Trust & Compliance

Security & Data Protection

FidiPerks is built and operated in Australia. We take the security of merchant and customer data seriously and comply with applicable Australian privacy law. This page summarises our security posture and is intended for enterprise procurement, IT reviewers, and privacy officers evaluating FidiPerks for integration.

Last updated:
Australian Privacy Act 1988
HTTPS / TLS 1.2+
Data hosted in Australia
Encrypted at rest & in transit

Australian Privacy Act 1988

FidiPerks complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Specifically:

  • We collect only the personal information necessary to operate the loyalty platform (APP 3).
  • We use and disclose personal information only for the purpose for which it was collected, or a directly related purpose (APP 6).
  • We maintain a clearly accessible Privacy Policy explaining how data is collected, used, and disclosed (APP 1 & APP 5).
  • Individuals may request access to, or correction of, their personal information at any time (APP 12 & APP 13).
  • We do not sell personal data to third parties for marketing purposes.

For the full detail of how we handle personal information, see our Privacy Policy.

Data Residency

All production data — including merchant profiles, customer loyalty records, transaction history, and analytics — is stored and processed in Australia. We do not transfer production data offshore except where required to provide specific third-party integrations (e.g. payment processing), which are governed by their own data processing agreements.

Data Category Storage Location Retention
Merchant account data Australia Duration of contract + 7 years
Customer loyalty records Australia Duration of merchant account
Transaction history Australia 7 years (financial records)
Analytics & usage data Australia 2 years rolling
Support communications Australia 3 years

Encryption & Transport Security

  • In transit: All communications between clients and FidiPerks servers are encrypted with TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS.
  • At rest: Customer and merchant data is encrypted at rest using industry-standard AES-256 encryption.
  • Passwords: User passwords are hashed using a modern adaptive hashing algorithm (bcrypt). Plaintext passwords are never stored.
  • API tokens: Bearer tokens are short-lived and rotated on re-authentication. Secrets are stored in environment-isolated secure vaults, never in source code.

Access Control

  • Merchant data is strictly isolated by tenant — one merchant cannot access another merchant's data through the API.
  • Admin and staff roles within a merchant account are enforced at the API level, not just the UI.
  • Internal FidiPerks staff access to production data is limited to authorised personnel and is logged.
  • Multi-factor authentication (MFA) is available and recommended for merchant admin accounts.

Incident Response & Breach Notification

In the event of a data breach or security incident, FidiPerks follows a documented incident response procedure:

  • Detection: Automated alerting monitors for anomalous access patterns and system errors 24/7.
  • Containment: Affected systems are isolated within hours of a confirmed incident.
  • Notification: If a breach is likely to result in serious harm, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals within 30 days of becoming aware of the breach, in accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988.
  • Post-incident review: A root-cause analysis is conducted within 14 days and remediation actions are tracked to completion.

Key Sub-processors

FidiPerks uses a limited set of trusted third-party services to deliver the platform. Each is subject to data processing agreements and appropriate security assessments.

Provider Purpose Data Shared
Cloud infrastructure provider Hosting & storage All application data (Australia region)
Payment processor (Stripe) Subscription billing Merchant billing details only
Transactional email provider System & notification emails Email address, notification content
Push notification provider App push notifications Device tokens, notification payload

Enterprise customers may request the full sub-processor list and associated DPAs by contacting support@fidiperks.com.

Responsible Disclosure Policy

If you discover a potential security vulnerability in FidiPerks, we ask that you report it to us privately before public disclosure, giving us a reasonable opportunity to investigate and remediate.

Report a vulnerability:

Email security@fidiperks.com with a description of the vulnerability, steps to reproduce, and potential impact.

We aim to acknowledge receipt within 2 business days and provide a status update within 10 business days. We will not take legal action against good-faith security researchers who follow this policy.

Enterprise & Procurement Enquiries

If you are evaluating FidiPerks for an enterprise deployment or integration and require additional documentation — such as a Data Processing Agreement (DPA), a completed vendor security questionnaire, or evidence of specific controls — please reach out directly.

Enterprise security enquiries: support@fidiperks.com

We typically respond to enterprise security questionnaires within 5 business days.