At Reward Gateway, we take you and your data’s security seriously. We understand that you’ll want to be sure of this and expected you’d want to verify that our security and privacy practices meet accepted standards. This pack is intended to demonstrate this to you, and contains details of those practices. Wherever possible, it also includes the findings of the independent third-party providers we use to check on our operations.

Table of Contents

In this pack, you’ll find:



VSA Questionnaire 2020.xlsx

The completed VSA security questionnaire.

ISMS Policy – Version 2.7.pdf

Our Information Security Policy.

Client Due Diligence – UK – Version 9.7.pdf

Client Due Diligence document contains lots of valuable information on security testing and compliance.

Client Due Diligence – US – Version 8.6.pdf

Client Due Diligence document contains lots of valuable information on security testing and compliance.

Client Due Diligence – AU  – Version 4.19.pdf

Client Due Diligence document contains lots of valuable information on security testing and compliance.

Certificate ISO27001-2013 - AWS.pdf - Reward Gateway.pdf

ISO/IEC 27001:2013 certificate.

Acceptable Use and IT Policy – Version 2.6.pdf

The set of rules all RG employee need to follow when using company assets.

Encryption Policy – Version 1.6.pdf

Encryption Policy.

Incident Management Policy – Version 2.4.pdf

Incident Management Policy.

Patch Management Policy – Version 3.0.pdf

Patch Management Policy.

Secure Development Policy – Version 1.4.pdf

Secure Development Policy.

Supplier Relationships Policy – Version 1.4.pdf

 Supplier Relationships Policy.

SOA Version 10 (Summary).pdf

Summary of our Statement of Applicability - provides information on implemented ISO 27002 controls.

Data Protection Policy - Version 2.1.pdf

Data Protection Policy.

Reward Gateway SAQ A AOC 2020.pdf


Introduction & Table of Contents.pdf

Introduction & Table of Contents document.

Frequently Asked Questions

Who are the Vendor Security Alliance?
In their own words, the Vendor Security Alliance ... [are] a coalition of companies committed to improving Internet security. Every day, industries across the globe depend on each other to embrace sound cybersecurity practices: yet in the past companies have not had a standardized way to assess the security of their peers. The VSA was formed to solve these issues and streamline vendor security compliance. https://www.vendorsecurityalliance.org/

Why have you decided to complete their (the Vendor Security Alliance) questionnaire?
We believe in the VSA’s goal of streamlining and standardising the information security assessment process and have not found an equivalent standard / body that provides a concise way of doing this.

What standards do you adhere to?
ISO 27001 - Our information security programme is certified against ISO 27001. You can find our latest certificate included.
PCI DSS – Reward Gateway is a Level 2 merchant compliant to PCI DSS 3.2 standard.

Do you audit your security and compliance to these standards?
Yes. Both standards have a monitoring / testing element and we have an extensive security programme that includes testing of our systems and products. You will find the latest independent summary reports in this pack.

Will you complete my security questionnaire for me?
In our experience, we have found that these questionnaires are often best completed by you, using the evidence we provide. This is because you will understand and know your internal policies and terminology much better than us. Feel free to adapt this material to meet those needs or to provide it to your Information Security Team who will be able to make sense of all this information.

What if I have a question that is not answered or I cannot find the relevant evidence?
Please see below for our contact details.

Can we undertake our own security testing?
Yes. Several of our current clients already operate their own testing regimes in addition to our own. Please get in contact with us first though to get our consent.

How frequently is this pack updated?
The pack is updated on an as-required basis.

Will you notify me if the pack is updated?
Not at this time. We suggest you request updates in-line with your own compliance policies.

How can I get in contact with you?
Feel free to email infosec@rewardgateway.com