Security

Practical safeguards for a lightweight customer data platform

Keepers Loyalty stores business account information and customer signup records, so the platform needs clear operational safeguards. This page outlines the core security expectations a SaaS like this should communicate even before a full compliance program is in place.

Security principles

  • Least-necessary access to production data
  • Protected authentication flows and server-side session validation
  • Scoped operational access for support and debugging

01

Access and authentication

Business accounts authenticate through platform-managed sign-in flows, and protected pages rely on server-side session checks. Access to business data should remain limited to authenticated account holders and authorized internal operators who need it for support or maintenance.

02

Infrastructure and storage

Application data is stored using managed infrastructure. Sensitive operations should be routed through validated backend functions rather than exposing direct client-side write paths. Logs and operational telemetry should be reviewed with care to avoid unnecessary retention of customer information.

03

Data handling

Customer signups collected through loyalty links may contain personally identifiable information, including names, email addresses, and optional phone numbers. Businesses should export and use that data responsibly, and the platform should minimize collection to what is necessary for the product to work.

04

Response and improvement

Suspected vulnerabilities, suspicious account activity, and incidents affecting customer data should be triaged quickly, investigated, and remediated with appropriate customer communication. Security posture should improve over time as the platform matures, usage grows, and new risks appear.

What to publish next

As the product matures, this page can expand with a formal subprocessor list, backup and retention details, encryption specifics, authentication hardening, and vulnerability disclosure instructions.

Reporting issues

Security reports should have a clear destination before launch. If you plan to accept public reports, add a monitored inbox or disclosure form and link it from this page and the footer contact page.