1. Introduction

At BlinkSwag, we are committed to the confidentiality, integrity, and availability of customer data. This Security & Compliance Policy outlines our layered approach to safeguarding data, mitigating risks, and maintaining the trust of our clients. BlinkSwag enables businesses to send branded swag, digital rewards, and employee experiences via a secure, scalable platform hosted on AWS.

We integrate with enterprise-grade platforms such as Zoho for CRM, finance, and operations, and Finch for HRIS connectivity. These integrations form a shared responsibility model, further enhancing the security posture of our operations.

2. Core Security Principles

• Defense in Depth: Multi-layered protection across application, infrastructure, and access levels.
• Least Privilege: Minimum access required for role-specific tasks.
• Separation of Duties: Distributed control to reduce risk.
• Risk-Based Security: Prioritizing efforts based on threat intelligence and impact.
• Transparency: Clear delineation of internal and third-party responsibilities.

3. Compliance & Shared Responsibility

BlinkSwag relies on a network of trusted, compliant platforms:

• Zoho: SOC 2 Type II, ISO 27001, GDPR, HIPAA compliant.
• Finch (HRIS aggregator): SOC 2 Type II, OAuth 2.0 security, encrypted data handling.
• Stripe: SOC 2, SOC 3, PCI, and NIST compliant
• AWS Hosting: Supports ISO 27001, SOC 1/2/3, PCI DSS, and FedRAMP.

While BlinkSwag does not hold its own certifications, our architecture aligns with best practices and leverages third-party certified services.
You can view our partners’ compliance certificates by visiting the link below

https://workdrive.zohoexternal.com/external/a301a14935be044076a0ed9ae327f84785632e51c32bfd234292cdcd3d54f2d3

4. People Security

• Background Checks: Required for all employees.
• Training & Education: Mandatory onboarding and annual security training.
• Access Controls: Role-based access managed via Zoho.
• Endpoint Protection: All company devices are encrypted and equipped with EDR, antivirus, and insider risk detection.

5. Product & Application Security

• Change Management: All changes follow a documented, auditable workflow.
• Penetration Testing: Conducted annually by third-party security firms.
• Monitoring: Application-level WAFs and automated threat detection.
• Consent Management: Explicit user consent is required when accessing HRIS data via Finch.

6. Data Security

• Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256).
• Data Classification: Segregated into public, confidential, and highly restricted.
• Multi-Tenant Segregation: Logical separation of client data.
• Access Logs: Full auditing of user and system access.

7. Infrastructure Security

• Cloud Security (AWS): Infrastructure hardened using AWS best practices.
• Production Access: SSH access is restricted via bastion host, IP whitelisting, and SSH keys.
• Patching & Updates: Automated and manual patching protocols.
• Asset Inventory: Full documentation of all cloud assets.

8. Incident Response

• 24/7 Monitoring: Real-time alerting and triage processes.
• Incident Playbook: Documented roles and workflows for breach management.
• Responsible Disclosure: security@blinkswag.com for external reporting.

9. Business Continuity & Disaster Recovery

• Backups: Daily encrypted backups across zones.
• Availability Zones: Multi-region redundancy.
• DR Testing: Simulated bi-annual disaster recovery drills.

10. Document Governance

• Retention Policy: Financials (7 yrs), Employee files (5 yrs post-employment), Customer data (5 yrs post-transaction).
• Storage: Encrypted digital storage; secure physical vaults.
• Notarization: Legal documents notarized and recorded (name, date, seal).
• Managed in Zoho: All lifecycle stages are tracked in Zoho document management tools.

11. Operational Process Controls

• Documented Flowcharts: Service delivery processes are visually mapped.
• CRM & ERP Integration: Customer interactions and orders managed in Zoho.
• Quality Assurance: Each order passes QMS checks.
• Employee Training: New hires are trained on SOPs and process flow charts.

12. Customer Data Collection and Usage

At BlinkSwag, we’re committed to transparency about the data we handle. To ensure your orders are fulfilled accurately and efficiently, and that you stay informed about their status, we collect essential customer data for our order processing function. This includes:

• Customer Name
• Customer Email
• Customer Phone Number
• Customer Shipping Address

This information is securely processed through our Zoho Applications, which manage everything from order creation to shipping.

When it comes to online payments, we partner with Stripe, a trusted and secure payment processor. BlinkSwag never stores your credit card details directly. All payment information is securely handled and managed directly by Stripe’s integrated services over an encrypted connection, giving you peace of mind.

For seamless user onboarding, we leverage Finch, an HRIS aggregator. We want to be clear: BlinkSwag does not record or share any Personal Identifiable Information (PII) obtained through Finch. The data we receive from Finch is solely used to automate swag sending based on the specific criteria your organization selects. Importantly, we only access this information with your explicit pre-approval when you connect your HR system through Finch.

It’s important to understand that customer data, in these contexts, is primarily managed by Zoho, Finch, and Stripe. BlinkSwag’s role is to provide the secure application infrastructure, ensuring your data is securely transmitted to these trusted platforms. Our entire application environment is hosted on AWS Cloud services, which are recognized globally for their leading security standards in hosting and data transmission. For your peace of mind, we also ensure secure login for our application users, supporting industry-standard OAuth 2.0 and Single Sign-On (SSO) implementations like ‘Sign In with Google’

13. Contact & Further Information

For questions about BlinkSwag’s security practices, or to request additional documentation: security@blinkswag.com