Trust & Compliance
Security & Data Protection
FidiPerks is built and operated in Australia. We take the security of merchant and customer data seriously and comply with applicable Australian privacy law. This page summarises our security posture and is intended for enterprise procurement, IT reviewers, and privacy officers evaluating FidiPerks for integration.
Last updated:Australian Privacy Act 1988
FidiPerks complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Specifically:
- We collect only the personal information necessary to operate the loyalty platform (APP 3).
- We use and disclose personal information only for the purpose for which it was collected, or a directly related purpose (APP 6).
- We maintain a clearly accessible Privacy Policy explaining how data is collected, used, and disclosed (APP 1 & APP 5).
- Individuals may request access to, or correction of, their personal information at any time (APP 12 & APP 13).
- We do not sell personal data to third parties for marketing purposes.
For the full detail of how we handle personal information, see our Privacy Policy.
Data Residency
All production data — including merchant profiles, customer loyalty records, transaction history, and analytics — is stored and processed in Australia. We do not transfer production data offshore except where required to provide specific third-party integrations (e.g. payment processing), which are governed by their own data processing agreements.
| Data Category | Storage Location | Retention |
|---|---|---|
| Merchant account data | Australia | Duration of contract + 7 years |
| Customer loyalty records | Australia | Duration of merchant account |
| Transaction history | Australia | 7 years (financial records) |
| Analytics & usage data | Australia | 2 years rolling |
| Support communications | Australia | 3 years |
Encryption & Transport Security
- In transit: All communications between clients and FidiPerks servers are encrypted with TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS.
- At rest: Customer and merchant data is encrypted at rest using industry-standard AES-256 encryption.
- Passwords: User passwords are hashed using a modern adaptive hashing algorithm (bcrypt). Plaintext passwords are never stored.
- API tokens: Bearer tokens are short-lived and rotated on re-authentication. Secrets are stored in environment-isolated secure vaults, never in source code.
Access Control
- Merchant data is strictly isolated by tenant — one merchant cannot access another merchant's data through the API.
- Admin and staff roles within a merchant account are enforced at the API level, not just the UI.
- Internal FidiPerks staff access to production data is limited to authorised personnel and is logged.
- Multi-factor authentication (MFA) is available and recommended for merchant admin accounts.
Incident Response & Breach Notification
In the event of a data breach or security incident, FidiPerks follows a documented incident response procedure:
- Detection: Automated alerting monitors for anomalous access patterns and system errors 24/7.
- Containment: Affected systems are isolated within hours of a confirmed incident.
- Notification: If a breach is likely to result in serious harm, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals within 30 days of becoming aware of the breach, in accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988.
- Post-incident review: A root-cause analysis is conducted within 14 days and remediation actions are tracked to completion.
Key Sub-processors
FidiPerks uses a limited set of trusted third-party services to deliver the platform. Each is subject to data processing agreements and appropriate security assessments.
| Provider | Purpose | Data Shared |
|---|---|---|
| Cloud infrastructure provider | Hosting & storage | All application data (Australia region) |
| Payment processor (Stripe) | Subscription billing | Merchant billing details only |
| Transactional email provider | System & notification emails | Email address, notification content |
| Push notification provider | App push notifications | Device tokens, notification payload |
Enterprise customers may request the full sub-processor list and associated DPAs by contacting support@fidiperks.com.
Responsible Disclosure Policy
If you discover a potential security vulnerability in FidiPerks, we ask that you report it to us privately before public disclosure, giving us a reasonable opportunity to investigate and remediate.
Report a vulnerability:
Email security@fidiperks.com with a description of the vulnerability, steps to reproduce, and potential impact.
We aim to acknowledge receipt within 2 business days and provide a status update within 10 business days. We will not take legal action against good-faith security researchers who follow this policy.
Enterprise & Procurement Enquiries
If you are evaluating FidiPerks for an enterprise deployment or integration and require additional documentation — such as a Data Processing Agreement (DPA), a completed vendor security questionnaire, or evidence of specific controls — please reach out directly.
Enterprise security enquiries: support@fidiperks.com
We typically respond to enterprise security questionnaires within 5 business days.