Skip to main content

Security at eCardWidget

How we protect your data.

eCardWidget's security program is aligned with Trust Service Criteria across security, availability, confidentiality, and privacy. Below is an overview of the technical and organizational measures we maintain.

Infrastructure

eCardWidget runs on DigitalOcean (SOC 2 Type 2 certified) infrastructure in their US-based data center region. All systems operate within an isolated Virtual Private Cloud (VPC) with cloud firewalls restricting traffic between components.

Control Detail
Hosting DigitalOcean (SOC 2 Type 2 certified)
Network Isolation Private VPC with cloud firewall rules between all components
Edge Protection Cloudflare (SOC 2 Type 2 certified)
Intrusion Prevention CrowdSec and Fail2Ban deployed across infrastructure
Server Hardening CIS Benchmark hardening applied to infrastructure components
SIEM Wazuh agents deployed on all hosts

Encryption

Method
In Transit TLS 1.2+ enforced on all connections via Cloudflare and Caddy reverse proxy
At Rest AES-256 encryption on all managed databases via DigitalOcean (SOC 2 Type 2 certified)
Database Connections SSL/TLS required; restricted to isolated VPC

Standard cryptographic libraries only. No custom encryption implementations.

Application Security

Identity & Access (Enterprise)

  • Single sign-on via OpenID Connect — authorization-code flow with PKCE (S256), RS256-signed ID tokens, SP-initiated. Okta, Microsoft Entra ID, Google Workspace, and any standards-compliant OIDC provider. SAML is not supported.
  • Domain verification — SSO activates only after DNS-TXT proof of email-domain ownership; a require-SSO option enforces IdP-only sign-in.
  • SCIM 2.0 lifecycle deprovisioning — deactivating a user in your IdP disables them here automatically; SCIM bearer tokens rotate with a 48-hour grace window.

Details: SSO & Directory Sync · documentation

  • Vulnerability Scanning — Regular security scans across codebase and infrastructure using static analysis (SAST), container image scanning, and external vulnerability scanning
  • Centralized Logging — Application and system logs aggregated in a centralized logging platform with real-time alerting
  • Access Control — MFA enforced on infrastructure, source control, and cloud provider accounts
  • Static Analysis — Code changes undergo automated static analysis (SAST) scanning

Data Handling

eCardWidget processes data necessary to deliver the service, including business email addresses, names, and eCard message content. For enterprise directory features, position/title, department, and optionally birth month and day (year is not collected) may be stored.

Practice Detail
Retention Data handled in accordance with our published data retention policy
Data Location United States
Deletion Upon account cancellation, customer data is deleted from eCardWidget systems in accordance with our data retention policy

A current list of third-party services involved in operating the platform is maintained in our Privacy Policy.

Privacy & International Compliance

eCardWidget maintains practices informed by major data protection frameworks, including GDPR, CCPA, and PIPEDA. Details on how we collect, use, and handle personal data are documented in our Privacy Policy.

Data Subject Requests

Individuals may request access to, correction of, or deletion of their personal data from eCardWidget systems by contacting [email protected].

International Data Transfers

All data is stored in the United States. For customers requiring a legal mechanism for cross-border data transfers, we offer Data Processing Agreements incorporating EU Standard Contractual Clauses (Module 2: Controller to Processor) and the UK International Data Transfer Addendum.

Third-Party Services

eCardWidget uses third-party services to operate the platform, deliver emails, process payments, and support customers. These services operate under their own terms and privacy policies. A current list is maintained in our Privacy Policy.

Operational Security

Monitoring

SIEM monitoring with automated alerting for security events and infrastructure issues.

Incident Response

Documented incident response plan with procedures for detection, containment, communication, and recovery.

Backups & Recovery

Automated daily database backups with point-in-time recovery via DigitalOcean (SOC 2 Type 2 certified) Managed Databases. Documented disaster recovery plan.

Availability

99.9% uptime SLA. Published at ecardwidget.com/sla.

Policies

Responsible Disclosure

To report a potential security vulnerability, contact [email protected].