-class network software including router, firewall, and encryption technologies to protect against and to detect common network attacks on public gateways used for data transmission. This includes preventing Client Data from being read, copied, altered, or deleted by unauthorized parties during the transmission.

Protection

To ensure thorough protection of LJI's network, we use essential AWS Security Services, regular audits, and network intelligence technologies, which monitor and/or block malicious traffic and network attacks.

Architecture

At LJI, we employ multiple security zones in our network security architecture. We house specific sensitive components, like database servers, in our most trusted zones for the highest protection. We house other systems in zones corresponding to their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls apply.

Network Vulnerability Scanning

LJI implements regular network security scanning for quick identification of out-of-compliance or potentially vulnerable systems.

Third-Party Penetration Tests

LJI engages with third-party security experts to perform broad penetration tests across GRAVTY® for major releases.

Encryption

Encryption in Transit

To secure Client Data during transmission, LJI encrypts the information using world-class encryption standards such as TLS 1.2+ and SFTP.

Encryption at Rest

To secure Client Data at rest, LJI stores the data using world-class encryption standards such as AES-256 encryption, thereby securing the data against brute force attacks.

Availability and Continuity

Uptime

LJI has designed GRAVTY® for High Availability. It runs in at least two Availability Zones (two physically different Data Centers) for each Client. This helps ensure continued service to the Clients without disruption even when a Data Center is unavailable.

DR Recovery

LJI Services are DR-ready for Availability Zone (AZ) failures. The services running across multiple AZs (or Data Centers) can withstand a component-level failure in a single AZ by automatically switching to another AZ. This protects LJI Services against incidents in a single AZ, achieving a Recovery Point Objective (RPO) and Recovery Time Objective (RTO) of zero minutes.

In the unlikely event that multiple AZs go down simultaneously and manual DR is required, LJI delivers an RTO of 12 hours and an RPO of 30 minutes.

Data Security Compliance Measures

Input Control

LJI maintains suitable measures to establish whether and by whom Personal Data has been input into GRAVTY® or removed. This is accomplished by:

  • Following the Principle of Least Privilege (POLP) for the authorization policy
  • Authentication of the authorized personnel including individual authentication credentials such as user IDs that, once assigned, cannot be reassigned to another person
  • Utilization of industry-standard authentication systems including implementation of strict password policy organization-wide
  • Automatic log-off of Idle Users from relevant applications and/or workstations
  • Deactivating and deleting User Accounts
  • Deactivation of user authentication credentials in case a User is disqualified from accessing Personal Data or in case of non-use for a certain period of time
  • Establishing proof within LJI's organization of the input authorization
  • Electronic recording of entries

Transmission Control

LJI maintains suitable measures to prevent Personal Data from being read, copied, altered, or deleted by unauthorized parties during the transmission thereof. This is accomplished by:

  • Using industry-standard firewall and encryption technologies
  • Logging and monitoring all data transmissions
  • Monitoring of the completeness and correctness of the transfer of data (end-to-end check)

Separating Data Processing by Purpose

LJI maintains suitable measures to ensure that data collected for different purposes is processed separately. This is accomplished by:

  • Separating access to the appropriate users through application security controls
  • Storing the data of different LJI Clients separately

Access Control to Data Processing Systems

LJI restricts access to Client Data to only those users who have the required authorization. LJI prevents any access to Client Data and Data Processing systems from unauthorized Users by:

  • Ensuring that access to GRAVTY® is limited to only those individuals requiring access to LJI Services
  • Ensuring robust authentication processes
  • Using an automatic session time-out which requires identification and password to start a new session
  • Automatically logging events and monitoring unauthorized access attempts
  • Logging all user access to Client Data

Application Security

Framework Security Controls

LJI leverages industry-standard secure open-source frameworks with built-in security controls to limit exposure to the risks listed in the OWASP Top 10 Security Risks, SANS 25, and NIST publications, among others.

Quality Checks, Scans, and Assurances

LJI's software development life cycle includes a controlled source code management system, peer review, and testing against common vulnerabilities (e.g., the Common Vulnerability Scoring System database and the OWASP Top 10 list). LJI also leverages static and dynamic application security testing, and engages third-party application security companies for VAPT audits.

Separate Environments

LJI uses a multi-account strategy to ensure complete security and isolation of the production environment from testing and staging environments.

Human Resource Security Compliance Measures

LJI Workstation Security

LJI secures employees' workstations that access Client Data using industry-standard technology and practices (e.g., firewalls, disk encryption, inactivity timeouts and system locks, asset tracking, and anti-malware). LJI does not store Client Data on endpoint computers or on any external storage media that are not fully encrypted.

Training

LJI ensures that all employees, agents, and sub-contractors receive adequate and regular training (including but not limited to compliance, security, and privacy training) and maintains records of such training.

Employee Vetting

LJI carries out thorough background checks on all new employees in accordance with local laws. These checks include criminal, education, and employment verification. All new LJI hires are required to sign Non-Disclosure and Confidentiality agreements, making them contractually obliged to adhere to the Security and Data Privacy compliance requirements described in this Policy.