Skip to main content

Data protection, security & infrastructure

About your data, what we do with it & where it lives

Updated: May 14, 2018

Punchpass hosts data from both our clients, as well as their customers. We take this responsibility seriously, not just because it’s the law, but because it’s how we would want our data handled. Below are more details about how we handle your data to keep it safe and secure.

When you close your account, it’s gone in 60 days

After 60 days cancelled client data is removed from our systems. Punchpass provides tools to help clients get their data out of Punchpass should they choose to – we believe it’s your data.

We do not sell data

Call us old-school, but we make money by charging our clients a monthly fee. We do not, under any circumstances, ever sell data to 3rd party services for marketing or any purpose.

We send data to 3rd party services to run Punchpass

Any modern web application uses a number of different specialized applications in order to serve their customers, and we are no different. For example we use Intercom for customer support, Rollbar for error tracking, Stripe to process credit card payments, and Postmark to send transactional emails. Our service is hosted on Heroku/Amazon Web Services (more info below.)

These services help Punchpass run more reliably, efficiently, and safely. We strongly believe that using best-in-class services makes your data safer and more secure.

We leave our infrastructure to the experts

Punchpass is hosted on Heroku, which runs on Amazon Web Services (AWS.) AWS has become the gold standard in cloud infrastructure hosting, allowing Punchpass to scale globally. More information can be found at the AWS Security Center.

Backups are kept for one year

Currently our logs and backups are kept for one year and then deleted automatically. We are exploring ways to reduce the amount of time these are kept, while also making sure we keep the security of our existing customers in mind.

SSL everywhere

All Punchpass applications and communication use SSL, which creates a secure connection and keeps data safe.

We don’t handle or store credit card data

All payment processing is handled by Stripe, a certified Level 1 PCI Service Provider (the most stringent level of certification available). Any credit card data is submitted directly to Stripe via JavaScript over a secure SSL connection. The payment data never touches our servers.

Prompt disclosure of any security issues

We will quickly investigate any reported security issues. If you’ve discovered a security bug, please send an email to We will try to respond within 24 hours and request that you not publicly disclose the issue until we can address it.

GDPR specific concerns

For specific concerns regarding GDPR visit our Privacy Policy

Specific questions? Please contact us at and we’ll get right back to you.