Security & Compliance
Your data security is our top priority. PickSafely employs industry-standard security measures across all plans and aligns with global data protection principles.
Important clarification: our self-serve plans are designed to make giveaways more transparent and secure, but they do not by themselves make your promotions legally compliant with local, state, federal, or international giveaway, sweepstakes, or contest laws. Security and technical-grade compliance for regulated campaigns are offered only through custom, compliant-grade engagements and must be implemented in coordination with your own legal counsel.
Nothing on this page is legal advice. You are responsible for obtaining advice about applicable giveaway and promotion laws in every jurisdiction where you run a campaign.
Security First
Baseline protections on every plan
Custom, compliant-grade deployments with additional security controls and evidence retention are available through tailored engagements.
Comprehensive Protection
Security measures that protect your data
We implement multiple layers of security to help ensure your giveaway data remains safe and private across all plans. These technical controls are foundational safeguards and are not a substitute for custom legal review or compliant-grade architectures tailored to specific jurisdictions or regulatory regimes.
- End-to-End Encryption
All data transmitted between your browser and our servers is encrypted using TLS 1.3. Participant data is encrypted at rest using AES-256.
- Cryptographic Randomization
Winner selection uses SHA-256 cryptographic hashing with verifiable random seeds, helping ensure randomness that cannot be easily manipulated.
- Access Controls
Role-based access control helps ensure only authorized team members can view sensitive data. Multi-factor authentication is available for supported plans.
- Regular Security Reviews
We review our architecture, dependencies, and configurations on a regular cadence to align with security best practices and harden the platform over time.
- Data Isolation
Customer data is logically isolated in our multi-tenant architecture. Each account's data is segregated and protected from unauthorized access.
- Secure Infrastructure
Hosted on modern cloud infrastructure with redundancy, DDoS protections from our providers, and automated scaling.
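As an added illustration of the "Cryptographic Randomization" item above (this is example code written for this page, not PickSafely's implementation, and the page does not describe the actual algorithm), here is one standard way a SHA-256-based draw with a published seed can be made reproducible by anyone: a commit-reveal pattern in which the organizer publishes SHA-256(seed) before entries close, then reveals the seed and the frozen entry list afterwards so that a third party can recompute the draw. The function names, the use of HMAC-SHA256 to rank entries, and the sample entries are all assumptions for this example.

```python
"""Verifiable, seed-based winner selection (illustrative example, not PickSafely code).

Assumed scheme (commit-reveal; not taken from the page):
 1. Before entries close, the organizer publishes COMMITMENT = SHA-256(seed).
 2. After entries close, the organizer publishes the frozen entry list,
    the seed, and the winners.
 3. Anyone can check SHA-256(seed) == COMMITMENT and recompute the draw.
Because the seed was committed to before the entries were known, the organizer
cannot pick a seed that favours a particular entry after the fact.
"""
import hashlib
import hmac
import secrets


def commit_seed(seed: bytes) -> str:
    """Publish this before entries close; it binds the organizer to the seed."""
    return hashlib.sha256(seed).hexdigest()


def entries_digest(entries: list[str]) -> str:
    """Fingerprint of the frozen entry list, so verifiers know which list was drawn from.

    Sorting first makes the digest independent of the order entries were stored in.
    """
    canonical = "\n".join(sorted(entries)).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def draw_winners(seed: bytes, entries: list[str], count: int) -> list[str]:
    """Rank each distinct entry by HMAC-SHA256(seed, entry) and take the lowest `count`.

    Ranking by a per-entry keyed hash avoids the modulo bias of
    `int(hash, 16) % len(entries)`, gives every distinct entry the same chance,
    and does not depend on the order in which entries were collected.
    Duplicates are collapsed so one entrant submitting twice gains nothing.
    """
    unique = sorted(set(entries))
    if count > len(unique):
        raise ValueError("cannot draw more winners than distinct entries")
    ranked = sorted(
        unique,
        key=lambda e: hmac.new(seed, e.encode("utf-8"), hashlib.sha256).digest(),
    )
    return ranked[:count]


def verify_draw(commitment: str, seed: bytes, entries: list[str],
                claimed_winners: list[str]) -> bool:
    """Third-party check: the revealed seed matches the commitment and reproduces the winners."""
    if not hmac.compare_digest(commit_seed(seed), commitment):
        return False  # seed was changed after the commitment was published
    return draw_winners(seed, entries, len(claimed_winners)) == claimed_winners


if __name__ == "__main__":
    # Constructed sample entries (one deliberate duplicate); not real data.
    entries = [
        "alice@example.com",
        "bob@example.com",
        "carol@example.com",
        "dave@example.com",
        "alice@example.com",
    ]
    seed = secrets.token_bytes(32)          # organizer's secret, revealed after the draw
    commitment = commit_seed(seed)          # published before entries close
    winners = draw_winners(seed, entries, 2)
    print("commitment    :", commitment)
    print("entries digest:", entries_digest(entries))
    print("winners       :", winners)
    print("verifies      :", verify_draw(commitment, seed, entries, winners))
```

The property a verifier relies on is that the commitment, the entry-list digest, and the winners are all published, and that the draw is a pure function of (seed, entries); anyone holding those three artefacts can rerun `verify_draw` without trusting the organizer's software.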
Compliance & Certifications
We align our platform with international data protection regulations and industry standards, and we leverage trusted infrastructure and payment partners. Some controls and attestations may only be available as part of custom compliant-grade engagements. Full legal compliance with sweepstakes, contest, and lottery laws in your jurisdictions requires your own legal counsel.
- GDPR (General Data Protection Regulation)
We design our data-handling practices with GDPR principles in mind, including data export and deletion workflows. Full legal compliance depends on how you configure and operate your campaigns with your legal counsel.
- CCPA (California Consumer Privacy Act)
We support data access and deletion requests for California residents. You remain responsible for meeting all CCPA obligations in how you collect, use, and disclose data in your own business.
- SOC 2 (Service Organization Controls)
We follow SOC 2–aligned practices for security, availability, and confidentiality. Formal reports and additional controls may be available only as part of custom compliant-grade engagements.
- PCI DSS (Payment Card Industry Data Security Standard), via processor
Payment data is handled by our payment processors (e.g., Stripe) who maintain PCI DSS compliance. PickSafely does not store raw card details.
Our Security Practices
Security is embedded in every aspect of our platform, from development to deployment. We follow secure coding practices, conduct code reviews, and use automated scanning in our delivery pipeline.
Our team monitors the platform for potential issues and maintains comprehensive logs and audit trails for system activities. For compliant-grade deployments, those logs can be tailored to your evidence-retention and audit requirements.
We believe in transparency about our security practices. A high-level security overview is available to all customers, and more detailed documentation can be provided to custom compliant-grade customers under NDA where appropriate.
All employees receive security training and follow the principle of least privilege. For regulated campaigns, we can work with your security and legal teams to design an appropriate technical and process control environment—but we cannot replace your own legal advice.
Data Handling
How we protect your data
Every piece of data you entrust to us is handled with care and protected by multiple layers of technical and organizational controls. Custom compliant-grade engagements can add stricter retention, segregation, and evidence requirements for regulated giveaways.
- Encryption at rest
All stored data is encrypted using AES-256 encryption.
- Secure transmission
TLS 1.3 encryption is used for all data in transit.
- Regular backups
Automated encrypted backups with point-in-time recovery capabilities.
Security Features by Plan
- All Plans:
  - SSL/TLS encryption
  - Encrypted data storage
  - Secure authentication
  - Baseline logging and monitoring
These controls improve transparency and security but do not constitute full legal or regulatory compliance for any particular jurisdiction.
- Pro and higher tiers:
  - Multi-factor authentication (where enabled)
  - More detailed audit logs
  - Advanced project and team controls
  - Support for increased retention windows
- Custom compliant-grade engagements:
  - Architectures aligned with your legal and security requirements (e.g., dedicated or physically isolated infrastructure)
  - Extended evidence retention (e.g., 3+ years) for audit and dispute resolution
  - Additional controls to support local, state, and federal promotion requirements as defined by your counsel
  - Security and technical documentation to support your compliance and risk assessments
These engagements are designed to support security and technical-grade compliance for regulated campaigns, in collaboration with your legal and compliance teams. PickSafely does not provide legal advice.
Need compliant-grade giveaways?
If you are running regulated or large-scale promotions, talk with us and your legal counsel about a custom compliant-grade deployment that supports your local and federal giveaway obligations.
You remain responsible for understanding and complying with all applicable giveaway, sweepstakes, contest, and advertising laws in the jurisdictions where you operate.