How we look after your data
At SwipedOn, security is a priority!
We understand that the protection and security of our customer data is our most important responsibility. Thousands of companies around the world trust SwipedOn to treat their data with the respect it deserves. We do not take that responsibility lightly, and we're constantly improving our security procedures across the business.
We keep a close eye on the latest data regulations and, in particular, the EU General Data Protection Regulation (GDPR). You can find out more on how to use SwipedOn with the GDPR here.
As a Cloud service, we do not host any servers ourselves. We outsource this task to Amazon Web Services (AWS). You can view AWS security information here.
Our servers are located in the AWS region selected by a customer when an account is created. These regions can be one of the following: United States of America (Ohio); Great Britain (London); Singapore; Australia (Sydney); Canada; or EU (Frankfurt).
The servers we use at AWS are Multi-Tenant. AWS have strict controls to prevent one tenant from accessing another tenant's data.
All of our servers are within our own virtual private cloud (VPC) with network access controls.
Our database is continuously versioned for recovery purposes using AWS RDS.
We use AWS Simple Storage Service (S3).
We use S3 for:
Signed visitor agreements
Our web application (https://secure.swipedon.com) is only accessed via HTTPS, and the entire HTTPS web application framework is protected with SSL certification.
Sessions are authenticated using JSON Web Tokens (JWT) provided by the AWS Cognito service.
Each device has a 6-character randomly generated unique Device Identifier. Device sessions are authenticated using a security token which is randomly re-activated after a set period of time.
All user passwords are hashed and stored using AWS Cognito. Passwords can only be changed and not retrieved. Our Customer Support staff follows strict policies for the resetting of client passwords and has no ability to retrieve the passwords or hashes of passwords.
All SwipedOn staff are required to use the password vault manager 1Password. Staff are required to use 2-Factor authentication where available.
We do not store your credit card details. We outsource the processing of your payments to specialist, secure, PCI-compliant companies: Stripe and Windcave.
You can view their credentials here:
Windcave Compliance and Certificates
Segregation of duties
SwipedOn staff do not have access to your data. The exception to this is when our Customer Support team or Engineers need to debug issues or configure your account. In such circumstances, we will only access your data with your express permission.
Our internal Data Protection Policy states that customer data is never to be stored on local machines.
Production and Staging logins are separated between Support and Engineering Teams, meaning Engineers are not able to access Production Data without making a specific request.
SwipedOn works in Offline mode. In the unlikely event of a server outage, all data is queued and transferred to our servers on re-connection. This is perfect for making use of our Evacuation Management feature.
Our Cloud-based platform is engineered for redundancy and availability.
Our platform uses load balancing techniques to auto-scale when demand is high.