RewardLion Security and Compliance

4.1.1 Cloud Hosting Provider:

Ensuring the security of entrusted data lies at the heart of RewardLion's operations, manifesting in the deployment of robust security controls across administrative, technical, and physical spheres. We entrust the integrity of our infrastructure to industry-leading cloud providers, including Google Cloud Platform Services and Amazon Web Services (AWS), demonstrating our unwavering commitment to data protection. 

Google and AWS maintain audited security and compliance programs, affirming the effectiveness of their physical, environmental, and infrastructure security controls. Google pledges a minimum monthly uptime percentage of 99.5%, providing transparent insights into controls, processes, and compliance measures through its Compliance Resource Center. Similarly, AWS assures service reliability between 99.95% and 100%, supported by independently validated business continuity and disaster recovery plans detailed in their SOC 2 Type 2 report and ISO 27001 certification. AWS's compliance documentation and audit reports are accessible via the AWS Cloud Compliance Page and the AWS Artifacts Portal.

4.1.2 Network and Perimeter Security:

RewardLion's product infrastructure employs sophisticated layered filtering and inspection mechanisms across web application connections, logical firewalls, and security groups to enforce stringent access controls. Network-level access control lists and default firewall configurations ensure unauthorized access is prevented, with periodic reviews to ensure only essential connections are permitted, all adhering to standard change control processes.

4.1.3 Configuration Management:

Automation drives RewardLion's infrastructure, enabling scalability and responsiveness to customer demands. Our highly automated environment embeds server configurations within images and configuration files, managed through a controlled change pipeline. From provisioning to deprovisioning, server instances undergo meticulous control, promptly identifying and rectifying deviations from configuration baselines. Patch management is conducted through automated configuration tools, maintaining compliance with expected baselines.

4.1.4 Logging:

Every action and event within the RewardLion application is meticulously logged, indexed, and stored in a centralized solution within our cloud environment. Security-relevant logs undergo retention based on data nature, with limited access to storage services granted exclusively to authorized personnel.

Through these steadfast measures, RewardLion upholds the integrity, availability, and security of our infrastructure, instilling trust and confidence among our valued clients and stakeholders.

4.1.5 Alerting and Monitoring

The RewardLion product infrastructure is equipped with sophisticated instrumentation, promptly alerting engineers and administrators to anomalies. Automatic responses or alerts are triggered for error rates, abuse scenarios, application attacks, and other irregularities, facilitating swift response, investigation, and correction. Automated triggers respond immediately to anomalous situations, implementing actions such as traffic throttling and process termination at predefined thresholds.

RewardLion adheres to stringent protocols for safeguarding customer data, implementing robust measures for data classification, tenant separation, and encryption.

4.3.1 Data Classification

Customers are required to ensure that the data captured aligns with their marketing, sales, services, and operational processes, as outlined in RewardLion's Terms of Service. The platform should not be used to collect or store sensitive information such as financial details or personal identifiers unless permitted otherwise.

4.3.2 Tenant Separation

RewardLion operates on a multi-tenant SaaS model, logically segregating customer data using unique IDs. Authorization rules are integrated into the architecture, continuously validated to maintain data integrity. The platform logs authentication, application availability, and user access and changes for transparency and accountability.

4.3.3 Encryption

All data transmitted within the RewardLion platform is encrypted using TLS version 1.2 or 1.3 with 2,048-bit keys or higher. TLS is the default for customers hosting their websites on the platform. Stored data is encrypted using AES-256 encryption, with user passwords hashed and encrypted according to industry standards.

4.3.4 Key Management

Encryption keys for both in-transit and at-rest encryption are securely managed by RewardLion. TLS private keys for in-transit encryption are handled through a trusted content delivery partner, while volume and field-level encryption keys for at-rest encryption are stored in a hardened Key Management System (KMS). Keys undergo regular rotation based on data sensitivity, with TLS certificates renewed annually. 

Through these measures, RewardLion ensures the confidentiality, integrity, and availability of customer data, maintaining the highest standards of security and compliance.

4.4.1 RewardLion prioritizes minimizing system downtime and ensuring seamless operations even in adverse circumstances.

To achieve this goal:

1. Redundancy and Distribution: All RewardLion product services are designed with redundancy in mind. Server infrastructure is strategically distributed across multiple distinct availability zones and virtual private cloud networks within our infrastructure providers. This distributed setup enhances resilience and minimizes the impact of potential failures.
2. Point-in-Time Recovery: Web, application, and database components are deployed with point-in-time recovery mechanisms. This allows us to restore systems to specific points in time, ensuring data integrity and continuity of service in the event of unforeseen incidents.

4.4.2 Backups Strategy:

a. System Backup:

Regular backups are conducted according to predefined schedules and frequencies. We retain seven days' worth of backups for each database, facilitating seamless restoration when needed. The backup process is actively monitored to ensure successful execution, with alerts triggered for any exceptions. In the event of failures, alerts are escalated, investigated, and addressed promptly. Data is backed up daily to the local region, and we maintain monitoring and alerting mechanisms for replication failures, which are promptly addressed and managed. 

b. Physical Backup Storage:

As RewardLion leverages public cloud services for hosting, backup, and recovery, it does not incorporate physical infrastructure or storage media within its products. Additionally, RewardLion typically does not utilize other forms of hard copy media, such as paper or tape, in delivering its products to customers.

c. Backup Protection:

By default, all backups within RewardLion are safeguarded through access control restrictions and write once read many (WORM) protections on its product infrastructure networks. Additionally, access control lists are implemented on the file systems that store the backup files, enhancing their security measures.

d. Data Backup Restoration:

RewardLion customers do not possess access to the product infrastructure in a manner that permits customer-driven failover events. Disaster recovery and resiliency operations are overseen by RewardLion product engineering teams. In certain instances, customers can utilize the recycle bin to directly recover and restore various elements such as contacts, opportunities, custom fields, custom values, tags, notes, and tasks within 30 days of deletion. Changes made to web pages, blog posts, or emails can be reverted to previous versions using version history. For customers desiring additional data backup, the RewardLion platform offers numerous methods to ensure data availability. Export options are embedded within many features of the RewardLion portal, and the RewardLion library of public APIs allows for data synchronization with other systems.

4.4.3 Identity and Access Control

a. Product User Management

RewardLion's products offer finely tuned authorization settings, providing customers with the ability to craft and oversee users within their portals. They can designate suitable privileges and regulate access according to their specific needs and preferences.

b. Product Login Protection

RewardLion's products enable users to access their accounts through the native RewardLion login system. This login method enforces a standardized password policy, mandating a minimum of 8 characters with a mix of uppercase and lowercase letters, special characters, and numbers. Users utilizing RewardLion's native login cannot alter the default password policy. Moreover, customers employing RewardLion's built-in login benefit from two-factor authentication for added security. Portal administrators have the option to mandate two-factor authentication for all users.

c. RewardLion Employees Access to Data

• Access to Production Infrastructure

Access to Production Infrastructure User access to internal data stores and production infrastructure is strictly controlled. HighLevel employees are granted access using a role-based access control (RBAC) model. Day-to-day access is minimized to members of the Engineering team and persistent administrative access is restricted. Additionally, direct network connections to product infrastructure devices over SSH or similar protocols is prohibited, and engineers are required to authenticate first through a bastion host or "jump box" or have assigned IAM role to the resource before accessing server environments.

• Access to Customer’s Portals

By default, certain personnel such as Customer Support and Services teams have limited access to specific sections of your RewardLion account to assist you with utilizing the platform effectively. Additionally, RewardLion employs a Just-In-Time Access (JITA) model to grant employees temporary access to a customer's portal for a restricted period (Portal JITA). Each Portal JITA request is meticulously logged, and access is restricted to a designated customer's portal for a maximum duration of 24 hours. To further enhance security, RewardLion employs risk-based monitoring to identify any unusual activity related to Portal JITA.

When utilizing Portal JITA to access a portal, RewardLion staff members are unable to perform high-risk actions such as:

• Altering domain or Single Sign-On (SSO) settings
• Exporting users or contacts
• Viewing, creating, deleting, or rotating private application keys
• Importing data into the CRM
• Deleting contacts, companies, deals, or tickets

All user logins, RewardLion employee access, security-related activities, and content interactions are diligently logged for monitoring and audit purposes.

d. Corporate Authentication and Authorization

Access to the RewardLion company network is secured with Multi-Factor Authentication (MFA), ensuring an additional layer of protection beyond passwords. Our password policies adhere to industry best practices concerning required length, complexity, and rotation frequency. Certain administrative account passwords are managed using password vaults, and access to these vaults is carefully controlled through Role-Based Access Control or the Just-In-Time Access (JITA) process. We have developed an extensive support system to streamline and automate our security management and compliance activities. 

In addition to numerous other responsibilities, we meticulously manage permission grants, oversee employee events, ensure timely access revocations, maintain comprehensive change logs, and preserve compliance evidence. Employee access and permissions to critical internal systems undergo manual review semi-annually to confirm that granted access aligns with job functions.

4.4.4 Corporate Security  a. Background Checks

a. Background Checks

RewardLion employees undergo a third-party background check before receiving formal employment offers. Reference verification is conducted at the discretion of the hiring manager. Upon joining the company, all employees are required to review and acknowledge RewardLion's Employee Handbook and Code of Conduct. These documents outline employees' security responsibilities in safeguarding company assets and data.

b. Policy Management

In order to ensure uniformity among employees in protecting data, RewardLion documents and maintains written policies and procedures. Specifically, RewardLion upholds a core Written Information Security Policy covering various topics including data handling requirements, privacy considerations, and disciplinary actions for policy violations. These policies undergo annual review and approval to ensure relevance and compliance.

c. Security Training

RewardLion mandates CyberSafety training for all new employees upon commencement of their employment. Additionally, this training is made available annually to ensure continuous awareness and education. The curriculum includes modules on phishing awareness and other pertinent cybersecurity topics.

d. Vendor Management

RewardLion collaborates with third-party service providers to facilitate product development and internal operations. To uphold security and privacy standards, we enforce stringent requirements within our contractual agreements with these vendors. Additionally, we maintain an up-to-date list of our sub-processors, subject to periodic revisions, as outlined in our Data Processing Agreement.

e. Endpoint Protection

RewardLion centrally manages company-issued laptops, which are configured to maintain full disk encryption. Additionally, we employ a Mobile Device Management solution, offering IT administrators a centralized platform to oversee and regulate mobile devices within the organization. This includes configuring device settings, enforcing security policies, deploying applications, and ensuring adherence to corporate standards.

4.4.5 Compliance

For comprehensive insights into how data is processed and the underlying purposes, we encourage reviewing our Terms of Service and Privacy Policy. It's important to note that while RewardLion customers have the option to settle payments using credit cards, we do not retain, process, or gather credit card details provided by customers. Additionally, RewardLion is not PCI-DSS compliant. To ensure secure payment transactions, we partner with PCI-compliant payment card processors.

4.4.6 Privacy

In adherence to our Privacy Policy, we uphold a firm commitment not to trade or sell your personal data to any third parties. Our stringent safeguards, detailed in this document and throughout our operations, are purposefully designed to uphold the confidentiality and integrity of your information.

a. Data Retention Policy

At RewardLion, your data is securely stored as long as you're an active customer. Upon account closure, you can request specific data deletion, which we promptly process in compliance with privacy laws. While we retain certain data for security and legal purposes, we ensure its protection and limit retention to essential needs. We do not currently offer customized data retention options, but we regularly update our policies to meet evolving privacy standards

b. Privacy Program Oversight:

At RewardLion, our Legal Team works closely with our engineering and product development units to uphold a robust privacy program. Detailed information regarding our dedication to safeguarding your data is outlined in our Privacy Policy and Data Processing Agreement

c. Breach Notification:

RewardLion adheres to legal requirements concerning data breaches and will promptly notify customers in the event of any breach affecting their personal data.

4.4.7 GDPR Compliance

RewardLion endeavors to offer functionalities that assist customers in meeting and upholding their GDPR compliance obligations. Kindly consult our GDPR page for further details. It's important to note that utilizing the RewardLion product alone does not guarantee GDPR compliance.

4.4.8 This Document

This document serves as a reference for our customers and is not designed to establish a binding contractual agreement between RewardLion and any parties, nor does it modify existing agreements between the parties. RewardLion is consistently enhancing the safeguards we have in place; therefore, our procedures may undergo changes over time.

4.4.9 Contact Us

RewardLion welcomes your questions or comments regarding this document. If you have any inquiry or request, please contact us through:

Global Digital Business Solution

• 333 Las Olas Way # Cu-1, suit 1 Fort Lauderdale, Florida 33301
• Email Address: [email protected]
• Telephone number: 1(800)-876-8984
• Updated as of February 2024