Security

This document provides details on security features of PassKit's Software as a Service application ("Service") and overall security & data measures. It addresses the most common concerns customers have about security and privacy.

Security Overview

PassKit shall (a) establish and maintain industry standard technical and organizational measures designed to protect against (i) accidental damage to, or destruction, loss, or alteration of, Customer Data and (ii) unauthorized access to the Customer Data; and (b) establish and maintain industry standard network and internet security procedures, protocols, security gateways and firewalls with respect to the Hosted Service.

Product Overview

PassKit's comprehensive engagement tools fuel some of the world's most successful mobile applications and campaigns: powering mobile wallet programs, O2O engagement strategies, sophisticated audience targeting, and mobile analytics.

Data Collection and Management

Data Collected

PassKit customers access and use the Service to engage with users of their mobile wallet / passes. The timing, method, and content of such engagements using the PassKit Service are under the sole control of our customers. In addition, in order to provide intelligent insights to our customers about their mobile marketing programs and engagements, the PassKit Service collects, processes, and stores data about the activity of customers' users.

Privacy and Confidentiality

PassKit is committed to providing transparency and supporting necessary levels of consent in our privacy practices. PassKit collects, processes, and uses information via the Service on behalf of our customers, in accordance with the agreement in place between PassKit and the specific customer. With respect to customer data, PassKit acts as the data processor and our customer remains the data controller.

PassKit classifies all customer data as restricted confidential and access to customer data is actively managed and reviewed.

More information on our privacy policy is available at: https://passkit.com/legal/privacy-statement/.

Data Protection

Data on the Service is protected both at rest and in transit. For data at rest, PassKit employs robust controls and tools to manage access to stored data including, but not limited to: activity logging, web access controls, and a Web Application Firewall (WAF).

TLS encryption is required and enabled by default for data being transmitted to and from the PassKit Service (data in transit). Data at rest is encrypted using AES-256 encryption.

Security Policy Overview

Basic Security Requirements

  • Keep security patches up-to-date.
  • Assign a unique ID to each person with computer access to data, individual records and in-bulk.
  • Track access to data, individual records and in-bulk, by unique ID.
  • Regularly test security systems and processes.
  • Restrict physical access to systems containing customer information.
  • Restrict remote access to the entire network and employ remote access controls to verify the identity of users connecting.
  • Protect on-site and off-site backups from unauthorized access during transit and storage.
  • PassKit shall ensure that its staff is aware of their obligations in relation to confidentiality and data protection as set forth in this agreement.
  • PassKit shall have robust backup systems in place to guard against any data corruption or loss.

User Management

The PassKit Service web application requires unique emails per customer account. User passwords are stored in an industry-standard cryptographic hash format based on a key derivation function. User sessions last either for the lifetime of the browser/tab or for two weeks. All sessions for a user can be closed via the security panel of the web user interface. All connections are secured with TLS.

Customers are responsible for managing their own accounts, including provisioning and de-provisioning their own users once PassKit provides the initial log-in credentials.

Access Limitations

Restrict access to Customer Data only to those Personnel who have a need to know or otherwise access the Customer Data to enable PassKit to perform its obligations under the Agreement, provided that those Personnel are bound in writing by obligations of confidentiality sufficient to protect the Customer Data in accordance with requirements herein.

PassKit will maintain a disciplinary process to address any unauthorized access, use or disclosure of Customer Data. PassKit shall not engage any sub-contractor to perform any part of the agreement unless prior written consent is obtained from Customer. In the event a sub-contractor is engaged, such sub-contractor shall be bound by the obligations set forth under this agreement.

Data Transmission

PassKit will use industry standard mechanisms for data transmission. These may include:

  • JSON/XML/HTTP over SSL, with certificate-based authentication utilizing a 1024-bit (or larger) RSA public key, and 128-bit (or stronger) symmetric encryption.
  • Digitally signed and encrypted S/MIME messages over HTTP or SMTP, using certificates with a 2048-bit (or larger) RSA public key, and 256-bit (or stronger) symmetric encryption.

For all message-based encryption schemes employing digital signatures (including PGP and S/MIME), PassKit will verify the digital signature of the message and reject messages with invalid signatures.

For all encryption schemes employing public key cryptography, PassKit will ensure the confidentiality of the private component of the public-private key pair, and will notify Customer in the event that the private key is compromised.

In general, the choice of mechanism will depend on a number of factors such as technical capability, transaction volume, latency requirements, and availability requirements, in each case as determined in PassKit's sole discretion.

Data Backup and Recovery

PassKit protects the Service through a robust data backup and recovery plan that includes daily incremental and full backups (depending on the specific service). These plans are reviewed and tested annually or when any major business change occurs.

Security Breach

In the event of a Security Breach impacting Customer Data or any abnormality noted or possible accidental or unauthorized access to Customer Data, PassKit shall:

  • (a) take immediate steps to remedy the breach;
  • (b) notify Customer as soon as is practicable; and
  • (c) take any other prompt actions to ensure that such Security Breach or potential Security Breach will not recur.

In any notification to Customer, PassKit shall:

  • (a) provide a description of the incident, the data accessed, the identity of affected third parties, if any, and such other relevant information determined by PassKit; and
  • (b) designate a single individual as a point of contact for Customer.

PassKit agrees to fully cooperate with Customer and any law enforcement or regulatory official in connection with any Security Breach, including without limitation any investigation, reporting or other obligations required by Applicable Law, as well as any dispute, inquiry or claim concerning the Security Breach. Unless prohibited by Applicable Law, Customer shall make the final decision on notifying affected third parties of such Security Breach and the implementation of any remediation plan. For purposes of this subsection, "Security Breach" includes, but is not limited to:

  • (a) intrusion or hacking into a computing system on which Customer Data is maintained;
  • (b) loss or theft of a computer, mobile device, hard drive, other information storage device, or printed materials which contain Customer Data;
  • (c) the use, misuse, acquisition, compromise or disclosure of, or unauthorized access to, Customer Data; or
  • (d) any circumstance pursuant to which Applicable Law requires notification of such breach to be given to affected parties.