Skip to main content

Data Protection, Security & Infrastructure

About your data, what we do with it & where it lives

Updated: January 31, 2024

Punchpass hosts data from both our clients, as well as their customers. We take this responsibility seriously, not just because it’s the law, but because it’s how we would want our data handled. Below are more details about how we handle your data to keep it safe and secure.

Your data is your data

Punchpass provides tools to help clients get their data out of Punchpass should they choose to – we believe it’s your data. We never charge a fee to download any of your data.

Data may remain on Punchpass

Your data may continue to reside on our servers after your account has canceled/expired for our own internal reporting purposes only. The account owner may request to have all of your company data removed at any time.

We do NOT sell data

Call us old-school, but we make money by charging our clients a monthly fee. We do not, under any circumstances, ever sell data to 3rd party services for marketing or any purpose.

We DO send data to 3rd party services to run Punchpass

Any modern web application uses a number of different specialized applications in order to serve their customers, and we are no different. For example we use Intercom for customer support, Honeybadger & Datadog for error tracking, Stripe to process credit card payments, and Postmark to send transactional emails. Our service is hosted on Heroku/Amazon Web Services (more info below.)

These services help Punchpass run more reliably, efficiently, and safely. We strongly believe that using best-in-class services makes your data safer and more secure.

We leave our infrastructure to the experts

Punchpass is hosted on Heroku, which runs on Amazon Web Services (AWS.) AWS has become the gold standard in cloud infrastructure hosting, allowing Punchpass to scale globally. More information can be found at the AWS Security Center.

Backups are kept for one year

Currently our logs and backups are kept for one year and then deleted automatically.

SSL everywhere

All Punchpass applications and communication use SSL, which creates a secure connection and keeps data safe.

We don’t handle or store credit card data

All payment processing is handled by Stripe, a certified Level 1 PCI Service Provider (the most stringent level of certification available). Any credit card data is submitted directly to Stripe via JavaScript over a secure SSL connection. The payment data never touches our servers.

Prompt disclosure of any security issues

We will quickly investigate any reported security issues. If you’ve discovered a security bug, please send an email to We will try to respond within 24 hours and request that you not publicly disclose the issue until we can address it.

GDPR specific concerns

For specific concerns regarding GDPR visit our Privacy Policy

Specific questions? Please contact us at and we’ll get right back to you.