Security & Compliance

Security & GDPR compliance: our commitments

The security of your data is our responsibility as much as yours. Walleett hosts and processes your customers' loyalty data. That responsibility shapes our entire architecture, our hosting choices, and our contractual commitments.

Hosting & Infrastructure

Your data hosted in Europe.

All databases containing your end customers' information, along with the critical pass generation and update services, are hosted in France and within the European Union, with established market providers.

🇫🇷

Application & pass generation

AWS, Paris region (eu-west-3).

📦

File & certificate storage

AWS S3, European infrastructure.

🗄️

Business databases

MongoDB and PostgreSQL, European hosting.

🛠️

Backoffice & internal services

VM hosted in Europe.

Our hosting providers hold the market's highest certifications (ISO 27001, SOC 2 Type II), guaranteeing the quality of their data centers, physical and logical monitoring, and operational continuity.

Personal data protection

GDPR data processor, by design.

Under GDPR, Walleett acts as a data processor within the meaning of Article 28. Customers (the brands, retailers, or event organizers) remain the data controllers for the data they entrust to us. We process that data strictly according to their instructions, and solely to deliver the subscribed service.

Our contractual commitment

Every client receives a Data Processing Agreement (DPA) that formalizes our role as data processor, governs the conditions of processing, and sets out the mutual commitments in accordance with Article 28 of the GDPR.

Data processed

Walleett processes only the data our clients send us to generate and manage their passes. The exact nature of that data depends on the configuration chosen: opaque identifiers, personalization variables (first name, loyalty number, points...), or technical identifiers required by Apple and Google Wallets.

Individual rights

Rights of access, rectification, erasure, and portability are exercised with the data controller (the brand or retailer that owns the customer relationship). Walleett provides the necessary technical capabilities (member deletion, data export).

Security architecture

Protection at multiple layers.

Walleett's technical security is built on proven mechanisms and industry-recognized standards. Here are the main safeguards in place.

🔒

Encryption at rest

Apple Wallet and Google Wallet certificates are encrypted with AES-256-GCM, using keys derived uniquely per client (strict cryptographic isolation between tenants).

🔐

Encryption in transit

All communications use TLS, with HSTS enforced in production. Communications with Apple Push Notification Service use TLS encryption with certificate-based authentication.

🔑

Strong authentication

Passwords and API secrets hashed with bcrypt at a high cost factor (never stored in plain text). Sessions managed via JWT with automatic expiration.

🛑

API access control

Each API key is scoped per brand and can be restricted to an IP range. Rate limits are configurable and enforced at the individual key level.

🚦

Attack protection

Progressive rate limiting by IP on repeated authentication failures. Automatic temporary blocking to limit brute-force attempts.

✍️

Protected pass URLs

Each pass download URL is signed with HMAC-SHA256, guaranteeing authenticity and preventing any tampering.
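One way a signed download URL of the kind described under "Protected pass URLs" can be built and checked, as an added example that is not Walleett's code. The `/passes/download` path, the `pass`, `expires` and `sig` parameter names, the expiry check and the demo key are all assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed demo key; a real service loads a random secret from a secret store.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _mac(key, path, params):
    # Canonical form: path plus query parameters sorted by name, so signer and
    # verifier hash the same bytes whatever order the query arrives in.
    canonical = path + "?" + urlencode(sorted(params.items()))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def sign_url(key, path, params, expires):
    """Return path?params&expires=...&sig=<HMAC-SHA256 hex> (assumed layout)."""
    signed = {**params, "expires": str(expires)}
    signed["sig"] = _mac(key, path, signed)  # MAC covers everything except sig
    return path + "?" + urlencode(signed)


def verify_url(key, url, now=None):
    """True only if the signature matches and the URL has not expired."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    params = dict(pairs)
    if len(params) != len(pairs):  # duplicate names are ambiguous: reject
        return False
    sig = params.pop("sig", None)
    if sig is None or not params.get("expires", "").isdigit():
        return False
    expected = _mac(key, parts.path, params)
    # Constant-time comparison on bytes avoids leaking how many characters match.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False
    return (time.time() if now is None else now) <= int(params["expires"])
```

Because the MAC covers the path and every parameter, changing the pass identifier or the expiry invalidates the signature; the expiry is what limits replay of a leaked URL.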

Retention & Lifecycle

Every piece of data has a defined lifespan.

In accordance with the GDPR data minimization principle, we retain data only for as long as strictly necessary to deliver the service. Our retention policy differentiates data by type and purpose.

♾️

Business data (members, passes, audiences)

Retained as long as the client actively uses it. Deletable at any time on request, through a multi-step technical procedure (revocation on Apple's side, deletion on Google's side, file and database erasure).

📋

Technical audit logs

API access and operations retained for a maximum of 12 months, then automatically deleted.

⏱️

Temporary technical data

Jobs, quotas, notification events purged automatically according to short retention periods (from 48 hours to 30 days depending on type).

📊

Billing data

Retained for 10 years in compliance with French accounting and tax obligations.

End-user IP addresses are not retained. IP addresses from API calls are logged in technical audit logs for 12 months for security and abuse detection purposes, then automatically deleted. Location information used for contextual features (country, city) is derived in memory and is not persisted.

Wallet platform compliance

A governed partnership with Apple and Google.

Walleett is officially registered with the Apple Developer Program and the Google Wallet Issuer Program. Our architecture meets the requirements imposed by both platforms.

Certificate management

Walleett offers two certificate management modes for Apple Wallet and Google Wallet:

  • Delegated mode - You use Walleett's certificates for a fast start, with no administrative steps required from Apple or Google (available only for smaller organizations with low pass volumes).
  • Sovereign mode - You use your own certificates issued by Apple and Google, keeping full ownership of your pass issuer identity.

International transfers

Since Apple and Google are US companies, pass generation and distribution operations involve transferring certain data to their servers in the United States. These transfers are governed by the EU-US Data Privacy Framework, of which Apple and Google are signatories, ensuring a level of protection equivalent to European GDPR. The precise terms are included in our DPA, provided to each client.

Technical sub-processors

A carefully selected chain of partners.

To deliver our service, Walleett relies on a limited number of technical sub-processors selected for their reliability, regulatory compliance, and security posture. The full list of our sub-processors, with their purposes, jurisdictions, and contractual guarantees, is provided to our clients on request.

Any addition or change of sub-processor is notified to our clients under the terms set out in their Data Processing Agreement, in accordance with Article 28 of the GDPR.

Availability & Continuity

A service built to stay up.

Walleett's high availability relies on our hosting providers' infrastructure and on an architecture designed for resilience.

💾

Automatic backups

Databases are backed up automatically by our hosting providers, with restore points that allow rollback in the event of an incident.

🏗️

Resilient architecture

Critical services (pass generation, notifications, updates) run on a serverless, distributed architecture designed to absorb traffic spikes.

👀

Continuous monitoring

Our infrastructure is monitored around the clock to detect and address any anomaly quickly.

A question?

Our team answers your security questions.

Whether you're in the evaluation phase, running a vendor review, or conducting an internal audit, we respond quickly.
