Skip to main content
VoucherGrid is built with security at every layer. Here’s how we protect your business and your customers’ data.

Authentication

Sign-in methods

  • Email and password – passwords must be at least 10 characters
  • Google – sign in with your Google account
  • Apple – sign in with your Apple ID
  • Passkeys – passwordless biometric authentication (Touch ID, Face ID, or security keys)

Password security

  • Passwords are hashed using a modern adaptive algorithm (scrypt) before storage – we never store plain text passwords
  • New passwords are checked against the Have I Been Pwned breach database to prevent use of compromised passwords
  • Account lockout triggers after repeated failed login attempts

Two-factor authentication (2FA)

Two methods are available:
  • Email OTP – a one-time code sent to your email (valid for 10 minutes)
  • Authenticator app (TOTP) – time-based codes via apps like Google Authenticator or Authy
Backup codes are provided when you enable 2FA. You can also mark devices as trusted to skip 2FA for 30 days.
We recommend enabling 2FA for all team members, especially Owners and Admins.

Data encryption

In transit

  • All connections use HTTPS (TLS)
  • Database connections use SSL with certificate verification
  • Redis connections use TLS

At rest

  • Integration credentials (Xero, QuickBooks) are encrypted with AES-128 using a versioned keyring
  • OAuth tokens are stored encrypted
  • 2FA secrets are stored encrypted
  • Personal information (email, name, phone) uses a dedicated encryption key separate from other data
  • API keys are stored as one-way hashes – the plaintext key is shown only once when generated

Data isolation

Every query is scoped by your account. Your data is completely isolated from other VoucherGrid accounts:
  • Account ID is resolved from your authenticated session – it’s never accepted from request parameters
  • Background jobs receive account context explicitly
  • Team members with location restrictions can only access data from their assigned locations

Audit logging

Every significant action is recorded in an append-only audit log:
  • Voucher events – created, redeemed, voided, refunded, expired
  • Authentication – logins, logouts, password changes, 2FA events
  • Team changes – invites, role changes, removals
  • Settings and integration changes
  • Billing events
The audit log uses a cryptographic chain so that any tampering with entries can be detected. Email addresses in the log are stored in masked form. Default retention is 3 years. Logs can be exported from the Reports page.

Payment security

VoucherGrid uses Stripe for all payment processing. Card details are entered directly into Stripe’s secure payment form – they never touch VoucherGrid’s servers. This qualifies us for PCI DSS SAQ-A, the simplest compliance level.

Data privacy

Your rights

  • Export your data – Owners can export all account data at any time
  • Delete your account – account deletion removes all data, including files stored in cloud storage
  • Data retention – after account cancellation, access continues through the grace period, then account access locks; customer personal information is anonymised where appropriate, and voucher and financial records are retained as legally required

Customer rights (GDPR)

Gift voucher buyers can:
  • Request a copy of their personal data
  • Request deletion of their personal data
These requests are handled through a verified process with a 48-hour download link.

Hosting

ServiceProviderRegion
API and databaseRenderOregon, US
FrontendVercelSydney, Australia
File storageCloudflare R2Global CDN

Compliance

StandardStatus
PCI DSS SAQ-ACard data handled entirely by Stripe
GDPRData subject access requests and right to erasure supported
Australian Consumer LawBuilt around Australian voucher expiry rules
Australian GSTReporting built around cash and non-cash accounting methods