Last Updated: April 2026
At Regulars Inc., we take the security and privacy of our customers' data seriously. We have implemented comprehensive security measures across our infrastructure, applications, and operational processes to protect your information and ensure the reliable operation of our loyalty platform. This page outlines our security practices, compliance efforts, and the resources available to report security concerns.
Regulars is built on Amazon Web Services (AWS), one of the world's most secure cloud platforms. AWS provides enterprise-grade physical security, including surveillance systems, access controls, and security personnel at all data centers. Our primary data center region is us-east-1 (Northern Virginia), with backup and disaster recovery capabilities across geographically diverse regions.
AWS data centers implement multiple layers of physical security, including controlled access with biometric authentication, 24/7 security personnel, surveillance systems, and environmental controls. Only authorized AWS employees with a legitimate business need are granted access to data center facilities. All access is logged and regularly audited.
Our network infrastructure is protected by enterprise-grade firewalls, intrusion detection systems, and distributed denial-of-service (DDoS) mitigation. All traffic between our infrastructure and customers is routed through secure channels with redundancy to prevent single points of failure. We maintain network segmentation to isolate sensitive systems and limit lateral movement in case of a breach.
All data transmitted between your device and Regulars servers is encrypted using TLS (Transport Layer Security) version 1.2 or higher. TLS protects the confidentiality and integrity of data in transit: an attacker on the network path cannot read the traffic, and any tampering is detected and the connection rejected. We send HTTP Strict Transport Security (HSTS) headers so that browsers connect to Regulars only over HTTPS, which blocks downgrade attacks that try to strip a connection back to plain HTTP.
Sensitive data stored in our databases and systems is encrypted using AES-256 (Advanced Encryption Standard with 256-bit keys), the industry standard for protecting data at rest. Encryption keys are managed securely and rotated regularly according to security best practices. Database backups are also encrypted to maintain security throughout the data lifecycle.
Encryption keys are managed using AWS Key Management Service (KMS), which provides hardware-backed key storage, rotation, and access controls. Master key material never leaves KMS in plaintext, and keys are never logged or stored alongside the data they protect. Access to encryption keys is restricted to authorized systems and personnel with specific need-to-know requirements.
Regulars requires secure password authentication for all accounts. Passwords are hashed using industry-standard algorithms and are never stored or transmitted in plaintext. We support multi-factor authentication (MFA) to provide an additional layer of security, protecting accounts from unauthorized access even if passwords are compromised.
Access to customer data is strictly controlled through role-based access control (RBAC). Employees and systems only receive access to the minimum data necessary to perform their functions. Access is regularly reviewed and revoked when no longer needed. All access is logged for audit and monitoring purposes.
All API communications are authenticated and authorized through secure token-based mechanisms. API keys are issued securely and should be kept confidential. Tokens are short-lived and automatically expire to minimize the risk of unauthorized use. We monitor API activity for suspicious patterns and rate-limit requests to prevent abuse.
We are actively working toward SOC 2 Type II compliance. A SOC 2 Type II report is an independent auditor's attestation that a company's controls are suitably designed and operated effectively over a review period, measured against the Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy. We expect to complete our initial SOC 2 Type II audit by the end of 2026.
Regulars adheres to industry best practices and standards, including NIST Cybersecurity Framework recommendations, OWASP (Open Worldwide Application Security Project) guidelines, and CIS Controls. Our systems are designed to comply with applicable privacy regulations, including PIPEDA (Canada), Quebec Law 25, and GDPR (for international customers).
We conduct regular security audits and penetration testing by qualified third-party security firms to identify and address vulnerabilities. Security assessments are performed at least annually, with additional testing following significant system changes. We maintain detailed logs of all audit activities and remediation efforts.
Our systems are continuously monitored for security vulnerabilities using automated scanning tools and manual code review processes. We maintain an inventory of all systems and software components to ensure we are aware of potential vulnerabilities affecting our infrastructure.
Security patches and updates are applied promptly to all systems. Critical vulnerabilities are patched within 24 hours of a fix becoming available. All patching activities are logged and verified to ensure patches are successfully applied. Patches are tested in non-production environments before deployment to production systems.
We actively monitor third-party libraries, frameworks, and dependencies for known security vulnerabilities. Automated tools scan our codebase for vulnerable dependencies and alert our development team to required updates. We maintain an inventory of all third-party software and monitor security advisories relevant to our stack.
Regulars maintains a comprehensive incident response plan that defines procedures for detecting, responding to, and recovering from security incidents. Our incident response team is trained to handle various scenarios and maintains on-call capabilities to respond to incidents outside business hours.
We employ continuous monitoring and logging to detect potential security breaches. In the event of a confirmed or suspected data breach, we will notify affected customers and regulatory authorities as required by law, typically within 48 hours of discovery. Notifications will include details of the breach, affected data, number of individuals impacted, and recommended mitigation steps.
Upon discovery of a security incident, we conduct a thorough forensic investigation to determine the scope, cause, and impact. We preserve evidence and logs necessary to understand what happened and prevent recurrence. Affected customers will receive detailed incident reports upon request.
All Regulars employees undergo background checks before employment. We verify work history, conduct reference checks, and screen for criminal history as permitted by law. Employees with access to customer data undergo enhanced background verification.
All employees receive security awareness training covering topics such as phishing detection, password security, data handling, and incident reporting. Training is conducted annually and supplemented with periodic security updates and reminders. New employees receive security training as part of their onboarding process.
All Regulars employees sign confidentiality and non-disclosure agreements that prohibit unauthorized disclosure of customer data or confidential business information. These agreements remain in effect during and after employment.
Security Researchers: If you discover a security vulnerability in Regulars, please report it responsibly to our security team rather than disclosing it publicly. We welcome security research and will work with you to investigate and address legitimate security concerns.
To report a security vulnerability, please send an email to security@regularspass.com with details of the vulnerability. Include a description of the issue, steps to reproduce it, and any supporting documentation or proof of concept. Please do not include sensitive customer data in your report.
We will acknowledge receipt of your security report within 24 hours. We will investigate the issue and provide an initial assessment within one week. For confirmed vulnerabilities, we will work on a fix and provide a timeline for remediation. We will keep you updated throughout the process and will credit you for responsible disclosure when the vulnerability is resolved, if you wish.
We practice responsible disclosure and request that security researchers avoid public disclosure of vulnerabilities until we have had time to develop and deploy a fix. We will work with you to determine an appropriate disclosure timeline and appreciate your cooperation in protecting the security of our platform and our customers' data.
All system activities, user actions, and security events are logged and stored securely. Logs include authentication attempts, data access, configuration changes, and system errors. Logs are retained for at least one year and are available for security audits and incident investigation.
We employ real-time security monitoring tools to detect suspicious activities, unauthorized access attempts, and other anomalies. Alerts are generated for security events requiring immediate attention, and our security team responds to alerts 24/7.
Security logs are regularly analyzed to identify trends, patterns, and potential threats. We conduct periodic log reviews to ensure monitoring controls are effective and to identify areas for improvement.
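The authentication and access logs described above are the raw material for the alerting on unauthorized access attempts. The detection below is an added example written for this page, not Regulars' monitoring tooling: it runs a sliding window over authentication events keyed on source IP and raises alerts for a brute-force burst against one account, for password spraying (a few failures each against many accounts), and for the case that matters most, a successful login arriving right after a burst of failures. The log format and every sample line are constructed.

```python
"""Brute-force and password-spray detection over authentication events.

Added example, not Regulars' own monitoring code. The log format and the
sample lines are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Set, Tuple


class AuthEvent(NamedTuple):
    ts: datetime
    src_ip: str
    user: str
    outcome: str  # "success" or "failure"


def parse_line(line: str) -> AuthEvent:
    """Parse one constructed line: '<ISO-8601> auth src=<ip> user=<account> result=<outcome>'."""
    ts_str, _, rest = line.partition(" auth ")
    fields = dict(field.split("=", 1) for field in rest.split())
    return AuthEvent(datetime.fromisoformat(ts_str), fields["src"], fields["user"], fields["result"])


def detect(lines: List[str], window: timedelta = timedelta(minutes=5),
           fail_threshold: int = 5, spray_threshold: int = 3) -> List[dict]:
    """Sliding-window detection keyed on source IP.

    brute_force:            >= fail_threshold failures from one IP inside the window
    password_spray:         failures against >= spray_threshold distinct accounts from one IP
    success_after_failures: a successful login from an IP that still has >= fail_threshold
                            failures in the window (the sign that guessing or stuffing worked)
    brute_force and password_spray fire once per IP; the success alert fires per login.
    """
    events = sorted((parse_line(line) for line in lines), key=lambda e: e.ts)
    failures: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    raised: Set[Tuple[str, str]] = set()
    alerts: List[dict] = []

    for ev in events:
        recent = failures[ev.src_ip]
        # Evict failures that have aged out of the window.
        while recent and ev.ts - recent[0][0] > window:
            recent.popleft()

        if ev.outcome == "failure":
            recent.append((ev.ts, ev.user))
            if len(recent) >= fail_threshold and ("brute_force", ev.src_ip) not in raised:
                raised.add(("brute_force", ev.src_ip))
                alerts.append({"kind": "brute_force", "src_ip": ev.src_ip,
                               "failures": len(recent), "at": ev.ts})
            targets = sorted({user for _, user in recent})
            if len(targets) >= spray_threshold and ("password_spray", ev.src_ip) not in raised:
                raised.add(("password_spray", ev.src_ip))
                alerts.append({"kind": "password_spray", "src_ip": ev.src_ip,
                               "users": targets, "at": ev.ts})
        elif ev.outcome == "success" and len(recent) >= fail_threshold:
            alerts.append({"kind": "success_after_failures", "src_ip": ev.src_ip,
                           "user": ev.user, "failures": len(recent), "at": ev.ts})
    return alerts


# Constructed sample: a brute-force burst that succeeds, a spray across three
# accounts, and two failures too far apart to matter.
SAMPLE_LOG = """\
2026-04-02T10:00:01 auth src=203.0.113.7 user=alice result=failure
2026-04-02T10:00:09 auth src=203.0.113.7 user=alice result=failure
2026-04-02T10:00:15 auth src=203.0.113.7 user=alice result=failure
2026-04-02T10:00:22 auth src=203.0.113.7 user=alice result=failure
2026-04-02T10:00:30 auth src=203.0.113.7 user=alice result=failure
2026-04-02T10:00:41 auth src=203.0.113.7 user=alice result=success
2026-04-02T10:01:00 auth src=198.51.100.23 user=bob result=failure
2026-04-02T10:01:05 auth src=198.51.100.23 user=carol result=failure
2026-04-02T10:01:11 auth src=198.51.100.23 user=dave result=failure
2026-04-02T10:03:00 auth src=192.0.2.44 user=erin result=failure
2026-04-02T10:20:00 auth src=192.0.2.44 user=erin result=failure
2026-04-02T10:20:05 auth src=192.0.2.44 user=erin result=success
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The thresholds are deliberately parameters: the right values depend on the platform's normal failure rate, and the spray rule in particular needs tuning so that shared NAT addresses do not page the on-call engineer. The success-after-failures alert is the one to route with the highest priority, since it indicates a likely account compromise rather than an attempt.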
Customer data is automatically backed up multiple times daily with encryption and secure storage. Backups are stored redundantly across geographically separate regions to ensure data availability in case of a disaster. Backup systems are regularly tested to ensure data can be recovered quickly.
In the event of data loss or system failure, we are committed to restoring service within four hours. We maintain a disaster recovery plan that defines procedures for responding to various failure scenarios and regularly test our recovery capabilities.
We carefully evaluate the security practices of all third-party vendors and service providers that have access to customer data. Vendors must meet our security requirements and sign data protection agreements. We regularly audit vendor security practices and maintain oversight of all third-party processing activities.
We are continuously improving our security posture. Upcoming initiatives include completing our SOC 2 Type II attestation by late 2026, implementing advanced threat detection using machine learning, enhancing our penetration testing program, and expanding our security certifications to meet customer requirements in regulated industries.
If you have questions about our security practices, need additional security documentation, or have concerns about the security of your data, please contact our security team:
Regulars Security Team
Email: security@regularspass.com
Address: Montreal, Quebec, Canada
We are committed to maintaining the highest standards of security and will respond to all security inquiries promptly. Your trust is essential to us, and we work diligently to protect the security and privacy of your data.