
Security

Rewardez treats security as a foundational product feature, not a checkbox. Here is how we approach it.

Last updated: January 2026

Certifications and compliance

Rewardez is SOC 2 Type II certified, ISO/IEC 27001:2022 certified, and GDPR & DPDP compliant. Audit reports are available under NDA to current and prospective customers.

Encryption

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Encryption keys are managed through our cloud provider's managed key service with automated rotation.

Access controls

Production access is restricted to a small set of engineers under role-based access controls. All access is logged, time-bound, and reviewed quarterly. Multi-factor authentication is enforced across all internal systems.

Application security

We run a continuous application security program — including static and dynamic analysis on every build, third-party penetration testing twice a year, and a public bug bounty program for responsible disclosure.

Business continuity

Production data is replicated across availability zones with automated backups retained for 30 days. We test recovery procedures quarterly. Our RPO is 15 minutes; our RTO is 4 hours.

Reporting an issue

Please report security concerns to security@rewardez.com. PGP key available on request.