RewardLion Security and Compliance
1. Introduction
Crafted to address the diverse needs of industries and businesses, RewardLion is devoted to delivering holistic business solutions to firms spanning various sectors. Our core mission is to equip organizations with the essential tools to optimize operations, bolster communication, and foster sustainable growth.
Since its establishment, RewardLion has experienced remarkable growth, playing a pivotal role in advancing the technology and SaaS landscapes. At the heart of our achievements lies an unwavering commitment to our clients' success. We place utmost importance on comprehending their unique challenges and evolving needs, enabling us to continuously refine and elevate our offerings.
Powered by AI technology, our platform offers an array of integrated solutions, encompassing sales, marketing, and CRM functionalities meticulously crafted to streamline operations and enhance productivity across businesses of all sizes and sectors. With RewardLion, companies benefit from the adaptability to tailor the platform to suit their specific requirements, empowering them to realize their business objectives and efficiently scale their operations.
2. Security and Risk Focus
At RewardLion, the protection of our customers' data stands as our topmost priority. We have established a robust security framework meticulously crafted to safeguard sensitive information and mitigate potential risks effectively.
Our primary objective revolves around fostering trust and confidence among our clientele. To achieve this, RewardLion has made substantial investments in developing dedicated corporate, product, and infrastructure security programs. These initiatives are rigorously overseen by our Legal Team in collaboration with other departments, ensuring comprehensive coverage and strict adherence to industry standards.
Guided by the best practices prevalent in the SaaS industry, our security framework is anchored by the following key principles:
- Customer Trust and Protection: Upholding the sanctity of customer data and privacy remains paramount. We implement stringent measures to thwart unauthorized access and misuse, thereby fortifying customer trust.
- Availability and Continuity of Service: Ensuring seamless access to our services is of utmost importance. We deploy robust mechanisms to sustain service availability and resilience, mitigating the risks of disruptions.
- Information and Service Integrity: We staunchly uphold the integrity of both customer information and the services we provide. Our systems are engineered to prevent data tampering and unauthorized alterations, thus preserving data integrity at all times.
- Compliance with Standards: RewardLion remains steadfast in its commitment to adhering to industry standards and regulatory requisites. We vigilantly monitor regulatory changes and update our security protocols accordingly, ensuring continued compliance.
3. Security and Compliance Objectives
At RewardLion, our paramount objectives in security and compliance are twofold: first, to deliver unparalleled products and services while staunchly safeguarding the privacy and confidentiality of data; and second, to ensure seamless service availability while mitigating risks to continuity. Moreover, we are steadfast in our commitment to preserving the integrity of customer information, ensuring it remains uncorrupted and unaltered. Our overarching aim is not only to comply with but also to exceed industry standard best practices in all facets of security and compliance.
4. This DPA, Amendments, and Annexes
4.1 RewardLion Infrastructure Security Overview
4.1.1 Cloud Hosting Provider:
Ensuring the security of entrusted data lies at the heart of RewardLion's operations, manifesting in the deployment of robust security controls across administrative, technical, and physical spheres. We entrust the integrity of our infrastructure to industry-leading cloud providers, including Google Cloud Platform Services and Amazon Web Services (AWS), demonstrating our unwavering commitment to data protection.
Google and AWS maintain audited security and compliance programs, affirming the effectiveness of their physical, environmental, and infrastructure security controls. Google pledges a minimum monthly uptime percentage of 99.5%, providing transparent insights into controls, processes, and compliance measures through its Compliance Resource Center. Similarly, AWS assures service reliability between 99.95% and 100%, supported by independently validated business continuity and disaster recovery plans detailed in their SOC 2 Type 2 report and ISO 27001 certification. AWS's compliance documentation and audit reports are accessible via the AWS Cloud Compliance Page and the AWS Artifacts Portal.
4.1.2 Network and Perimeter Security:
RewardLion's product infrastructure employs sophisticated layered filtering and inspection mechanisms across web application connections, logical firewalls, and security groups to enforce stringent access controls. Network-level access control lists and default firewall configurations ensure unauthorized access is prevented, with periodic reviews to ensure only essential connections are permitted, all adhering to standard change control processes.
4.1.3 Configuration Management:
Automation drives RewardLion's infrastructure, enabling scalability and responsiveness to customer demands. Our highly automated environment embeds server configurations within images and configuration files, managed through a controlled change pipeline. From provisioning to deprovisioning, server instances undergo meticulous control, promptly identifying and rectifying deviations from configuration baselines. Patch management is conducted through automated configuration tools, maintaining compliance with expected baselines.
4.1.4 Logging:
Every action and event within the RewardLion application is meticulously logged, indexed, and stored in a centralized solution within our cloud environment. Security-relevant logs undergo retention based on data nature, with limited access to storage services granted exclusively to authorized personnel.
Through these steadfast measures, RewardLion upholds the integrity, availability, and security of our infrastructure, instilling trust and confidence among our valued clients and stakeholders.
4.1.5 Alerting and Monitoring
The RewardLion product infrastructure is equipped with sophisticated instrumentation, promptly alerting engineers and administrators to anomalies. Automatic responses or alerts are triggered for error rates, abuse scenarios, application attacks, and other irregularities, facilitating swift response, investigation, and correction. Automated triggers respond immediately to anomalous situations, implementing actions such as traffic throttling and process termination at predefined thresholds.
4.3 Customer Data Protection
RewardLion adheres to stringent protocols for safeguarding customer data, implementing robust measures for data classification, tenant separation, and encryption.
4.3.1 Data Classification
Customers are required to ensure that the data captured aligns with their marketing, sales, services, and operational processes, as outlined in RewardLion's Terms of Service. The platform should not be used to collect or store sensitive information such as financial details or personal identifiers unless permitted otherwise.
4.3.2 Tenant Separation
RewardLion operates on a multi-tenant SaaS model, logically segregating customer data using unique IDs. Authorization rules are integrated into the architecture, continuously validated to maintain data integrity. The platform logs authentication, application availability, and user access and changes for transparency and accountability.
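The tenant-separation model above (data keyed by a unique tenant ID, authorization rules built into the data layer, access logged, and the rule itself re-validated) is shown below as an added illustration in Python. This is not RewardLion's code; the store, record shape and log format are constructed for the example, and the point it makes is that the tenant ID is part of the lookup key rather than a filter a caller could forget.

```python
from dataclasses import dataclass, field
from typing import Optional


class TenantIsolationError(PermissionError):
    """Raised when a caller tries to write into a tenant other than its own."""


@dataclass
class Record:
    tenant_id: str   # the portal/tenant that owns the row
    record_id: str   # id of the contact, deal, etc. within that tenant
    data: dict


@dataclass
class TenantScopedStore:
    """In-memory stand-in for a multi-tenant table (illustrative, not RewardLion's)."""
    rows: dict = field(default_factory=dict)        # (tenant_id, record_id) -> Record
    access_log: list = field(default_factory=list)  # one entry per read/write attempt

    def put(self, caller_tenant: str, record: Record) -> None:
        # A write is only accepted into the caller's own tenant.
        if record.tenant_id != caller_tenant:
            self._log(caller_tenant, record.record_id, "write", allowed=False)
            raise TenantIsolationError("cross-tenant write denied")
        self.rows[(caller_tenant, record.record_id)] = record
        self._log(caller_tenant, record.record_id, "write", allowed=True)

    def get(self, caller_tenant: str, record_id: str) -> Optional[Record]:
        # The tenant is part of the lookup key, so a record owned by another
        # tenant is simply not found; the caller cannot tell whether it exists.
        row = self.rows.get((caller_tenant, record_id))
        # For monitoring only: note whether the same id exists under another tenant.
        cross_tenant = any(
            rid == record_id and tid != caller_tenant for (tid, rid) in self.rows
        )
        self._log(caller_tenant, record_id, "read", allowed=row is not None,
                  cross_tenant_attempt=cross_tenant and row is None)
        return row

    def validate_isolation(self) -> bool:
        """Periodic check: every row is keyed under the tenant it claims to belong to."""
        return all(tid == rec.tenant_id for (tid, _), rec in self.rows.items())

    def _log(self, tenant, record_id, action, allowed, cross_tenant_attempt=False):
        self.access_log.append({
            "tenant": tenant, "record_id": record_id, "action": action,
            "allowed": allowed, "cross_tenant_attempt": cross_tenant_attempt,
        })
```

A read from the wrong tenant returns nothing rather than an error, so the response does not reveal whether the ID exists elsewhere, while the log entry still records the cross-tenant attempt for review.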
4.3.3 Encryption
All data transmitted within the RewardLion platform is encrypted using TLS version 1.2 or 1.3 with 2,048-bit keys or higher. TLS is the default for customers hosting their websites on the platform. Stored data is encrypted using AES-256 encryption, with user passwords hashed and encrypted according to industry standards.
4.3.4 Key Management
Encryption keys for both in-transit and at-rest encryption are securely managed by RewardLion. TLS private keys for in-transit encryption are handled through a trusted content delivery partner, while volume and field-level encryption keys for at-rest encryption are stored in a hardened Key Management System (KMS). Keys undergo regular rotation based on data sensitivity, with TLS certificates renewed annually.
Through these measures, RewardLion ensures the confidentiality, integrity, and availability of customer data, maintaining the highest standards of security and compliance.
4.4 Data Backup and Disaster Recovery
4.4.1 RewardLion prioritizes minimizing system downtime and ensuring seamless operations even in adverse circumstances.
To achieve this goal:
- Redundancy and Distribution: All RewardLion product services are designed with redundancy in mind. Server infrastructure is strategically distributed across multiple distinct availability zones and virtual private cloud networks within our infrastructure providers. This distributed setup enhances resilience and minimizes the impact of potential failures.
- Point-in-Time Recovery: Web, application, and database components are deployed with point-in-time recovery mechanisms. This allows us to restore systems to specific points in time, ensuring data integrity and continuity of service in the event of unforeseen incidents.
4.4.2 Backups Strategy:
a. System Backup:
Regular backups are conducted according to predefined schedules and frequencies. We retain seven days' worth of backups for each database, facilitating seamless restoration when needed. The backup process is actively monitored to ensure successful execution, with alerts triggered for any exceptions. In the event of failures, alerts are escalated, investigated, and addressed promptly. Data is backed up daily to the local region, and we maintain monitoring and alerting mechanisms for replication failures, which are promptly addressed and managed.
b. Physical Backup Storage:
As RewardLion leverages public cloud services for hosting, backup, and recovery, it does not incorporate physical infrastructure or storage media within its products. Additionally, RewardLion typically does not utilize other forms of hard copy media, such as paper or tape, in delivering its products to customers.
c. Backup Protection:
By default, all backups within RewardLion are safeguarded through access control restrictions and write once read many (WORM) protections on its product infrastructure networks. Additionally, access control lists are implemented on the file systems that store the backup files, enhancing their security measures.
d. Data Backup Restoration:
RewardLion customers do not possess access to the product infrastructure in a manner that permits customer-driven failover events. Disaster recovery and resiliency operations are overseen by RewardLion product engineering teams. In certain instances, customers can utilize the recycle bin to directly recover and restore various elements such as contacts, opportunities, custom fields, custom values, tags, notes, and tasks within 30 days of deletion. Changes made to web pages, blog posts, or emails can be reverted to previous versions using version history. For customers desiring additional data backup, the RewardLion platform offers numerous methods to ensure data availability. Export options are embedded within many features of the RewardLion portal, and the RewardLion library of public APIs allows for data synchronization with other systems.
4.4.3 Identity and Access Control
a. Product User Management
RewardLion's products offer finely tuned authorization settings, providing customers with the ability to craft and oversee users within their portals. They can designate suitable privileges and regulate access according to their specific needs and preferences.
b. Product Login Protection
RewardLion's products enable users to access their accounts through the native RewardLion login system. This login method enforces a standardized password policy, mandating a minimum of 8 characters with a mix of uppercase and lowercase letters, special characters, and numbers. Users utilizing RewardLion's native login cannot alter the default password policy. Moreover, customers employing RewardLion's built-in login benefit from two-factor authentication for added security. Portal administrators have the option to mandate two-factor authentication for all users.
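The native-login password policy described above (minimum 8 characters with uppercase, lowercase, digits and special characters) and the storage of passwords as salted hashes are shown below as an added Python example. This is not RewardLion's code: the page does not define which characters count as "special" or which hashing algorithm is used, so the example assumes `string.punctuation` for the former and salted scrypt from the standard library for the latter.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8                            # from the policy described on the page
SPECIAL_CHARS = set(string.punctuation)   # assumption: page does not define "special"

# scrypt parameters (assumption: the page only says "industry standards")
SCRYPT_N, SCRYPT_R, SCRYPT_P, SALT_LEN, KEY_LEN = 2 ** 14, 8, 1, 16, 32


def password_policy_violations(password: str) -> list:
    """Return the rules the password fails; an empty list means it complies."""
    checks = [
        ("at least 8 characters", len(password) >= MIN_LENGTH),
        ("an uppercase letter", any(c.isupper() for c in password)),
        ("a lowercase letter", any(c.islower() for c in password)),
        ("a digit", any(c.isdigit() for c in password)),
        ("a special character", any(c in SPECIAL_CHARS for c in password)),
    ]
    return [rule for rule, ok in checks if not ok]


def hash_password(password: str, salt: bytes = None) -> bytes:
    """Salted scrypt hash; the random salt is stored in front of the digest."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return hmac.compare_digest(candidate, digest)


def set_password(password: str) -> bytes:
    """Registration/change flow: reject non-compliant passwords, otherwise return the stored form."""
    violations = password_policy_violations(password)
    if violations:
        raise ValueError("password policy not met: missing " + ", ".join(violations))
    return hash_password(password)
```

Returning the full list of failed rules lets the UI tell the user exactly what is missing, while `verify_password` never exposes the hash or short-circuits on the first differing byte.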
c. RewardLion Employees Access to Data
- Access to Production Infrastructure
User access to internal data stores and production infrastructure is strictly controlled. HighLevel employees are granted access using a role-based access control (RBAC) model. Day-to-day access is minimized to members of the Engineering team, and persistent administrative access is restricted. Additionally, direct network connections to product infrastructure devices over SSH or similar protocols are prohibited; engineers are required to authenticate first through a bastion host ("jump box") or to hold an IAM role assigned to the resource before accessing server environments.
- Access to Customer’s Portals
By default, certain personnel such as Customer Support and Services teams have limited access to specific sections of your RewardLion account to assist you with utilizing the platform effectively. Additionally, RewardLion employs a Just-In-Time Access (JITA) model to grant employees temporary access to a customer's portal for a restricted period (Portal JITA). Each Portal JITA request is meticulously logged, and access is restricted to a designated customer's portal for a maximum duration of 24 hours. To further enhance security, RewardLion employs risk-based monitoring to identify any unusual activity related to Portal JITA.
When utilizing Portal JITA to access a portal, RewardLion staff members are unable to perform high-risk actions such as:
- Altering domain or Single Sign-On (SSO) settings
- Exporting users or contacts
- Viewing, creating, deleting, or rotating private application keys
- Importing data into the CRM
- Deleting contacts, companies, deals, or tickets
All user logins, RewardLion employee access, security-related activities, and content interactions are diligently logged for monitoring and audit purposes.
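The Portal JITA model described above (a grant scoped to one customer portal, capped at 24 hours, every request logged, the listed high-risk actions blocked, and risk-based monitoring of the resulting activity) is shown below as an added Python example. This is not RewardLion's code: the action identifiers, the log format and the "repeated denials in a window" risk signal are constructed for the illustration; only the 24-hour cap and the categories of blocked actions come from the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_JITA_DURATION = timedelta(hours=24)   # limit stated on the page

# Actions the page lists as blocked under Portal JITA. The identifiers are
# illustrative; a real system would map its own permission names here.
HIGH_RISK_ACTIONS = frozenset({
    "update_domain_settings", "update_sso_settings",
    "export_users", "export_contacts",
    "view_private_app_keys", "create_private_app_key",
    "delete_private_app_key", "rotate_private_app_key",
    "import_crm_data",
    "delete_contacts", "delete_companies", "delete_deals", "delete_tickets",
})


@dataclass
class JitaGrant:
    employee: str
    portal_id: str      # the single customer portal the grant is scoped to
    granted_at: datetime
    expires_at: datetime
    reason: str


@dataclass
class JitaBroker:
    """Issues time-boxed grants and records every request and action (illustrative)."""
    audit_log: list = field(default_factory=list)

    def request_grant(self, employee, portal_id, reason, duration, now=None) -> JitaGrant:
        now = now or datetime.now(timezone.utc)
        if not (timedelta(0) < duration <= MAX_JITA_DURATION):
            self._log(now, "grant_denied", employee, portal_id, reason="duration_out_of_range")
            raise ValueError("JITA duration must be more than 0 and at most 24 hours")
        grant = JitaGrant(employee, portal_id, now, now + duration, reason)
        self._log(now, "grant_issued", employee, portal_id, reason=reason)
        return grant

    def authorize(self, grant, portal_id, action, now=None) -> bool:
        """Decide one action under a grant; every decision is logged."""
        now = now or datetime.now(timezone.utc)
        if now >= grant.expires_at:
            denial = "grant_expired"
        elif portal_id != grant.portal_id:
            denial = "outside_granted_portal"
        elif action in HIGH_RISK_ACTIONS:
            denial = "high_risk_action"
        else:
            denial = None
        self._log(now, "action", grant.employee, portal_id, action=action,
                  allowed=denial is None, reason=denial)
        return denial is None

    def unusual_activity(self, employee, now=None, window=timedelta(hours=1), threshold=3) -> bool:
        """Simplified risk signal (assumption): repeated denials for one employee in a window."""
        now = now or datetime.now(timezone.utc)
        denials = [
            e for e in self.audit_log
            if e["employee"] == employee and e["event"] == "action"
            and not e["allowed"] and timedelta(0) <= now - e["at"] <= window
        ]
        return len(denials) >= threshold

    def _log(self, at, event, employee, portal_id, action=None, allowed=None, reason=None):
        self.audit_log.append({"at": at, "event": event, "employee": employee,
                               "portal_id": portal_id, "action": action,
                               "allowed": allowed, "reason": reason})
```

Because every decision, including denials, lands in the same log with a reason code, the monitoring step can be a simple query over that log rather than a separate data source.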
d. Corporate Authentication and Authorization
Access to the RewardLion company network is secured with Multi-Factor Authentication (MFA), ensuring an additional layer of protection beyond passwords. Our password policies adhere to industry best practices concerning required length, complexity, and rotation frequency. Certain administrative account passwords are managed using password vaults, and access to these vaults is carefully controlled through Role-Based Access Control or the Just-In-Time Access (JITA) process. We have developed an extensive support system to streamline and automate our security management and compliance activities.
In addition to numerous other responsibilities, we meticulously manage permission grants, oversee employee events, ensure timely access revocations, maintain comprehensive change logs, and preserve compliance evidence. Employee access and permissions to critical internal systems undergo manual review semi-annually to confirm that granted access aligns with job functions.
4.4.4 Corporate Security
a. Background Checks
RewardLion employees undergo a third-party background check before receiving formal employment offers. Reference verification is conducted at the discretion of the hiring manager. Upon joining the company, all employees are required to review and acknowledge RewardLion's Employee Handbook and Code of Conduct. These documents outline employees' security responsibilities in safeguarding company assets and data.
b. Policy Management
In order to ensure uniformity among employees in protecting data, RewardLion documents and maintains written policies and procedures. Specifically, RewardLion upholds a core Written Information Security Policy covering various topics including data handling requirements, privacy considerations, and disciplinary actions for policy violations. These policies undergo annual review and approval to ensure relevance and compliance.
c. Security Training
RewardLion mandates CyberSafety training for all new employees upon commencement of their employment. Additionally, this training is made available annually to ensure continuous awareness and education. The curriculum includes modules on phishing awareness and other pertinent cybersecurity topics.
d. Vendor Management
RewardLion collaborates with third-party service providers to facilitate product development and internal operations. To uphold security and privacy standards, we enforce stringent requirements within our contractual agreements with these vendors. Additionally, we maintain an up-to-date list of our sub-processors, subject to periodic revisions, as outlined in our Data Processing Agreement.
e. Endpoint Protection
RewardLion centrally manages company-issued laptops, which are configured to maintain full disk encryption. Additionally, we employ a Mobile Device Management solution, offering IT administrators a centralized platform to oversee and regulate mobile devices within the organization. This includes configuring device settings, enforcing security policies, deploying applications, and ensuring adherence to corporate standards.
4.4.5 Compliance
For comprehensive insights into how data is processed and the underlying purposes, we encourage reviewing our Terms of Service and Privacy Policy. It's important to note that while RewardLion customers have the option to settle payments using credit cards, we do not retain, process, or gather credit card details provided by customers. Additionally, RewardLion is not PCI-DSS compliant. To ensure secure payment transactions, we partner with PCI-compliant payment card processors.
4.4.6 Privacy
In adherence to our Privacy Policy, we uphold a firm commitment not to trade or sell your personal data to any third parties. Our stringent safeguards, detailed in this document and throughout our operations, are purposefully designed to uphold the confidentiality and integrity of your information.
a. Data Retention Policy
At RewardLion, your data is securely stored as long as you're an active customer. Upon account closure, you can request specific data deletion, which we promptly process in compliance with privacy laws. While we retain certain data for security and legal purposes, we ensure its protection and limit retention to essential needs. We do not currently offer customized data retention options, but we regularly update our policies to meet evolving privacy standards.
b. Privacy Program Oversight:
At RewardLion, our Legal Team works closely with our engineering and product development units to uphold a robust privacy program. Detailed information regarding our dedication to safeguarding your data is outlined in our Privacy Policy and Data Processing Agreement.
c. Breach Notification:
RewardLion adheres to legal requirements concerning data breaches and will promptly notify customers in the event of any breach affecting their personal data.
4.4.7 GDPR Compliance
RewardLion endeavors to offer functionalities that assist customers in meeting and upholding their GDPR compliance obligations. Kindly consult our GDPR page for further details. It's important to note that utilizing the RewardLion product alone does not guarantee GDPR compliance.
4.4.8 This Document
This document serves as a reference for our customers and is not designed to establish a binding contractual agreement between RewardLion and any parties, nor does it modify existing agreements between the parties. RewardLion is consistently enhancing the safeguards we have in place; therefore, our procedures may undergo changes over time.
4.4.9 Contact Us
RewardLion welcomes your questions or comments regarding this document. If you have any inquiry or request, please contact us through:
Global Digital Business Solution
- 333 Las Olas Way, # Cu-1, Suite 1, Fort Lauderdale, Florida 33301
- Email Address: [email protected]
- Telephone number: 1(800)-876-8984
- Updated as of February 2024