Welcome! At Lightspeed, we believe that trust is essential when it comes to technology. It's our priority to handle your data securely. The details on this page are provided for general informational purposes only and are not intended to provide legal advice. You should consult with your own legal counsel for advice about requirements governing your specific circumstances.
Our Merchants are data controllers of the personal data they collect through our Services (as defined in our Data Processing Agreement). Lightspeed acts as a data processor for our Merchants and our Data Processing Agreement governs our processing of personal data on our Merchants’ behalf.
International Data Transfers
Lightspeed may transfer to, and store personal data in, countries other than the country in which the data was originally collected, including destinations outside the EU. For transfers to countries that are not covered by a European Commission adequacy finding, we rely on the latest Standard Contractual Clauses incorporated into our Data Processing Agreement. We have also incorporated the International Data Transfer Addendum for Merchants established in the UK.
Technical and Organizational Measures
We have implemented a range of technical and organizational measures to safeguard personal data. These measures are designed to maintain the ongoing confidentiality, integrity, and availability of our products and Services. For more detail, please refer to the Security section of our Trust Center.
Lightspeed processes personal data for as long as it is reasonably needed to fulfill the purposes for which we collected it. Our retention term can be longer if we are required to keep the personal data longer on the basis of applicable law or to administer our business.
Where you have the right to request its deletion, we will delete your personal data in accordance with and upon receipt of written instructions from you to this effect, unless we are legally required to keep it. You may choose to do this in the event you terminate your agreement for the Services.
Lightspeed engages sub-processors to assist us in delivering our Services. We have data processing agreements in place with these sub-processors to protect the personal data they process, and we ensure they commit to the same level of data protection and privacy standards that we commit to for our Merchants.
Our sub-processor list is available here.
Lightspeed will not disclose Merchant data to public authorities without a valid warrant, subpoena, court order, or equivalent legal process. If we receive a disclosure request, we will notify Merchants to the extent permitted by applicable law and make reasonable efforts to narrow the scope of the request if the scope appears overly broad.
Data Subject Rights
Depending on your location and subject to applicable law, you may have the right to request access, correction, and deletion of your personal data.
If you have purchased something from one of our Merchants, please reach out to that Merchant directly about your data rights request.
If you are a Lightspeed Merchant, you may submit a request to exercise any of your data rights by filling out this online form.
Lightspeed employs an experienced team of information security experts. The following descriptions provide an overview of the technical and organizational security controls that Lightspeed maintains to protect and secure all Merchant data.
Compliance & Certifications
Lightspeed undergoes regular independent audits of our security controls to ensure they meet global standards.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is the global security standard for protecting payment card information. Lightspeed does not store, process, or transmit any cardholder data. We rely on PCI-compliant third-party service providers to handle transactions. This is attested annually by a PCI Qualified Security Assessor (QSA).
System and Organization Controls (SOC)
NuORDER by Lightspeed is audited yearly for SOC 2 Type 2 compliance. This audit certifies that controls governing security, availability, processing integrity, confidentiality, and privacy of Merchant data are designed appropriately and operating effectively.
Please see our contact information to request a copy of our compliance certifications.
Infrastructure and Endpoint Security / Access Control
Lightspeed keeps our network safe and secure against unauthorized access.
We are constantly enforcing measures to keep Lightspeed’s network safe and secure. Such measures include system monitoring, logging, alerting, and Distributed Denial-of-Service (DDoS) protection.
To protect Lightspeed from unauthorized access via remote devices, company-issued devices are configured, updated, and tracked by endpoint management solutions. By default, Lightspeed workstations are equipped with data encryption, firewalls, strong passwords, and endpoint protection.
We also centrally manage access to Lightspeed’s network and applications, enforce multi-factor authentication, and continuously audit access to follow the principle of least privilege. Privileges are assigned on a need-to-know basis and are revoked when a job role changes or employment ceases.
Lightspeed protects data in transit and at rest using strong encryption protocols.
Lightspeed hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls of our infrastructure providers are audited against SOC 2 Type 2, ISO 27001, PCI DSS, GDPR, FIPS 140-2, NIST SP 800-171, and other standards.
System Monitoring and Incident Management
Lightspeed uses advanced security tools to maintain a secure environment for our Merchants’ data. We monitor threat intelligence and alerts to preempt attacks and protect our systems. When we discover a security incident, our incident response team acts quickly to identify, mitigate, and resolve the issue according to our incident response plan.
If we become aware of unlawful access to Merchant data stored within our products, we will notify the affected Merchant, provide a description of the steps we are taking to resolve the incident, and provide status updates as necessary.
We routinely scan our code and deployments for vulnerabilities and misconfigurations to ensure our Services and Merchant data are protected.
Additionally, Lightspeed has a public bug bounty program to enable researchers to test our products and encourage responsible disclosure of security issues. We also engage third parties to conduct annual external and internal penetration testing.
The security team maintains policies and standards to help Lightspeed meet our service commitments to Merchants. These policies and standards are reviewed annually and are shared internally with team members.
Security Awareness Training
Lightspeed prioritizes the ongoing security education of its employees.
We take a comprehensive approach to security awareness to ensure that employees are well-versed in best practices. Our employees complete security awareness training when first hired and take refresher courses annually. We also engage employees in ongoing discussions about the latest security threats and how to address them. This approach keeps employees informed and empowers them to actively participate in data protection.