Highly secure infrastructure. Compliance. Real-time security monitoring. Global.
Data controls and information security are at the center of everything we do at ADR. Sharing how we store, process, and secure our services is essential to us and to the organizations we serve. We keep our customers’ information available, confidential, and unaltered by partnering with some of the best service providers globally. Below are answers to general inquiries about our security and compliance measures. For more detailed information you can request a copy of our whitepaper, Reward Management Services: Security, at compliance@alldigitalrewards.com.
ADR runs on Google Cloud. Google was one of 18 providers selected by NIST (National Institute of Standards and Technology) to demonstrate zero-trust security architectures as part of its guidance for agencies and industry. ADR is a SaaS platform that is 100% cloud-based on Google Cloud: ADR does not operate its own physical servers, routers, load balancers, or DNS servers. All ADR servers sit inside a VPC (virtual private cloud) with network ACLs (access control lists) that prevent unauthorized requests from reaching the internal network. Role-based access control (RBAC) ensures that only employees who need access to customer data have it.
ADR products run on world-class infrastructure hosted in Google data centers. Google data centers provide state-of-the-art fire suppression, redundant utilities, 24/7 physical security, and biometric access controls that keep our customers’ data secure and safe. Google is a leader in cloud technology and continually reviews and refines its procedures to comply with the latest security standards.
ADR provides a Report on Controls at a Service Organization Relevant to Security (a SOC 2 report) for review. To request a copy, contact compliance@alldigitalrewards.com. The report is written for a broad range of users who need information and assurance about the controls relevant to the security of the systems ADR uses to process users’ data and to the privacy and confidentiality of the information processed within those systems. Such reports can play an essential role in:
• Regulatory oversight
• Vendor management programs
• Oversight of the organization
• Internal corporate governance
• Risk management processes
ADR is headquartered in the U.S. and processes all personal data in the United States. ADR complies with the framework set forth by the U.S. Department of Commerce under the EU-U.S. and Swiss-U.S. Privacy Shield regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. Note that the Court of Justice of the EU invalidated Privacy Shield as a lawful transfer mechanism for EU personal data in July 2020 (Schrems II); transfers that relied on it have since moved to Standard Contractual Clauses or, from 2023, the EU-U.S. Data Privacy Framework.
ADR is CCPA compliant. Please see the ADR privacy policy for a fuller description of how we control and process personal data.
If a security issue pertains to ADR Technologies, please report it to us confidentially by emailing security@alldigitalrewards.com, including as much information as possible on reproducing the issue. A member of the ADR security team will promptly confirm receipt of your report. Please allow the ADR team reasonable time to evaluate it. ADR follows responsible disclosure once a security issue has been identified and mitigated.
ADR protects communications between its systems and you, and takes multiple steps to prevent data leakage within its infrastructure. All network traffic runs over HTTPS (TLS), and internal assets are isolated by strict filtering policies that allow only the communication our programs require; by default, systems deny all other access unless it is explicitly allowed.
We do not rest on our laurels: when we see something, we react and remedy it. We monitor our systems for interruptions and breaches, and we are invested in being able to detect and respond to incidents and security events that affect our infrastructure. When an incident occurs, Security Operations at ADR:
• Responds immediately, following established best practices
• Communicates with all appropriate parties
• Conducts a root cause analysis
• Executes corrective actions
• Cycles lessons learned back to the appropriate internal teams
We constantly update our systems to protect your data. Our virtual systems are replaced regularly with new, patched ones. System configuration and consistency are maintained through configuration management, up-to-date images, and continuous deployment: on a scheduled cadence, existing systems are decommissioned and replaced by instances built from current images.
Only users who need access receive system access. Production access is limited to key members of the ADR Operations team and client-approved users. Password authentication to production systems is expressly forbidden; at a minimum, access requires two factors: an asymmetric RSA public/private key pair and a certificate-based VPN connection that itself requires multi-factor authentication.
We welcome oversight. We design our services and processes with security in mind. ADR regularly conducts vulnerability tests to identify and remediate potential weaknesses. Expert third-party vendors conduct periodic penetration tests and web application security assessments to review our applications and services for potential risk. Tests can include white-box and black-box testing and static code analysis.
We continually monitor for misuse and anomalous behavior. Logging is used extensively for investigating issues and troubleshooting applications; logs are streamed in real time over secure channels to a centralized logging service, so development and operations teams can view them without accessing production systems. We collect everything from application logs to Google Cloud logs to form a complete audit trail of employee and user activity.
We prevent single points of failure. Even if one system is breached or goes down, the rest of our services stay up and secure. We segment services logically and follow best practices, such as running application services on dedicated instances. TLS secures all login pages over external and internal networks, and only certificates signed by well-known Certificate Authorities (CAs) are accepted. All business-related communications are encrypted at rest and in transit. ADR customer application passwords are salted and hashed at rest; they cannot be recovered from storage, so a lost password must be reset, even by staff.
ADR uses TLS for all data in transit. Data at rest is encrypted with AES-256 on the servers hosting ADR’s Google Cloud database instances.
Data Protection, Continuity and Retention
We test and back up our systems, just in case. Production data is mirrored to remote systems and backed up automatically on a regular schedule, following best practices. Replicating production databases avoids single points of failure. We periodically test recovery procedures by restoring from backup and simulating recovery of a production database. Backup retention varies by function and business impact.
Protecting our systems protects your data. ADR offices are protected by network firewalls from well-known security vendors and by secure keycard access. Collaboration tools such as document shares, email, and calendars require two-factor authentication to mitigate phishing. Critical infrastructure passwords are accessible only to a handful of individuals in the organization and are locked in a virtual vault protected with AES-256 encryption.
Security awareness training is delivered to all employees and contractors, and we continually publicize security alerts through our internal communication channels. ADR requires all employees and contractors to sign a confidentiality agreement before commencing employment or providing services.
ADR is SOC 2 compliant, with controls that ensure data and payments are processed safely, securely, and in compliance. Using cloud-based server infrastructure, current security methodology, and independently audited process controls, ADR processes data quickly and efficiently at any volume, anywhere in the world.
The ADR platform and its policies ensure all payment processing is controlled by strict adherence to global anti-money laundering (AML) and know your customer (KYC) regulations. By collecting the required PII and company data and applying real-time KYC checks together with identity-level payment and velocity restrictions, ADR helps organizations maintain compliance.
ADR works only with fully MTL-licensed (money transmitter license) infrastructure to comply with U.S. and non-U.S. payment regulations. These regulatory requirements ensure payments move between designated individuals and companies securely and in a controlled manner. Real-time data and payment restrictions provide identity tracking and assurance over funds managed and held by ADR and its vendors.
ADR is PCI DSS compliant, ensuring card processing is managed safely and securely. Real-time KYC identity tracking provides assurance, and payment restrictions are in place for funds managed and held by ADR.
ADR adheres to the data protection requirements set out in the GDPR, giving data subjects control of their personal data and processing all data using secure protocols.
ADR complies with the Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, a series of regulatory standards that outline the lawful use and disclosure of protected health information.
ADR is certified with the HITRUST CSF (Common Security Framework), a comprehensive framework that addresses information security and privacy risks in the healthcare industry. By adhering to HITRUST CSF, ADR demonstrates its commitment to protecting sensitive data, ensuring regulatory compliance, and implementing robust security controls and practices.
If you have any questions about our security, feel free to reach out to our security team at security@alldigitalrewards.com.