Trust & Security Center

← Back to Home

1. Overview

At SavevyCoupons, security and trust are foundational to everything we build. Our platform handles sensitive coupon data, loyalty balances, and customer information for over 1,200 retail brands. We treat this responsibility with the seriousness it demands — investing in robust infrastructure, rigorous access controls, and transparent operational practices.

This Trust & Security Center provides an in-depth look at how we protect your data, authenticate our communications, respond to incidents, and comply with privacy regulations.

2. Security Practices

Access Controls

• Role-based access control (RBAC) across all platform components. Permissions are assigned based on job function and follow the principle of least privilege
• Multi-factor authentication (MFA) required for all employee accounts, administrative panels, and API key management
• Employee access is reviewed quarterly and immediately revoked upon role change or departure
• Production database access is restricted to senior engineering leads and requires MFA + VPN + time-limited session tokens

Data Protection

• Encryption in transit (TLS 1.3) and at rest (AES-256) for all data stores
• Sensitive fields (email addresses, billing details) are additionally encrypted at the application layer
• Database backups are encrypted and stored in a geographically separate AWS region
• Data deletion requests are processed within 30 days, with confirmation provided to the requestor

Application Security

• Automated static analysis (SAST) and dependency scanning integrated into our CI/CD pipeline
• Annual penetration testing conducted by independent security consultants
• OWASP Top 10 mitigations implemented across all web-facing components
• Content Security Policy (CSP), X-Frame-Options, and other security headers enforced

3. Infrastructure Details

Cloud Hosting

Our primary infrastructure runs on Amazon Web Services (AWS) in the us-west-2 (Oregon) region. We use multi-AZ deployment for high availability:

• Compute: Auto-scaling EC2 instances behind Application Load Balancers
• Database: Amazon RDS for PostgreSQL with Multi-AZ failover and automated daily backups
• Storage: Amazon S3 with server-side encryption and versioning for coupon assets and reports
• CDN: CloudFront for static asset delivery with edge caching

Email Delivery

• Provider: Mailgun (Sinch) — dedicated IP address for transactional email delivery
• Average daily volume: ~8,500 transactional emails
• Complaint rate: Consistently below 0.03%
• Bounce rate: Maintained under 1.5%
• Authentication: SPF + DKIM (2048-bit) + DMARC (p=reject)
• Suppression management: Global suppression list enforced across all tenant accounts

4. Email Practices (Detailed)

Recipient Verification

Every end-customer email address undergoes verification during loyalty program enrollment. Unverified addresses never receive transactional messages. Merchants cannot manually add email addresses without the end-customer completing a confirmation step.

Suppression List Management

We maintain a centralized, cross-tenant suppression list. Email addresses are added to the suppression list upon:

• Hard bounce (permanent delivery failure)
• ISP complaint via feedback loop
• Manual unsubscribe request from recipient
• Abuse report received at abuse@savevycoupons.com

Suppressed addresses are never re-activated unless the recipient explicitly re-enrolls and completes email verification.

Bounce & Complaint Workflows

• Hard bounces: Immediately suppress the address. Merchant notified within 1 hour
• Soft bounces: Retry with exponential backoff (max 3 attempts over 24 hours). If all retries fail, the address is reviewed for potential suppression
• Complaints: Address immediately suppressed. Merchant notified and required to review their recipient list hygiene. Repeated elevated complaint rates trigger account review

Feedback Loop (FBL) Monitoring

We subscribe to feedback loops from all major ISPs including Yahoo/AOL, Outlook/Hotmail, and other participating providers. Complaint signals are processed within minutes and trigger automatic suppression and merchant notification.

Rate Limiting & Anomaly Detection

Each tenant account has a configurable daily sending quota. If a merchant attempts to send beyond their allocated limit, sending is paused. Volume anomalies (e.g., an account suddenly sending 5× its normal daily volume) trigger automatic suspension and manual review by our operations team.

RBAC for Email Sending

Only authorized roles (Account Owner, Admin) can modify email templates, notification rules, or sending configurations. API keys with sending permissions require explicit approval from the Account Owner. Changes to critical sending parameters require a secondary approval step.

Template & Configuration Approvals

Modifications to email templates (content, subject lines, sender name) are logged with the user, timestamp, and diff of changes. For enterprise-tier accounts, template changes require approval from a second authorized user before taking effect.

Audit Trail

• Email delivery logs retained for 90 days (timestamp, recipient domain, status, bounce/complaint codes)
• Access and authentication logs retained for 12 months
• Template and configuration change logs retained for 12 months
• All logs are stored in immutable, append-only storage

How to Report Abuse

If you receive an unwanted or suspicious email claiming to originate from SavevyCoupons, please report it to abuse@savevycoupons.com. We investigate all reports within 2 business days and take corrective action as described in our Acceptable Use Policy.

5. Incident Response

Our incident response process follows five phases:

1. Detection (0–15 minutes) — Automated monitoring triggers alerts. On-call engineer assesses severity
2. Containment (15–60 minutes) — Affected systems isolated. Immediate mitigation applied to prevent further impact
3. Investigation (1–24 hours) — Root cause analysis conducted. Forensic evidence preserved
4. Resolution (24–72 hours) — Permanent fix deployed. Systems restored to full operation
5. Post-Incident Review (within 5 business days) — Formal retrospective documenting root cause, impact, timeline, and preventive measures

For incidents involving personal data breaches, we notify affected data controllers within 72 hours as required by GDPR Article 33. Affected individuals are notified without undue delay when the breach poses a high risk to their rights and freedoms.

6. Logging & Audit Trail

• Email delivery logs: Retained for 90 days. Include timestamp, recipient domain (not full address in long-term storage), delivery status, and any error codes
• Application access logs: Retained for 12 months. Include user identity, action performed, timestamp, and source IP
• Change management logs: Retained for 12 months. Record all modifications to email templates, notification rules, access permissions, and system configurations
• Infrastructure logs: Retained for 6 months. Include system performance metrics, security events, and network activity

All logs are stored in immutable, append-only storage. Access to logs is restricted to authorized operations and security personnel via RBAC.

7. Compliance

SavevyCoupons is committed to compliance with the following regulatory frameworks:

• GDPR — General Data Protection Regulation (EU). Data Processing Agreements available upon request
• CCPA — California Consumer Privacy Act. We do not sell personal information
• CAN-SPAM Act — U.S. federal law regulating commercial email. All transactional messages comply with CAN-SPAM requirements, including accurate header information, physical address inclusion, and functional opt-out mechanisms
• CASL — Canada's Anti-Spam Legislation. Consent mechanisms and record-keeping compliant with CASL requirements

8. Responsible Disclosure

We welcome security researchers who help us keep our platform safe. If you discover a potential security vulnerability in SavevyCoupons, please report it to us responsibly:

• Contact: security@savevycoupons.com
• Acknowledgment: We will acknowledge receipt of your report within 48 hours
• Assessment: We will provide an initial severity assessment within 5 business days
• Resolution: We aim to resolve confirmed vulnerabilities within 30 days, depending on complexity
• Recognition: With your permission, we will credit you in our security advisories

Please refrain from publicly disclosing vulnerabilities until we have had a reasonable opportunity to investigate and remediate. Do not access, modify, or delete data belonging to other users during your testing.

9. Contact

For security-related questions, trust inquiries, or compliance documentation requests:

• Security: security@savevycoupons.com
• Privacy: privacy@savevycoupons.com
• General: info@savevycoupons.com
• Phone: +1 (408) 673-8142
• Address: SavevyCoupons Inc., 1401 Koll Circle, Suite 108, San Jose, CA 95112