Trust Center

Welcome! At Lightspeed, we believe that trust is essential when it comes to technology. It's our priority to handle your data securely. The details on this page are provided for general informational purposes only and are not intended to provide legal advice. You should consult with your own legal counsel for advice about requirements governing your specific circumstances.

Privacy

Privacy basics

Our Merchants are data controllers of the personal data they collect through our Services (as defined in our Data Processing Agreement). Lightspeed acts as a data processor for our Merchants and our Data Processing Agreement governs our processing of personal data on our Merchants’ behalf.

Lightspeed is a data controller of personal data that we collect directly. This includes personal data about our Merchants, Partners, visitors to our websites, and consumers who engage directly with us, such as golfers using Chronogolf or consumers using Order Anywhere. Our Privacy Policy and our Privacy Statement for Consumers set out our practices with respect to this data.

International Data Transfers

Lightspeed may transfer personal data to, and store it in, countries other than the country in which the data was originally collected, including destinations outside the EU. For transfers to countries that are not covered by a European Commission adequacy finding, we rely on the latest Standard Contractual Clauses incorporated into our Data Processing Agreement. We have incorporated the International Data Transfer Addendum for Merchants established in the UK.

Lightspeed is also certified under the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework. Please see our Privacy Policy for more information.

Technical and Organizational Measures

We have implemented a range of technical and organizational measures to safeguard personal data. These measures are designed to maintain the ongoing confidentiality, integrity, and availability of our products and Services. For more detail, please refer to the Security section of our Trust Center.

Data Retention

Lightspeed processes personal data for as long as it is reasonably needed to fulfill the purposes for which we collected it. Our retention term can be longer if we are required to keep the personal data longer on the basis of applicable law or to administer our business.

Subprocessors

Lightspeed engages sub-processors to assist us in delivering our Services. We have data processing agreements in place with these sub-processors to protect the personal data they process, and we ensure they commit to the same level of data protection and privacy standards that we commit to our Merchants.

Government Disclosure

Lightspeed will not disclose Merchant data to public authorities without a valid warrant, subpoena, court order, or equivalent legal process. If we receive a disclosure request, we will notify Merchants to the extent permitted by applicable law and make reasonable efforts to narrow the scope of the request if the scope appears overly broad.

Data Subject Rights

Depending on your location and subject to applicable law, you may have the right to request access, correction, and deletion of your personal data.

If you have purchased something from one of our Merchants, please reach out to that Merchant directly about your data rights request.

If you are a Lightspeed Merchant, you may submit a request to exercise any of your data rights by filling out this online form.

Security

Overview

Lightspeed employs an experienced team of information security experts. The following descriptions provide an overview of the technical and organizational security controls that Lightspeed maintains to protect and secure all Merchant data.

Compliance & Certifications

Lightspeed undergoes regular independent audits of our security controls to ensure they meet global standards.

Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is the global security standard for protecting payment card information. Lightspeed does not store, process, or transmit any cardholder data. We rely on PCI-compliant third-party service providers to handle transactions. This is attested by a PCI Qualified Security Assessor (QSA) yearly.

System and Organization Controls (SOC)
NuORDER by Lightspeed is audited yearly for SOC 2 Type 2 compliance. This audit certifies that controls governing security, availability, processing integrity, confidentiality, and privacy of Merchant data are designed appropriately and operating effectively.

Please see our contact information to request a copy of our compliance certifications.

Infrastructure and Endpoint Security / Access Control

Lightspeed keeps our network safe and secure against unauthorized access.

We are constantly enforcing measures to keep Lightspeed’s network safe and secure. Such measures include system monitoring, logging, alerting, and Distributed Denial-of-Service (DDoS) protection.

To protect Lightspeed from unauthorized access via remote devices, company-issued devices are configured, updated, and tracked by endpoint management solutions. By default, Lightspeed workstations are equipped with data encryption, firewalls, strong passwords, and endpoint protection.

We also centrally manage access to Lightspeed’s network and applications, enforce multi-factor authentication, and continuously audit access to follow the principle of least privilege. Privileges are assigned on a need-to-know basis and are revoked when a job role changes or employment ceases.

Data Protection

Lightspeed protects data in transit and at rest using strong encryption protocols.

Lightspeed hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls of our infrastructure providers are audited for SOC 2 Type 2, ISO 27001, PCI DSS, GDPR, FIPS 140-2, NIST 800-717, etc.

System Monitoring and Incident Management

Lightspeed uses advanced security tools to maintain a secure environment for our Merchants’ data. We monitor threat intelligence and alerts to preempt attacks and protect our systems. When we discover a security incident, our incident response team acts quickly to identify, mitigate, and resolve the issue according to our incident response plan.

If we become aware of unlawful access to Merchant data stored within our products, we will notify the affected Merchant, provide a description of the steps we are taking to resolve the incident, and provide status updates as necessary.

Security Testing

We routinely scan our code and deployments for vulnerabilities and misconfigurations to ensure our Services and Merchant data are protected.

Additionally, Lightspeed has a public bug bounty program to enable researchers to test our products and encourage responsible disclosure of security issues. We also engage third parties to conduct annual external and internal penetration testing.

Security Policies

The security team maintains policies and standards to help Lightspeed meet our service commitments to Merchants. These policies and standards are reviewed annually and are shared internally with team members.

Security Awareness Training

Lightspeed prioritizes the ongoing security education of its employees.

We take a comprehensive approach to security awareness to ensure that employees are well-versed in best practices. Our employees complete security awareness training when first hired and take refresher courses annually. We also engage employees in ongoing discussions about the latest security threats and how to address them. This approach keeps employees informed and empowers them to actively participate in data protection.

Contact Information

For further information regarding the security of Lightspeed products, you can reach out to our support team or your customer success manager at any time. 

If you have any questions regarding our privacy practices, you can reach our Privacy Team at [email protected].

For Merchants established in Germany only, you may contact:

Data Protection Officer: Karina Filusch
Friedrichstraße 95
D-10117 Berlin
Germany
Email: [email protected], with a copy to: [email protected]