Where we are today (Live)

  • Encryption in transit: All traffic served over TLS 1.3 with HSTS. No plain HTTP endpoints.
  • Encryption at rest: Database and backups encrypted with AES-256. Disk-level encryption on all storage volumes.
  • Scoped API keys: Each integration uses a unique key with explicit brand and permission scope. Keys can be rotated or revoked from the dashboard.
  • Role-based access control: Per-user roles (Admin, Brand Manager, Read-only, Affiliate). Users only see brands and reports they’re assigned to.
  • Audit logging: Every login, plan change, payout export and API call is logged with user, timestamp and source IP.
  • Hosting: Application hosted on [HOSTING_PROVIDER] in [REGION]. Production environment isolated from staging and dev.
  • Backups: Encrypted database backups every 24 hours, retained for [N] days. Tested restore procedure quarterly.
  • Account security: Password hashing with bcrypt, account lockout on failed attempts, optional 2FA via authenticator app.
  • GDPR alignment: Data Processing Addendum (DPA) available on request. EU-resident data stays in EU regions.
  • Vulnerability practice: Dependencies monitored continuously. Security patches applied within 7 days of disclosure for high/critical CVEs.

What’s on the roadmap (Planned)

  • External penetration test: Third-party pen test scheduled for [QUARTER YEAR]. Executive summary will be shareable under NDA.
  • SOC 2 Type II: We have not engaged an auditor yet. Planned once we cross [CUSTOMER_THRESHOLD]. We will not claim "in progress" until the engagement letter is signed.
  • ISO 27001: Under evaluation as a parallel track to SOC 2.
  • SSO & SCIM: SAML/Okta SSO for the operator dashboard, requested most by groups with 10+ team members.
  • Bug bounty program: Currently we accept private disclosures via marketing@affconnect360.com. A formal bounty program follows the first pen test.
  • Public status page: Real-time uptime, scheduled maintenance and incident history at status.affconnect360.site.

Operational practices

Beyond the controls list, the way a small team operates matters as much as the certifications they hold. Here’s how we work.

Least-privilege by default

Engineers access production only when an incident or migration requires it, with time-boxed credentials. No standing root access.

Code review on every change

All production changes go through pull-request review. Database migrations require a second pair of eyes.

Secrets never in code

API keys and database credentials live in a secrets manager, not in source control or environment files committed to git.

Separate environments

Production, staging and development are fully isolated. Customer data never appears in non-production environments.

Incident response

If something goes wrong, we notify affected customers within 72 hours with what we know, what we’ve done, and what we’re still investigating.

Data deletion on request

Customers can export their full dataset and request permanent deletion at any time. Backups roll off within [N] days of deletion.

What we don’t have yet

Honest disclosure is part of being trustworthy. As of [CURRENT_MONTH YEAR], AffConnect360 does not hold:

  • SOC 2 Type I or Type II attestation
  • ISO 27001 certification
  • PCI-DSS certification (we do not store card data — payment processing is handled by your payout provider)
  • HIPAA compliance (not applicable to iGaming workflows)

If your procurement process requires any of these as a hard prerequisite today, we’re not a fit yet — and we’d rather tell you that up front than waste your week.

Need our DPA, security questionnaire response, or architecture overview?

We respond to vendor security questionnaires (SIG, CAIQ, custom) within 3 business days. We’ll send our Data Processing Addendum, hosting architecture summary and our standard responses on request.

Email marketing@affconnect360.com

Reporting a vulnerability

If you believe you’ve found a security issue in AffConnect360, please email marketing@affconnect360.com with reproduction steps. We acknowledge reports within 48 hours and aim to remediate confirmed high/critical issues within 14 days. Please do not test against live customer accounts — we’ll provide a sandbox if you need one.

A note on company maturity. AffConnect360 is an early-stage iGaming platform. We’ve made deliberate choices about which security investments come first: encryption, access control, audit logging and operational discipline before formal certifications. As we grow, the certifications follow. We’d rather be honest about the order than market a checklist we haven’t earned.