Trust Center

Updated 29/01/2024


Welcome to Rewardful’s trust center. We are fully committed to protect your data, including the data of your team members, your customers and your affiliates. Use this trust center to learn about our security and privacy posture.

How does Rewardful work?

Rewardful’s ability to manage your affiliate program is based on three key components:

  1. A JavaScript tracking script that adds a cookie to visitors who are referred to your website
  2. Adding that cookie data to your Stripe customer records who are referred to your website
  3. Rewardful connects to your Stripe account in order to receive purchase data to see who was a referred customer

With these three components in place we can track which customers were referred by which affiliates and calculate what commissions are owed to those affiliates and so forth. 

Our responsibility to your data

We are very conscious of the fact that we are collecting, processing and storing very important data on behalf of our customers. We have responsibilities from two different perspectives. How we handle data depends on the context in which we've received this data:

1) Data controller

We store user data about our customers including things like your name and email address. In this context we have responsibilities as a data controller. If you’re a customer of our’s this means we collect things like your name, and email address. An example of how our responsibilities differ here is that as a data controller we can directly respond to data access and erasure requests.

2) Data processor

We store user data about your customers on your behalf, including things like their names, email addresses and in some cases information about the products they purchased from you. In this context we have responsibilities as a data processor. We have similar responsibilities as a data processor for your affiliates and their data in this context. An example of how our responsibilities differ here is that as a data processor we cannot directly respond to data access and erasure requests from a data subject. For example, if one of your affiliates asks us to delete their data, we must refer them on to the program manager.

How we handle your data

As a data controller and data processor it is important that we adhere to data protection best practices as outlined in data privacy frameworks including the GDPR, CCPA and others. This includes providing contractual assurances around how we handle your data, and outlining the technical measures we employ to protect your data, and the policies and procedures we will adhere to.


When you use Rewardful there are three important legal agreements that you may be agreeing to depending on the context, and so do we.

Technical and Organizational Measures

These are the measures that Rewardful employs to protect your data. Some of these measures are technical, including encrypting your data using SSL, and some are organizational measures like maintaining policies and procedures like an Access Control Policy or running Employee Privacy Training on a recurring basis.

With regards to our TOMs (technical and organizational measures) it is worth noting two things:

  1. Rewardful is a fully remote company with no physical offices
  2. Rewardful is a cloud based software provider using other cloud services for our infrastructure

These two points are important to note because it means we have limited physical exposure as we don’t manage our own physical infrastructure. Our full list of sub-processors can be found further down this page. Our application is hosted by Heroku (a subsidiary of Salesforce), and Heroku’s core infrastructure is hosted by Amazon Web Services. Amazon Web Services is the gold standard in cloud computing and adheres to industry best practices in data protection and data center security including the following certifications:

  • SOC 1/ISAE 3402, SOC 2, SOC 3
  • PCI DSS Level 1
  • ISO 9001, ISO 27001, ISO 27017, ISO 27018

For more information on Amazon Web Services and their security and compliance practices visit here.

Here is our full list of TOMS (technical and organizational measures) we employ to protect your data:

Rewardful TOMs


As a cloud software provider Rewardful uses a variety of cloud services to deliver our service to our customers. If any of these services are used to collect, process or store our customers’ data we will only work with vendors who provide us with a Data Processing Agreement, and that the vendor handles data in accordance with the GDPR and equivalent legislation.

Rewardful Sub-Processors

Data Protection Inquiries

For any inquiries around data protection, to request a signed Data Processing Agreement, or any questions about how we handle data protection, please email