Security at eCardWidget

How we protect your data.

eCardWidget's security program is aligned with Trust Service Criteria across security, availability, confidentiality, and privacy. Below is an overview of the technical and organizational measures we maintain.

Infrastructure

eCardWidget runs on DigitalOcean (SOC 2 Type 2 certified) infrastructure in their US-based data center region. All systems operate within an isolated Virtual Private Cloud (VPC) with cloud firewalls restricting traffic between components.

| Control | Detail |
| --- | --- |
| Hosting | DigitalOcean (SOC 2 Type 2 certified) |
| Network Isolation | Private VPC with cloud firewall rules between all components |
| Edge Protection | Cloudflare (SOC 2 Type 2 certified) |
| Intrusion Prevention | CrowdSec and Fail2Ban deployed across infrastructure |
| Server Hardening | CIS Benchmark hardening applied to infrastructure components |
| SIEM | Wazuh agents deployed on all hosts |

Encryption

| | Method |
| --- | --- |
| In Transit | TLS 1.2+ enforced on all connections via Cloudflare and Caddy reverse proxy |
| At Rest | AES-256 encryption on all managed databases via DigitalOcean (SOC 2 Type 2 certified) |
| Database Connections | SSL/TLS required; restricted to isolated VPC |

Standard cryptographic libraries only. No custom encryption implementations.

Application Security

  • Vulnerability Scanning — Regular security scans across codebase and infrastructure using static analysis (SAST), container image scanning, and external vulnerability scanning
  • Centralized Logging — Application and system logs aggregated in a centralized logging platform with real-time alerting
  • Access Control — MFA enforced on infrastructure, source control, and cloud provider accounts
  • Static Analysis — Code changes undergo automated static analysis (SAST) scanning

Data Handling

eCardWidget processes data necessary to deliver the service, including business email addresses, names, and eCard message content. For enterprise directory features, position/title, department, and optionally birth month and day (year is not collected) may be stored.

| Practice | Detail |
| --- | --- |
| Retention | Data handled in accordance with our published data retention policy |
| Data Location | United States |
| Deletion | Upon account cancellation, customer data is deleted from eCardWidget systems in accordance with our data retention policy |

A current list of third-party services involved in operating the platform is maintained in our Privacy Policy.

Privacy & International Compliance

eCardWidget maintains practices informed by major data protection frameworks, including GDPR, CCPA, and PIPEDA. Details on how we collect, use, and handle personal data are documented in our Privacy Policy.

Data Subject Requests

Individuals may request access to, correction of, or deletion of their personal data from eCardWidget systems by contacting [email protected].

International Data Transfers

All data is stored in the United States. For customers requiring a legal mechanism for cross-border data transfers, we offer Data Processing Agreements incorporating EU Standard Contractual Clauses (Module 2: Controller to Processor) and the UK International Data Transfer Addendum.

Third-Party Services

eCardWidget uses third-party services to operate the platform, deliver emails, process payments, and support customers. These services operate under their own terms and privacy policies. A current list is maintained in our Privacy Policy.

Operational Security

Monitoring

SIEM monitoring with automated alerting for security events and infrastructure issues.

Incident Response

Documented incident response plan with procedures for detection, containment, communication, and recovery.

Backups & Recovery

Automated daily database backups with point-in-time recovery via DigitalOcean (SOC 2 Type 2 certified) Managed Databases. Documented disaster recovery plan.

Availability

99.9% uptime SLA. Published at ecardwidget.com/sla.

Policies

Responsible Disclosure

To report a potential security vulnerability, contact [email protected].

Accessibility Statement

We are committed to providing a website experience that is accessible to the widest possible audience and to continually improving accessibility and usability across our website and services.

Our goal is to support applicable accessibility standards, including the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA, through ongoing evaluation, testing, remediation, and improvement efforts.

Accessibility is an ongoing process. While we strive to make all pages and functionality accessible, some content or features may not yet fully conform to all accessibility standards at all times. We are continuously working to improve accessibility as technologies, standards, and user needs evolve.

This website may include tools and features intended to enhance accessibility and usability, such as options for text scaling, contrast adjustment, and reduced motion preferences. These tools are intended to assist users but may not address every accessibility need or work equally for all users or assistive technologies.

If you experience difficulty accessing any content, feature, or functionality on this website, or if you have specific accessibility questions or concerns, please contact us. We take accessibility feedback seriously and will make commercially reasonable efforts to address reported issues and provide requested information or services through an alternative method where appropriate.

Contact: [email protected]

Last Updated: May 2026