Easypromos is firmly committed to information security, considering it an intrinsic part of every decision made by each person, employee, or collaborator of the company. This dedication is reflected in the design and implementation of an Information Security Management System (ISMS).

Our commitment is to ensure the confidentiality, integrity, and availability of the information of our clients and the participants in the promotions.

Core security principles

Since its inception, Easypromos has maintained the following principles in the design and implementation of its security practices:

• Data integrity: A data protection and classification policy has been in place from day one, supported by an internal security team that ensures compliance with international standards, legal entities, and industry-specific confidentiality and privacy protocols.
• Operational security: The company has multiple interconnected policies for incident response, security compliance, and vendor management.
• Automated infrastructure: With clear security boundaries, machines are kept up to date, dependencies are protected against security vulnerabilities, and systems are continuously monitored and logged.

See Easypromos’ security and data protection policy.

Certifications and regulatory compliance

Easypromos holds certifications that validate its high security standards:

• ISO/IEC 27001: Certified by AENOR/IQNET, this standard establishes requirements for an Information Security Management System (ISMS), specifying best practices and controls for managing information risks.
• ISO/IEC 27018: Also certified by AENOR/IQNET, this standard focuses on the protection of personally identifiable information (PII) in public cloud environments, especially for service providers acting as PII processors.
• National Security Framework (ENS): Easypromos has successfully passed the self-assessment process in accordance with the requirements of Royal Decree 311/2022 of May 3, which regulates the basic-level ENS in Spain.
• GDPR: Easypromos is committed to complying with the obligations set out in Regulation (EU) 2016/679 of the European Parliament and Council of April 27, 2016, on the protection of personal data (GDPR).

Download Easypromos’ security certificates

Infrastructure and data protection

• Cloud hosting: All Easypromos’ technological infrastructure is hosted on Google Cloud Platform, specifically in the Google data center in St. Ghislain, Belgium (Europe). Google Cloud Platform complies with EU data protection and privacy directives.
• Data encryption: All data is encrypted at rest using AES-256. Keys are managed by Google Cloud Platform. Data in transit is always transmitted under a secure protocol using SSL with TLS (TLS 1.2, TLS 1.3).
• Data ownership and processing: Promotion participant data belongs to the promotion organizer. Easypromos acts as a data processor and under no circumstances uses user data; it only stores it. The data processing agreement is defined in clause 17 of Easypromos’ Terms and Conditions.
• Sub-processors: Easypromos works with third-party providers that may access participant data. These are considered data sub-processors and must comply with high security standards. Contact security@easypromosapp.com to request the full list of sub-processors.

Operational security and management

• Access management: Based on the principles of least privilege and role-based access. Staff are only authorized to access data necessary for their job duties. All system access is protected with multi-factor authentication (MFA) and requires an approved password manager to generate and store unique and complex keys.
• Vulnerability management: Easypromos implements a vulnerability management process that includes regular internal and external assessments (pentesting). It subscribes to services like opencve.io for real-time notifications of new vulnerabilities. Critical updates and security patches are applied promptly.
• Incident response: Critical incidents are monitored and addressed 24/7, year-round. A dedicated security team monitors infrastructure and provider alerts. Easypromos uses a public status page (https://status.easypromosapp.com) to provide real-time updates on service status, maintenance, and incidents.
• Logging and activity monitoring: A full view of the production infrastructure’s security status is logged and analyzed. Administrative access and privileged command usage are recorded. Tools such as ElasticSearch and Kibana are used for log storage and analysis, and Grafana is used to monitor critical services and send real-time alerts. Logs are retained for at least 1 month, and critical logs for audits or incidents are retained for 1 year. User behavior anomaly detection is implemented to identify threats.
• Backups and disaster recovery: Transactions are continuously saved, and full daily backups are performed. Participant databases are backed up four times daily and stored in Google Cloud Storage. Full server snapshots are taken at varying frequencies, including every 2 hours for the Back-Master server. Backups are tested at least quarterly to ensure restoration. There is a multi-provider replica of the MySQL database in Amazon AWS, and storage buckets are multi-zone to ensure availability. In case of a critical failure, systems can be restored in less than 24 hours, with an estimated recovery time of 2 hours from a disk snapshot and 24 hours from an SQL dump. Participant personal data in backups is deleted within a maximum of 2 months.
• Physical security:
  • Offices: Access is controlled with alarm systems connected to a control center, and individuals attempting to enter are identified. A clean desk policy is enforced to prevent unattended sensitive information. Workstations are turned off at the end of the day and are protected with passwords and automatic locking after 10 minutes of inactivity (5 minutes for remote work).
  • Data centers (DCs): Critical assets are located in secure areas with special measures. Controls include perimeter security (walls, fences, video surveillance), restricted access with 24/7 electronic control, fire detection and suppression systems, temperature and humidity control, and uninterruptible power supplies.
• Secure software development: A secure development policy is applied, including the use of distributed systems, in-memory caching, optimized databases, queue systems with asynchronous tasks, and role-based access. Storing passwords or production credentials in the code is strictly prohibited. API keys are stored as environment variables in Jenkins, and user access tokens are encrypted in the database. All code is stored in GIT repositories (Bitbucket) for version control. New developments go through a pre-production environment for QA testing.
• Email security: To minimize spoofing and spam, Easypromos enforces strict SPF, DKIM, and DMARC policies.
• Intellectual property protection: Installation of software without a valid license and use of third-party content or tools without explicit permission is prohibited. Periodic audits are conducted to ensure compliance.

Download the Easypromos Security Workpaper for more details about security measures.

Commitment to training and awareness

Easypromos ensures that all staff and collaborators are continuously trained in cybersecurity, enabling them to proactively identify risks and threats and apply preventive measures.

Comprehensive anti-fraud system in promotions

Easypromos has developed an advanced system to prevent fraud in online promotions. This system includes:

• Security mechanisms in user registration and identification: Use of temporary email domain databases, detection of misspelled addresses, double email and phone validation, ReCaptcha, and multiple user ID systems (SSO, identity documents, customer codes).
• Participation control and prize limits: Allows configuration of participation frequency and the number of prizes a user can win.
• Security center for administrators: Offers a visual indicator of the promotion’s security level, display of security alerts, tools to analyze and block suspicious email domains and IP addresses, and audit logs of all admin actions.
• Proactive alarm monitoring service: A specialized human team constantly supervises promotion activity.
• Concurrency limits and waiting room: Systems to manage traffic spikes and prevent availability issues by redirecting overflow traffic to a waiting room.
• Legal measures: Promotion terms may include clauses to discourage fraud, allowing for unilateral disqualification and legal claims for damages.
• Mechanisms specific to promotion types: Includes measures for time-based skill games, purchase receipt validation (with AI and duplicate detection), voting contests (mandatory registration, frequency control, fraud pattern detection), digital coupon redemption (unique QR codes, user binding, PINs), and random draws (result certification, encrypted random number generator, exclusion of past winners).

Download the Ebook on Easypromos' measures to prevent participant fraud in contests.