
How Tremendous handles security

By Aaron Small|5 min read|Updated Jun 17, 2024


Tremendous protects your information and money behind layers and layers of security barriers. You're sending dozens or thousands of rewards and incentives across the world. You want peace of mind in the process. 

We designed every facet of our platform (product features, infrastructure, and internal processes) with the express purpose of keeping sensitive information safe.

Below is a breakdown of how we protect your account.

Product Security

It's your data. You decide who sees it. Tremendous gives you the tools to control data access, order approvals, and account takeover prevention.

Zero-trust architecture for sensitive data

We one-way encrypt sensitive data, like reward links and API keys. Even we can't access them once they're created. Only you, the data owner, have the keys to unlock the vault.

Access controls

You can set role-based permissions to control who can do what with your account. Role-based permissions (RBP) give specific individuals access to certain features, workspaces, or actions while blocking them from others. RBP also lets companies create multiple roles, so permissions don't have to be managed individually each time a user is hired or leaves.

Login protections

If our system observes unfamiliar login attempts from an unrecognized device or location, it prompts an extra email verification step to confirm user identity. This added checkpoint helps stop suspicious activity.

Multi-Factor Authentication

We require Multi-Factor Authentication (MFA) for everyone on your team using our platform. MFA requires users to provide at least two verification factors to gain access.

Single sign-on support

Tremendous supports the SAML 2.0 protocol to authenticate users via external identity providers, like Gmail and Okta. This integration simplifies the login process and reduces the number of passwords you and your team need to remember.

Audit logs

Audit logs record every action taken within your account. These logs create an extensive trail that tracks who did what and when. Think of it as a Ring security camera that captures all activity happening on your account.

Order approvals

Say you're delivering a mix of low-value and high-value payouts in a reward campaign. You can set custom parameters that require admin approval for specific actions. This step gives you a second look before you confirm and send with absolute confidence.

Webhook signatures

We sign messages with a secret signature so the receiver can confirm they haven't been altered during transmission. This extra layer verifies that no tampering takes place.
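The receiving side of that check, as an added example in Python that is not Tremendous's own code: it assumes a signing scheme of HMAC-SHA256 over `"<timestamp>.<raw body>"` delivered in two headers, which is an assumption about layout rather than Tremendous's documented format. The point it adds beyond the paragraph is that the verifier must run over the raw bytes before parsing, compare in constant time, and bound the timestamp so a captured message cannot simply be replayed later.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed placeholder shared secret, not a real key. Tolerance window
# for the timestamp is an assumed value, not a Tremendous setting.
SECRET = b"example-webhook-secret"
TOLERANCE_SECONDS = 300


def sign(raw_body: bytes, timestamp: int, secret: bytes = SECRET) -> str:
    """Signature the sender would attach under the assumed scheme:
    hex HMAC-SHA256 over "<timestamp>.<raw body>"."""
    msg = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(raw_body: bytes, timestamp_header: str, signature_header: str,
           secret: bytes = SECRET, now: Optional[int] = None) -> bool:
    """Return True only if the signature matches the raw body and the
    timestamp is fresh. Call this on the bytes exactly as received,
    before any JSON parsing or re-serialisation."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(timestamp_header)
    except (TypeError, ValueError):
        return False
    # Stale or far-future timestamps are rejected so a captured delivery
    # cannot be replayed outside the window.
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    expected = sign(raw_body, ts, secret)
    # compare_digest avoids leaking the first mismatching byte via timing.
    return hmac.compare_digest(expected, signature_header.strip().lower())
```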

Process Security

Maintaining high security standards requires regular assessments. We continually conduct testing with third parties to identify and address any potential vulnerabilities.

Internal multi-factor authentication

We require Tremendous employees to use MFA to access our systems.

SOC 2 Type II Compliant

SOC 2 is a voluntary compliance standard for service organizations. The standard is based on the following Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. We are happy to share our SOC 2 Type II reports and attestations with customers and provide you with an in-depth look at how we manage data.

Vulnerability scans

As part of SOC 2 compliance, we invite a leading security solution to identify any potential weaknesses across our platform. This approach helps us stop any potential harm before it happens.

Penetration tests

These tests are run by ethical third parties who flag any vulnerabilities or security gaps they may find. If you’d like to know how we score, ask our team for our most recent penetration test results.

Infrastructure Security

The cornerstone of our security strategy is our infrastructure. We protect personally identifiable information (PII) with bank-level encryption systems.

Data encryption at all times

We use strong encryption configurations to make your data unreadable and secure if intercepted. This applies to data saved on our systems, known as data at rest, and data that travels the network, also called data in transit.

Continuous data backups

Our backup and recovery system guarantees that your data remains secure and accessible at all times.

Environment segregation

Our team builds and tests new features in sandbox environments. This is an entirely separate workspace from our live production environments. These important boundaries mean that any new updates or tools we’re working on won’t affect your live data or dashboard until they’re fully tested and ready for deployment.

DDoS protection

Our system shields against denial-of-service attacks, where attackers try to overwhelm systems with enormous traffic, exhaust the application, and take it offline or make it unavailable to legitimate users. Our security configurations keep operations running smoothly.

Fraud Prevention

Customize your fraud controls

You can create and toggle specific fraud control rules to detect suspicious activity based on IP address, country, redemption amount, and more.

Catch fraudsters who cycle through identities

We detect and flag fraudsters who attempt to disguise themselves using VPNs or multiple email addresses.

Flag and review rewards

Our system holds suspicious rewards for your review, so you can look at them and decide with confidence whether to block them.

Together we fight fraud

There's safety in numbers. Our AI detects suspicious activity using payouts data across the more than 10,000 companies in the Tremendous network.

Chat with our team to learn more about how these security measures and fraud protections work.

Published June 17, 2024
