Question 1

What compliance certifications does Loyalife hold?

Accepted Answer

Loyalife is certified against PCI-DSS, SOC 2 Type II, and ISO 27001, with GDPR, CCPA, and India DPDP alignment, and is HIPAA-ready for healthcare loyalty contexts. The SOC 2 Type II report and ISO 27001 certificate are shared under NDA. We respond to security questionnaires - CAIQ, SIG, or custom - within five business days.

Question 2

How does fraud detection work on the platform?

Accepted Answer

An ML-based risk-scoring engine evaluates accrual, redemption, and product-specific activity against velocity thresholds you configure per program. Flagged accruals are held in a holdback queue for manual approval before points post to a member balance. Redemptions are alert-only and non-blocking by design, so a legitimate member is never stopped at the moment of redemption - your team reviews flags with reason-coded context instead. A daily email digest surfaces points mismatches and suspected misuse to operations.

Question 3

How does Maker/Checker dual-control work?

Accepted Answer

Sensitive actions - manual points, user management, rule-engine changes, campaigns, tiers, point definitions, suspensions, attribute management, and report uploads - move through a three-role model: a Maker proposes, a Checker reviews, and an Approver authorizes. Dual-control spans 10+ business modules and is paired with a multi-tier Delegation-of-Authority hierarchy for separation of duties. Once enabled for a module it is irreversible, so no single operator can act unilaterally on production.

Question 4

What does the audit trail capture, and can we export it?

Accepted Answer

Every admin action, role change, rule configuration, and file upload is logged with five fields: timestamp, user email, channel, browser, and IP address. The trail also tracks failures - repeated login failures, password-reset requests, and locked accounts - and supports compliance search across audit data to surface out-of-compliance events for auditor requests. The full Maker/Checker report tracks created, pending, approved, and rejected items with who, when, status, and reason. Logs and approval reports export as PDF or CSV with date-range filtering for your auditors and SIEM. PII is stripped from audit logs.

Question 5

How granular is access control (RBAC)?

Accepted Answer

Role-Based Access Control spans 10+ modules with tiered View / Edit / Create permissions, plus custom role creation and a multi-tier Delegation-of-Authority hierarchy for separation of duties. User-lifecycle controls cover lock/unlock, deactivate, and archive/unarchive - archived users lose access while their historical data is retained for audit. Member access supports two-tier blocking, Login Blocked and Membership Blocked, applied independently.

Question 6

What are your password, login, and 2FA controls?

Accepted Answer

Reset links expire in 24 hours, the last 4 passwords cannot be reused, and an account locks for 24 hours after 6 failed attempts. A configurable 30-day inactivity reset and a 6-digit CAPTCHA defend against automated abuse. Email-based one-time-password (OTP) 2FA - with expiration timers and configurable attempt limits - and LDAP authentication are supported, and password resets run through a secure email link.

Question 7

How is member PII protected?

Accepted Answer

Sensitive member attributes are encrypted at rest, PII is stripped from audit logs, and data export is gated behind dual permission (personal-information access plus report-creation rights). The PII export control is a one-way, irreversible toggle: once you lock export off for a program, it cannot be turned back on - a deliberate safeguard so customer data cannot be quietly re-exposed. Application session data is held in non-persistent session cookies rather than persistent cookies.

Question 8

What security tooling sits in front of the platform?

Accepted Answer

A web application firewall running the OWASP Core Rule Set blocks XSS and SQL-injection at the edge, alongside DDoS protection, bot detection, selective IP blocking, and rate limiting. Security events stream into Elasticsearch and can integrate with your own SIEM. File Integrity Monitoring, active patch management, anti-malware, and intrusion prevention guard the runtime. We run annual VAPT plus code and dependency analysis, and every container image is scanned in CI/CD before it ships. The SaaS runs inside a private VPC with all servers in private subnets; infrastructure access is only via VPN and a jumphost, both MFA-enabled.

Question 9

Are you HIPAA-compliant?

Accepted Answer

Loyalife is HIPAA-ready and we will execute a BAA for healthcare contexts. We do not store PHI by default - for healthcare loyalty programs we work with you to architect data flows so the loyalty platform never touches PHI.

Clear the security review, stop insider fraud, and protect the loyalty balance sheet

Approve the platform without taking our word for it

PCI-DSS

SOC 2 Type II

ISO 27001

One failed control never becomes a breach

Data in transit

Data at rest

Password hashing

System secrets

Log redaction & sessions

Key custody

A single breached control never reaches your members' points

Catch abuse before it hits the balance, without blocking real members

The controls stay honest long after the audit

SIEM & centralized logging

File Integrity Monitoring

Patch & malware defense

Tested & secure delivery

No single employee can move points alone, so insider fraud never starts

What security teams ask first

Send us the questionnaire. We'll send back the answers