SaleStreams is built so that data protection, payment security and information security management reinforce each other — not compete. Here's how we approach compliance across the platform.
GDPR, PCI DSS and ISO 27001 regulate different things — personal data, cardholder data, and information security management respectively — but on a platform like ours they converge on the same underlying controls: access, encryption, logging, retention, incident response and supplier oversight.
Governs how we collect, process and protect personal data across our customer portal, marketing, loyalty and membership features — covering consent, data-subject rights and accountability.
Applies to every point our platform captures, transmits or stores cardholder data. We scope our payment flows tightly and tokenise card data at capture wherever possible.
A certifiable management-system standard covering our entire estate — platform, back office, suppliers and underlying infrastructure — as a single Information Security Management System (ISMS).
Rather than running separate programmes per framework, we build one control set sized to the strictest applicable requirement, so each control satisfies GDPR, PCI DSS and ISO 27001 at the same time.
| Control area | How we approach it |
|---|---|
| Access & authentication | Per-user credentials with multi-factor authentication, enforced through a single identity service across the platform. |
| Encryption | Data is encrypted in transit and at rest, with cardholder data tokenised at the point of capture so raw card numbers never reach our back-office systems. |
| Logging & monitoring | Access to records is logged with tamper-evident retention, masking sensitive values so audit logs never become a data-protection liability of their own. |
| Data minimisation & retention | We collect and retain only the data needed to run the platform, for no longer than necessary, consistent with our published retention practices. |
| Testing & vulnerability management | Regular vulnerability scanning and periodic independent penetration testing across the platform. |
| Supplier oversight | Third-party suppliers are assessed for data protection agreements, payment compliance status and information security certifications before onboarding. |
| Incident response | A single incident response plan with defined notification paths for regulators, payment schemes and affected customers, triaged by the type of data involved. |
Our infrastructure and controls are built to meet the following standards.
Request our DPA, security questionnaire responses or certification evidence for your procurement or audit process.