|Reliability||SwipedOn works in Offline mode. In the unlikely event of a server outage, all data is queued and transferred to our servers on re-connection.
Our Cloud-based platform is engineered for redundancy and availability. Our platform uses load balancing techniques to auto-scale when demand is high.
|Passwords||User accounts and passwords are securely managed by AWS Cognito. Passwords are hashed using the Bcrypt hashing function. Individual users can only reset their own password.
All SwipedOn staff are required to use a password vault manager. Staff are required to use 2-Factor authentication where available.
|Network and application security|
|Data Hosting||As a Cloud service, we do not host any servers ourselves. We outsource this task to Amazon Web Services (AWS). You can view AWS security information.
Our servers are located in the AWS region selected by a customer when an account is created. The region can be one of: the United States of America (Ohio); Great Britain (London); Singapore; Australia (Sydney); Canada; or EU (Frankfurt).
The servers we use at AWS are Multi-Tenant. AWS have strict controls to prevent one tenant from accessing another tenant's data. All of our servers are within our own virtual private cloud (VPC) with network access controls.
|Backups||Our database is backed up daily for recovery purposes using AWS RDS.|
|Data Storage||We use AWS Simple Storage Service (S3) for storage. Data at rest is encrypted using AWS-provided encryption.|
|Encryption & Sessions||Our web application (https://secure.swipedon.com) is only accessed via HTTPS and the entire HTTPS web application framework is protected with SSL certification.
Sessions are authenticated with a 23-character security token.
Each iPad has a 6-character randomly generated unique Device Identifier. iPad sessions are authenticated using a security token which is randomly re-activated after a set period of time.
All network traffic is encrypted both inside and outside our network.
|Additional security measures|
ISO 27001 is the only auditable international standard that describes best practices for an ISMS (information security management system). ISO 27001 certification provides independent proof that our ISMS practices and procedures are safe and relevant.
Achieving accredited certification to ISO 27001 demonstrates that SwipedOn is following information security best practices and provides an independent, expert verification that information security is managed in line with international best practices and business objectives.
|SOC-2 certification||SwipedOn has successfully completed the AICPA Service Organization Control (SOC) 2 Type II audit. The audit confirms that SwipedOn Limited’s information security practices, policies, procedures, and operations meet the SOC 2 standards for security. SwipedOn Limited was audited by Prescient Assurance, a leader in security and compliance certifications for B2B, SaaS companies worldwide. Prescient Assurance is a registered public accounting firm in the US and Canada that provides risk management and assurance services, which include but are not limited to SOC 2, PCI, ISO, NIST, GDPR, CCPA, HIPAA and CSA STAR.|
|Additional security measures||
We do not store your Credit Card details. We outsource the processing of your payments to Stripe - a specialist, secure, PCI-compliant company. You can view their credentials here:
|Segregation of duties||SwipedOn staff do not have access to your data. The exception to this is when our Customer Support team or Engineers need to debug issues or configure your account. In such circumstances, we will only access your data with your express permission.|
|Training||All employees complete Security and Awareness training annually.
SwipedOn has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.
|Best practices||Our internal Data Protection Policy states that customer data is never to be stored on local machines.
Production and Staging logins are separated between Support and Engineering Teams, meaning Engineers are not able to access Production Data without making a specific request.