How Tremendous handles security
By Aaron Small | 5 min read | Updated Oct 9, 2024
Tremendous protects your information and money behind layers and layers of security barriers. You're sending dozens or thousands of rewards and incentives across the world. You want peace of mind in the process.
We designed every facet of our platform (product features, infrastructure, and internal processes) with the express purpose of keeping sensitive information safe.
Below is a breakdown of how we protect your account.
Product Security
It's your data. You decide who sees it. Tremendous gives you the tools to control data access, order approvals, and account takeover prevention.
Zero-trust architecture for sensitive data
We one-way encrypt sensitive data, like reward links and API keys. Even we can't access them once they're created. Only you, the data owner, have the keys to unlock the vault.
Access controls
You can set role-based permissions to control who can do what in your account. Role-based permissions (RBP) give specific individuals access to certain features, workspaces, or actions while blocking them from others. RBP also lets companies create multiple roles, so they don't have to manage permissions user by user when new people are hired or when they leave.
Login protections
If our system observes unfamiliar login attempts from an unrecognized device or location, it prompts an extra email verification step to confirm user identity. This added checkpoint helps stop suspicious activity.
Multi-Factor Authentication
We require Multi-Factor Authentication (MFA) for everyone on your team using our platform. MFA requires users to provide at least two verification factors to gain access.
Single sign-on support
Tremendous supports SAML 2.0 protocol to authenticate users via external identity providers, like Gmail and Okta. This integration simplifies the login process and reduces the number of passwords you and your team need to remember.
Audit logs
Audit logs record every action taken within your account. These logs create an extensive trail that tracks who did what and when. Think of it as a Ring security camera that captures all activity happening on your account.
Order approvals
Say you're delivering a mix of low-value and high-value payouts in a reward campaign. You can set custom parameters that require admin approval for specific actions. This step gives you a second look before you confirm and send with absolute confidence.
Webhook signatures
We sign messages with a secret signature to confirm they haven’t been altered during transmission. This extra layer verifies that no tampering takes place.
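The verification a webhook receiver performs, as an added example that is not Tremendous's own code: it assumes an HMAC-SHA256 scheme over the raw request body with a hex digest carried in a hypothetical `X-Webhook-Signature` header, and uses constructed sample values throughout.

```python
import hashlib
import hmac

# Constructed sample values (hypothetical; not Tremendous's real secret or header name).
WEBHOOK_SECRET = b"whsec_constructed_example_do_not_use"
SIGNATURE_HEADER = "X-Webhook-Signature"  # assumed header name


def sign_payload(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the raw request body, hex-encoded."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes) -> bool:
    """Receiver side: recompute the MAC over the *raw* bytes as received
    (never over re-serialized JSON, which may differ byte-for-byte) and
    compare in constant time so the check leaks no timing information."""
    received = headers.get(SIGNATURE_HEADER, "")
    if not received:
        return False  # an unsigned delivery is rejected, not trusted
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, received)


def demo() -> tuple:
    """Exercise the genuine, tampered and unsigned cases; returns three bools."""
    # Constructed event body; the ids and amount are made up for this example.
    body = b'{"event":"reward.delivered","reward_id":"rwd_constructed_1","amount":25}'
    headers = {SIGNATURE_HEADER: sign_payload(WEBHOOK_SECRET, body)}
    genuine = verify_webhook(WEBHOOK_SECRET, headers, body)
    # A body altered in transit (amount changed) no longer matches the MAC.
    tampered_body = body.replace(b'"amount":25', b'"amount":2500')
    tampered = verify_webhook(WEBHOOK_SECRET, headers, tampered_body)
    # A delivery with no signature header at all is also rejected.
    unsigned = verify_webhook(WEBHOOK_SECRET, {}, body)
    return genuine, tampered, unsigned


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```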
Process Security
Maintaining high security standards requires regular assessments. We continually conduct testing with third parties to identify and address any potential vulnerabilities.
Internal multi-factor authentication
We require Tremendous employees to use MFA to access our systems.
SOC 2 Type II Compliant
SOC 2 is a voluntary compliance standard for service organizations. The standard is based on the following Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. We are happy to share our SOC 2 Type II reports and attestations with customers and provide you with an in-depth look at how we manage data.
Vulnerability scans
As part of SOC 2 compliance, we bring in a leading security scanning solution to identify potential weaknesses across our platform. This approach helps us address issues before they can cause harm.
Penetration tests
These tests are run by ethical third parties who flag any vulnerabilities or security gaps they may find. If you’d like to know how we score, ask our team for our most recent penetration test results.
Infrastructure Security
The cornerstone of our security strategy is our infrastructure. We protect personally identifiable information (PII) with bank-level encryption systems.
Data encryption at all times
We use strong encryption configurations to make your data unreadable if intercepted. This applies both to data saved on our systems, known as data at rest, and to data that travels the network, also called data in transit.
Continuous data backups
Our backup and recovery system guarantees that your data remains secure and accessible at all times.
Environment segregation
Our team builds and tests new features in sandbox environments. This is an entirely separate workspace from our live production environments. These important boundaries mean that any new updates or tools we’re working on won’t affect your live data or dashboard until they’re fully tested and ready for deployment.
DDoS protection
Our system shields against denial-of-service attacks, in which attackers try to overwhelm systems with enormous volumes of traffic, exhaust the application, and take it offline or make it unavailable to legitimate users. Our security configurations keep operations running smoothly.
Fraud Prevention
Customize your fraud controls
You can create and toggle specific fraud control rules to detect suspicious activity based on IP address, country, redemption amount, and more.
Catch fraudsters who cycle through identities
We detect and flag fraudsters who attempt to disguise themselves using VPNs or multiple email addresses.
Flag and review rewards
Our system holds suspicious rewards for your review, so you can be confident before blocking them from going through.
Together we fight fraud
There's safety in numbers. Our AI detects suspicious activity using payouts data across the more than 10,000 companies in the Tremendous network.
Chat with our team to learn more about how your security measures and fraud protections work.