Security & Compliance

Highly secure infrastructure. Compliance. Real-time security monitoring. Global.

Data controls and information security are at the center of everything we do at ADR. Sharing how we store, process, and secure our services is essential to us and to the organizations we serve. We keep our customers' information available, confidential, and unaltered by partnering with some of the best service providers globally. Below are answers to general inquiries about our security and compliance measures. For more detailed information, you can request a copy of our whitepaper, Reward Management Services: Security, at compliance@alldigitalrewards.com.

Security

Hosted Customer Data

ADR hosts on Google Cloud Services, one of the 18 providers selected by NIST (the National Institute of Standards and Technology) to demonstrate zero-trust security architectures as part of its guidance for agencies and industry. We are a SaaS platform that is 100% cloud-based on Google Cloud Services: ADR does not operate its own physical servers, routers, load balancers, or DNS servers. All ADR servers sit within a VPC (virtual private cloud) with network ACLs (access control lists) that prevent unauthorized requests from reaching our internal network. Role-based access control (RBAC) ensures that only employees who need access to customer data have it.

Hosting Facilities

ADR products run on world-class infrastructure hosted in Google data centers. Google data centers provide state-of-the-art fire suppression, redundant utilities, 24/7 physical security, and biometric access devices, keeping our customers' data secure and safe. Google continually reviews and refines its procedures to comply with the latest security standards.

Security Controls Report

ADR makes a report on Controls at a Service Organization Relevant to Security available for review; to request a copy, contact compliance@alldigitalrewards.com. The report is designed to meet the needs of a broad range of users who need information and assurance about the controls relevant to the security of the systems ADR uses to process users' data, and to the privacy and confidentiality of the information processed within those systems. These reports can play an essential role in:

• Regulatory oversight
• Vendor management programs
• Oversight of the organization
• Internal corporate governance
• Risk management processes

GDPR and CCPA

ADR is headquartered in the U.S. and processes all personal data in the United States. ADR complies with the framework set forth by the U.S. Department of Commerce for the EU-U.S. and Swiss-U.S. Privacy Shield regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. Note that the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield as a lawful transfer mechanism in July 2020 (the Schrems II decision); customers transferring EU personal data should confirm with ADR which mechanism (for example, Standard Contractual Clauses or the EU-U.S. Data Privacy Framework) currently covers the transfer.

ADR is CCPA compliant. Please see the ADR privacy policy to understand better how we control and process personal data.

Reporting a Potential Security Issue

If a security issue pertains to ADR Technologies, please report it to us confidentially by emailing security@alldigitalrewards.com, with as much information as possible on how to reproduce the issue. A member of the ADR security team will respond promptly to confirm receipt of your report. Please allow the ADR team reasonable time to evaluate it. ADR follows responsible disclosure practices once a security issue has been identified and mitigated.

Network Security

At ADR, we protect communications between our systems and you, and we take multiple steps to prevent data leakage between you and our systems and within our infrastructure. All network traffic runs over HTTPS (TLS), and our internal assets are isolated by strict filtering policies that allow only the communication our services require. Systems deny all other access by default unless it is explicitly allowed.
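As an added example (not ADR's actual policy or code), the following Python models the default-deny filtering described above: a request between internal tiers is allowed only when an explicit rule matches, and everything else is denied. The tiers, CIDR ranges and ports are constructed for illustration; the block also includes the check a reviewer would want, flagging any rule whose source range would silently turn the allow-list into "open to the internet".

```python
"""Default-deny filtering model. Added example; the rules and requests
below are constructed for illustration and are not ADR's policy."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowRule:
    name: str
    source: str   # CIDR of permitted callers
    dest: str     # CIDR of the protected service
    port: int     # destination port
    proto: str    # "tcp" or "udp"


# Constructed allow-list: web tier -> app tier on 8443/tcp only,
# app tier -> database on 5432/tcp only. Nothing else is listed.
ALLOW_RULES = (
    AllowRule("web-to-app", "10.0.1.0/24", "10.0.2.0/24", 8443, "tcp"),
    AllowRule("app-to-db", "10.0.2.0/24", "10.0.3.0/24", 5432, "tcp"),
)


def evaluate(src_ip, dst_ip, port, proto, rules=ALLOW_RULES):
    """Return ("allow", rule_name) for the first matching rule, otherwise
    ("deny", "default-deny"). There is no deny rule to forget: anything
    not explicitly listed never reaches the service."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in ipaddress.ip_network(rule.source)
                and dst in ipaddress.ip_network(rule.dest)
                and port == rule.port
                and proto == rule.proto):
            return "allow", rule.name
    return "deny", "default-deny"


def overbroad_rules(rules=ALLOW_RULES):
    """Names of rules whose source covers every address (0.0.0.0/0 or ::/0).
    One such rule undoes the allow-list for that destination and port."""
    return [r.name for r in rules
            if ipaddress.ip_network(r.source).prefixlen == 0]
```

The useful property is in the last line of evaluate: a new service, port or tier that nobody wrote a rule for is unreachable until someone deliberately adds one, which is the "deny unless explicitly allowed" posture stated above.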

Security Operations

We're not resting on our laurels. If we see something, we react and remedy the issue. We monitor our systems for interruptions and breaches, and we are invested in ensuring we can detect and respond to incidents and security events that affect our infrastructure. Security Operations at ADR provides:

• Immediate response following established best practices
• Communication to all appropriate parties
• Root cause analysis
• Corrective actions
• Lessons learned fed back to the appropriate internal teams

System Security

We're constantly updating our systems to protect your data. Our virtual systems are replaced regularly with new, patched systems. System configuration and consistency are maintained using configuration management, up-to-date images, and continuous deployment: on a consistent schedule, existing systems are decommissioned and replaced by up-to-date images.

Restricted Access

Only users who need access receive system access. Production access is limited to key members of the ADR Operations team and client-approved users. Password authentication to production systems is expressly forbidden; at a minimum, access requires two factors: an asymmetric RSA public/private key pair and a certificate-based, multifactor VPN connection.
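The key-only access rule above is the kind of setting that drifts over time. As an added example (not ADR's tooling), this Python checker reads an sshd_config and reports any password-based login left enabled; the sample configuration text is constructed. It models a detail that bites in practice: sshd honours the first value set for a keyword, so a PasswordAuthentication no appended after an earlier PasswordAuthentication yes changes nothing. On the host itself, sshd -T is the authoritative view of the effective configuration; this script is for reviewing configs offline.

```python
"""Audit an sshd_config for password-based access left enabled. Added
example, not ADR's tooling; the sample configs are constructed. sshd
applies the FIRST value it reads for each keyword, so a hardening line
appended at the end of the file does not override an earlier permissive
one, and this checker models exactly that."""

# Settings expected on a key-only production host.
REQUIRED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "no",   # keyboard-interactive can still carry passwords
    "permitemptypasswords": "no",
    "permitrootlogin": "no",
}

# sshd defaults for keywords that are never set (OpenSSH 7.0 and later).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
}

# Older name for the same keyword, still accepted by sshd.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return {keyword: effective value}, keeping the first value seen.
    Everything from a Match line to end of file is conditional and is
    skipped here; review Match blocks separately. Include files are
    not followed."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split(None, 1)[0]:        # "Key=value" form
            line = line.replace("=", " ", 1)
        parts = line.split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().lstrip("=").strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)         # first value wins, as in sshd
    return effective


def audit(text, required=REQUIRED):
    """Return [(keyword, effective value)] for every setting that deviates
    from REQUIRED, falling back to the sshd default when it is unset."""
    effective = parse_sshd_config(text)
    findings = []
    for key, wanted in required.items():
        actual = effective.get(key, DEFAULTS.get(key, "<unset>"))
        if actual != wanted:
            findings.append((key, actual))
    return findings


# Constructed: the permissive line comes first, so the "fix" appended
# below never takes effect and password logins remain enabled.
BAD_CONFIG = """
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin no
# appended later by a hardening script: ignored by sshd
PasswordAuthentication no
"""

# Constructed: the same settings with the hardened values first.
GOOD_CONFIG = """
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
"""
```

Running audit(BAD_CONFIG) reports passwordauthentication as yes even though the file ends with PasswordAuthentication no, while audit(GOOD_CONFIG) returns no findings. The same first-match behaviour is why hardening fragments belong at the top of sshd_config or in an early Include, not appended at the bottom.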

Third-Party Assessments

We welcome oversight. We design our services and processes with security in mind. ADR regularly conducts vulnerability tests to identify and remediate potential weaknesses. Expert third-party vendors conduct periodic penetration and web application security assessments to review our applications and services for potential risk. Tests can include white and black box testing and static code analysis when searching for vulnerabilities.

Logging

We continually monitor for misuse and operational problems. Logging is used extensively for investigating issues and troubleshooting applications; logs are streamed in real time over secure channels to a centralized logging service, so development and operations teams can view them without accessing the production systems. We collect everything from application logs to Google Cloud Services logs to form a complete audit trail of employee and user activity.

Application Level Security

We avoid single points of failure: even if one system is breached or goes down, the rest of our services stay up and secure. We segment services logically and follow best practices such as running application services on dedicated instances. TLS secures all login pages over both external and internal networks, and only certificates signed by well-known Certificate Authorities (CAs) are accepted. All business-related communications are encrypted at rest and in transit. ADR customer application passwords are stored as salted hashes at rest; they cannot be recovered, even by staff, so a lost password can only be reset.

Encryption

ADR uses TLS encryption for all data in transit. Data at rest is encrypted with AES-256 on the servers that host our Google Cloud Services database instances.

Data Protection, Continuity and Retention

We test and back up our systems, just in case. Production data is mirrored to remote systems following best practices and is backed up automatically on a regular schedule. Replicating production databases lets us avoid single points of failure. We periodically test recovery procedures by restoring from backup and simulating recovery of a production database. Backup retention varies by function and business impact.

Internal IT Security

Protecting our systems protects your data. ADR offices are protected by network firewalls from well-known security vendors and by secure keycard access. Collaborative tools such as document shares, email, and calendars require two-factor authentication to mitigate phishing attacks. Critical infrastructure passwords are accessible to only a handful of individuals in the organization and are locked in a virtual vault protected with AES-256 encryption.

Awareness and Training

Security awareness training is delivered to all employees and contractors, and we continually publicize security alerts through our internal communication channels. ADR requires all employees and contractors to sign a confidentiality agreement before commencement of employment or providing services.

Compliance

SOC 2 Compliance

ADR is SOC 2 compliant, with significant security and controls to ensure that data and payments are processed safely, securely, and within compliance. Using cloud-based server infrastructure, current security methodology, and an independently audited process control, we provide quick and efficient data-processing controls regardless of transaction count or volume, anywhere in the world.

KYC and AML Compliance

The ADR platform and policies ensure that all payment processing is controlled by strictly adhering to global anti-money laundering (AML) and know your customer (KYC) regulations. By collecting the required PII and company data and applying real-time KYC checks and identity-level payment and velocity restrictions, we help organizations maintain compliance at all times.

Money Transmitter Compliance

ADR works only with fully MTL-licensed (money transmitter license) infrastructure to comply with U.S. and non-U.S. payment regulations. These regulatory requirements ensure that payments move between designated individuals and companies securely and in a controlled manner. Real-time data and payment restrictions provide identity tracking and assurance around funds managed and held by ADR and our vendors.

PCI Compliance

ADR is PCI compliant, ensuring that card processing is managed safely and securely. Real-time KYC identity tracking provides assurance, and data and payment restrictions are in place for funds managed and held by ADR.

GDPR Compliance

ADR adheres to all the data protection requirements outlined in GDPR, providing all data subjects control of their personal data as well as processing all data using highly secure protocols.

HIPAA Compliance

ADR complies with the Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, a series of regulatory standards that outline the lawful use and disclosure of protected health information.

HITRUST CSF Certified

ADR is certified with the HITRUST CSF (Common Security Framework), a comprehensive framework that addresses information security and privacy risks in the healthcare industry. By adhering to HITRUST CSF, ADR demonstrates its commitment to protecting sensitive data, ensuring regulatory compliance, and implementing robust security controls and practices.

Security Overview

Platform Security Features Overview

If you have any questions about our security, feel free to reach out to our security team at security@alldigitalrewards.com.

  • Complex Password Access
    All access requires complex passwords of at least 8 characters, including numbers and special characters.
  • Salted Password Hashing
    Passwords are stored as salted one-way hashes; they cannot be decrypted or recovered in plaintext.
  • Access Lockout
    Repeated failed attempts to access the system block the user and are logged.
  • IP Based Access
    Specific IP-based security for controlled access.
  • Location-Based Access
    Location-based restrictions
  • One Time Passwords (2 step authentication)
    Device and IP based
  • Web Application Firewalls
    Real-time protection against DoS, SQL injection, and other attacks
  • Realtime KYC validation (Know your customer)
    Instant checks on individual and company details during profile setup and payments
  • Realtime AML validation (Anti-money laundering)
    Instant rule checks on individual and company payments activity.
  • Secure Encrypted Data
    Sensitive data encrypted using state-of-the-art encryption methods. Details on request.
  • Regular Independent Site Scans
    Regular third-party scans of servers, including static and dynamic scans, to identify vulnerabilities.
  • Firewall Protection
    Secure firewall protection.
  • Physically Secure Servers
    All servers are in carefully monitored, restricted sites with secure passkey access. More information on request.
  • Safety Policies
    Documented security policies in place.
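The salted password storage described under Application Level Security and the Access Lockout item above are two halves of one login path, so here is one added example covering both (it is not ADR's code). Passwords are never encrypted, because encryption is reversible; each is run through scrypt, a salted and deliberately slow key-derivation function from Python's standard library, and verified with a constant-time comparison. A small guard then counts failed attempts per account, locks the account after a threshold, and writes every event to an audit log. The cost parameters, the five-attempt threshold, the 15-minute lockout window, the usernames and the IP addresses are all assumptions.

```python
"""Salted password hashing with account lockout, as an added example (not
ADR's code). Passwords are never encrypted, since encryption is reversible;
each is run through scrypt (a salted, slow, memory-hard KDF from Python's
standard library) and compared in constant time. The cost parameters,
attempt threshold and lockout window are assumptions."""
import base64
import hashlib
import hmac
import secrets

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)  # assumed cost (~16 MiB); tune to ~100 ms
MAX_FAILURES = 5                            # assumed lockout threshold
LOCKOUT_SECONDS = 900                       # assumed lockout window


def hash_password(password):
    """Return 'scrypt$n$r$p$salt$digest'. A fresh random salt per record
    means two users with the same password get different hashes."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    b64 = lambda b: base64.b64encode(b).decode()
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_PARAMS["n"], SCRYPT_PARAMS["r"],
                                      SCRYPT_PARAMS["p"], b64(salt), b64(digest))


def verify_password(stored, candidate):
    """Recompute the hash with the stored salt and parameters; compare in
    constant time so response timing does not leak how many bytes matched."""
    algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
    if algo != "scrypt":
        return False
    expected = base64.b64decode(digest_b64)
    actual = hashlib.scrypt(candidate.encode(), salt=base64.b64decode(salt_b64),
                            dklen=len(expected), n=int(n), r=int(r), p=int(p))
    return hmac.compare_digest(actual, expected)


# Used when the username does not exist, so an unknown user costs the same
# time as a wrong password and timing does not reveal valid usernames.
DUMMY_HASH = hash_password(secrets.token_hex(16))


class LoginGuard:
    """Counts failed attempts per account, locks the account after
    MAX_FAILURES and records every event in an audit log."""

    def __init__(self, users, now):
        self.users = users          # username -> stored hash record
        self.failures = {}          # username -> consecutive failures
        self.locked_until = {}      # username -> unlock timestamp
        self.now = now              # clock function, injectable for tests
        self.log = []               # constructed audit trail, one line per event

    def login(self, username, password, source_ip):
        t = self.now()
        if self.locked_until.get(username, 0) > t:
            self.log.append("LOCKED user=%s ip=%s" % (username, source_ip))
            return "locked"
        stored = self.users.get(username)
        ok = verify_password(stored or DUMMY_HASH, password) and stored is not None
        if ok:
            self.failures.pop(username, None)
            self.log.append("SUCCESS user=%s ip=%s" % (username, source_ip))
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        self.log.append("FAILURE user=%s ip=%s count=%d" % (username, source_ip, count))
        if count >= MAX_FAILURES:
            until = t + LOCKOUT_SECONDS
            self.locked_until[username] = until
            self.failures.pop(username, None)
            self.log.append("LOCKOUT user=%s ip=%s until=%d" % (username, source_ip, until))
            return "locked"
        return "denied"
```

Two design points worth noting: the stored record carries its own salt and cost parameters, so the cost can be raised later for new records without breaking verification of old ones, and the lockout state is keyed by account rather than by source IP, since a distributed guess attack changes IPs freely but must still name the account it is attacking.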