
Trust Center

Updated this week

Snappy is a global gifting company on a mission to spread joy, share gratitude, and remove the guesswork from gifting to employees and customers. Snappy’s SaaS platform offers the ability to send curated gift collections, branded swag, and experiences, while giving the recipients the ability to choose their preferred gifts. With customizable digital unwrapping options and seamless delivery via email, text, or business messaging apps, Snappy ensures a memorable gifting experience without the need for gift-givers to provide their recipients’ physical addresses.


Compliance

SOC 2 Type II

ISO 27001:2022

GDPR

CCPA

Microsoft Supplier Security & Privacy Assurance Program


Controls

Infrastructure security

Remote access encrypted enforced

The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.

Product security

Vulnerability and system monitoring procedures established

The company's formal policies outline the requirements for the following functions related to IT / Engineering:

  • vulnerability management;

  • system monitoring.

Internal security procedures

Organization structure documented

The company maintains an organizational chart that describes the organizational structure and reporting lines.

Data and privacy

Data retention procedures established

The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.


Subprocessors

Subprocessor | Category | Purpose | Location

MongoDB | Infrastructure | Data Storage | USA

Amazon Web Services | Infrastructure | Cloud Hosting | USA

Google Cloud Platform | Infrastructure | Cloud Hosting | USA

Okta | Infrastructure | Secure Identity Management | USA

Twilio Sendgrid | Infrastructure | Service Related Communications |

Atlassian | Performance | Operations Customer Support | USA

Google BigQuery | Performance | Product Analytics | USA

PostHog | Performance | Product Analytics | USA

TzOV IIT Intellias | Performance | Software Development and Support | USA

Innovecs | Performance | Software Development and Support | USA

Box | Feature Specific | Document Management | USA

Flatfile | Feature Specific | Secure File Sharing | USA

Merge | Feature Specific | Integration Support | USA

iDrive Fulfillment | Feature Specific | Fulfillment Logistics Services | USA

Snappy Gifts, Ltd. | Affiliate | Services and Support | Israel


Resources

To request access to our Audit Reports, Penetration Test Reports, or Supplier Onboarding Documents, click here.


FAQ

Security

What security certifications and compliance audits do you have?

We maintain industry-recognized certifications, including ISO 27001 and SOC 2 Type II. These certifications are backed by regular independent audits and penetration tests to validate our security posture.

How is user authentication managed? Do you support Single Sign-On (SSO) and Multi-Factor Authentication (MFA)?

User authentication is handled through SAML 2.0-based SSO. We also enforce Multi-Factor Authentication to add an extra layer of security during login, ensuring that only authorized users gain access.

How is customer data stored and secured?

Customer data is hosted on AWS servers within the US Data Region. It is encrypted at rest using AES-256 and in transit with TLS 1.2 or greater, ensuring robust protection throughout its lifecycle.

Who owns the customer data and how is data access controlled?

The customer retains full ownership of their data. Access is strictly controlled via role-based access mechanisms and the principle of least privilege, with only authorized personnel (such as technical support) granted access as necessary.

How is data encrypted at rest and in transit?

We encrypt all data at rest using AES-256 and secure data in transit using TLS 1.2 or higher. Additionally, encryption keys are managed by AWS KMS with regular rotation to maintain high security standards.

What backup and disaster recovery measures are in place?

Daily backups are performed using AWS native backup solutions, with disaster recovery strategies that include cross-region replication (e.g., between AWS East and West regions).

How are security events and access logs monitored and retained?

We log all authentication, authorization, and administrative events securely. Logs are stored in the cloud and are retained for at least one year (or longer upon client request).

Do you conduct regular vulnerability assessments, penetration tests, and code reviews?

Yes. We perform annual external penetration tests, conduct both automated and manual code reviews, and continuously assess vulnerabilities to ensure the platform remains secure.

What network security measures are implemented?

Our network is protected by industry-standard firewalls, intrusion detection/prevention systems (IDS/IPS), and DDoS protection mechanisms. We also implement IP whitelisting and secure network configurations to further safeguard access.

How do you manage encryption keys and other sensitive security configurations?

Encryption keys are managed using AWS Key Management Service and are rotated on a regular basis. This is part of our overall strategy to safeguard sensitive configurations and ensure continuous security through a robust CI/CD pipeline.

What is your process for managing third-party vendors and subprocessors?

We maintain a rigorous vendor management program. Critical subprocessors, like AWS, undergo full due diligence and are reviewed annually to ensure they meet our stringent security and compliance requirements.

How are production and non-production environments separated?

Production data is never used in non-production environments. We enforce strict segregation between production, development, and testing environments, and any data used outside production is either masked or entirely excluded.

What are your password policies and how do you enforce secure authentication?

Our policies require unique user IDs, complex passwords (with defined rules on length and character complexity), and periodic password changes. These controls are uniformly enforced across our sensitive systems through Okta SSO.

Do you provide regular security training and awareness programs for your employees?

Yes. All employees receive comprehensive security and privacy awareness training upon hire and are required to undergo annual refresher training to remain up-to-date with our security practices.

How is remote access secured?

Remote access is secured through the use of VPNs, MFA, and, where applicable, IP whitelisting. This ensures that only authenticated and authorized personnel can access our systems remotely.

Privacy

What is your data retention and deletion policy?

Customer data is retained for the duration of the business relationship or until a formal deletion request is received. Upon termination, we commit to data deletion in accordance with contractual agreements and applicable regulations.

Does Snappy offer a DPA?

Yes. Since Snappy loves to help you send gifts to recipients in all 50 United States and worldwide, we have included a DPA as part of our standard enterprise terms. You can check it out at https://www.snappy.com/legal/customer-dpa.

Snappy’s DPA incorporates provisions under CCPA/CPRA and other U.S. state privacy laws, GDPR, and UK GDPR. Our DPA also includes the Standard Contractual Clauses required for cross-border data transfers under GDPR and UK GDPR.

What type of Personal Information (PI) does Snappy collect and process in connection with our B2B services?

You generally need to provide Snappy with the name and email address of the gift recipient so we can notify them that you sent them a gift.

If you use some of our campaign functionalities (e.g., birthday and anniversary gifts), you may provide us with a limited amount of additional PI.

What information is not shared with Snappy?

Snappy doesn’t use any PI that is considered sensitive under applicable privacy law, except where Snappy specifically indicates it (i.e., the Gift Hunt feature). In addition, Snappy does not accept or process any Personal Health Information (PHI), and therefore, Snappy does not enter into any Business Associate Agreements (BAAs).

How do users submit a Data Subject Access or Deletion Request?

At Snappy, we are committed to respecting the PI users provide while using our platform. As part of that commitment, we give users control over their PI. Users can request access to their data, delete it, and manage how it gets used at:
