Aligned with the Latest Security Standards
Data privacy and security are of paramount importance for any loyalty program. Capillary’s platform is up to date to meet the latest security standards.
ISO 27001 Compliant
Capillary’s Information Security Management System (ISMS) is based on ISO 27001:2013. Capillary is also PCI DSS 3.2.1 compliant and certified.
Certified with Card Industry Data Security Standards
Risk assessments, internal audits, and external audits run on a regular cadence, alongside metrics-based governance for data security.
Capillary’s Privacy Management System (PMS) is run by experienced privacy analysts who track and comply with privacy regulations worldwide, working closely with the Capillary loyalty product managers so that consumer privacy journeys align with those regulations. Capillary is compliant with global privacy regulations, including:
The Capillary PMS derives much of its privacy control design from industry standard bodies such as the Information Commissioner’s Office (ICO) UK and the Direct Marketing Association (DMA).
Personal data fields required for loyalty configurations are standardized, and any exceptions require approval by the Data Protection Office (DPO).
Commitments to customers are transmitted to vendors in contracts (On Transfer Principle) along with regular Privacy Impact Analysis.
All data provided by customers is protected as “Confidential Information” by default and guidelines are devised accordingly.
Access is managed on the principles of minimum need-to-do/need-to-know and Segregation of Duties (SoD).
Two Factor Authentication (2FA) based login and Role Based Access Control (RBAC).
Data at rest is encrypted with AES-256. Data in transit is protected with HTTPS over TLS 1.2.
Customer data is isolated through unique IDs at the API layer, limiting access to the respective customer’s data only.
Highly available systems and near real-time data replication across geographically dispersed data centers provide a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 30 minutes.
Anti-DDOS, Firewalls, and Web Application Firewalls ensure a solid safeguard for data protection.
VPN, SSH-based login, and centralized access control for production engineers.
Anti-virus protection and patch management for end-points along with prevention of malicious code.
Automated log monitoring and alerting using a context-based Security Information and Event Management (SIEM) system.
Pre-release internal security testing for all releases, based on OWASP and SANS 25, along with annual external (third-party) security testing.
Production environment segregated from the non-production environment, with authenticated API calls and API rate limiting.
Brands can control the behavior of how customers subscribe/unsubscribe to promotional messages.
Brands can control which data fields are treated as Personally Identifiable Information and provide ways for customers to delete their data.
End customers can easily opt-in or out of brand communications via multiple channels.
End customer data is completely safe as it is encrypted and stored with user consent.
Open privacy policies ensure users are aware of how their data would be used at all times.
Such policies dictate that only necessary data is collected to reduce liability without impacting customer experience.