This document provides details on security features of PassKit's Software as a Service application ("Service") and overall security & data measures. It addresses the most common concerns customers have about security and privacy.
PassKit shall (a) establish and maintain industry standard technical and organizational measures designed to protect against (i) accidental damage to, or destruction, loss, or alteration of, Customer Data and (ii) unauthorized access to the Customer Data; and (b) establish and maintain industry standard network and internet security procedures, protocols, security gateways and firewalls with respect to the Hosted Service.
PassKit's comprehensive engagement tools fuel some of the world's most successful mobile applications and campaigns: powering mobile wallet programs, O2O engagement strategies, sophisticated audience targeting, and mobile analytics.
PassKit customers access and use the Service to engage with users of their mobile wallet / passes. The timing, method, and content of such engagements using the PassKit Service is at the sole control of our customers. In addition, in order to provide intelligent insights to our customers about their mobile marketing programs and engagements, the PassKit Service collects, processes, and stores data about customers' user activity data.
PassKit is committed to providing transparency and supporting necessary levels of consent in our privacy practices. PassKit collects, processes, and uses information via the Service on behalf of our customers, in accordance with the agreement in place between PassKit and the specific customer. With respect to customer data, PassKit acts as the data processor and our customer remains the data controller.
PassKit classifies all customer data as restricted confidential and access to customer data is actively managed and reviewed.
Data on the Service is protected both at rest and in transit. At rest, PassKit employs robust controls and tools to manage access to stored data including, but not limited to: activity logging, web access controls, and Web Application Firewall (WAF.)
TLS encryption is required and enabled by default for data being transmitted to and from the PassKit Service (data in transit). Data at rest is encrypted using AES256 encryption.
PassKit Service web application requires unique emails per customer account. User passwords are stored in an industry standard key derivation function based cryptographic hash format. User sessions can either be the length of the browser/tab, or two weeks. All sessions for a user can be closed via the web user interface security panel. All connections are secured with TLS.
Customers are responsible for managing their own accounts, including provisioning and de-provisioning their own users once PassKit provides the initial log-in credentials.
Restrict access to Customer Data only to those Personnel who have a need to know or otherwise access the Customer Data to enable PassKit to perform its obligations under the Agreement, provided that those Personnel are bound in writing by obligations of confidentiality sufficient to protect the Customer Data in accordance with requirements herein.
PassKit will maintain a disciplinary process to address any unauthorized access, use or disclosure of Customer Data. PassKit shall not engage any sub-contractor to perform any part of the agreement unless prior written consent is obtained from Customer. In the event a sub-contractor is engaged, such sub-contractor shall be bound by the obligations set forth under this agreement.
PassKit will use industry standard mechanisms for data transmission. These may include:
For all message-based encryption schemes employing digital signatures (including PGP and S/MIME), PassKit will verify the digital signature of the message and reject messages with invalid signatures.
For all encryption schemes employing public key cryptography, PassKit will ensure the confidentiality of the private component of the public-private key pair, and will notify Customer in the event that the private key is compromised.
In general, the mechanism choice will depend on a number of factors such as technical capability, transaction volume, latency requirements, availability requirements, in each case as determined in PassKit's sole discretion.
PassKit protects the Service through a robust data backup and recovery plan that includes daily incremental and full backups (depending on the specific service). These plans are reviewed and tested annually or when any major business change occurs.
In the event of a Security Breach impacting Customer Data or any abnormality noted or possible accidental or unauthorized access to Customer Data, PassKit shall:
In any notification to Customer, PassKit shall:
PassKit agrees to fully cooperate with Customer and any law enforcement or regulatory official in connection with any Security Breach, including without limitation any investigation, reporting or other obligations required by Applicable Law, as well as any dispute, inquiry or claim concerning the Security Breach. Unless prohibited by Applicable Law, Customer shall make the final decision on notifying affected third parties of such Security Breach and the implementation of any remediation plan. For purposes of this subsection, "Security Breach" includes, but is not limited to: