Trust Center

Our Merchants are data controllers of the personal data they collect through our Services (as defined in our Data Processing Agreement). Lightspeed acts as a data processor for our Merchants and our Data Processing Agreement governs our processing of personal data on our Merchants’ behalf.

Lightspeed is a data controller of personal data that we collect directly. This includes personal data about our Merchants, Partners, and visitors to our websites, and consumers that engage directly with us, such as golfers using Chronogolf or consumers using Order Anywhere. Our Privacy Policy and our Privacy Statement for Consumers set out our practices with respect to this data.

Lightspeed may transfer to, and store personal data in countries other than the country in which the data was originally collected, including destinations outside the EU. For transfers to countries that are not covered by a European Commission adequacy finding, we rely on the latest Standard Contractual Clauses incorporated into our Data Processing Agreement. We have incorporated the International Data Transfer Addendum for Merchants established in the UK.

Lightspeed is also certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework. Please see our Privacy Policy for more information.

We have implemented a range of technical and organizational measures to safeguard personal data. These measures are designed to maintain the ongoing confidentiality, integrity, and availability of our products and Services. For more detail, please refer to the Security section of our Trust Center.

Lightspeed processes personal data for as long as it is reasonably needed to fulfill the purposes for which we collected it. Our retention term can be longer if we are required to keep the personal data longer on the basis of applicable law or to administer our business.

Where you have the right to request its deletion, we will delete your personal data in accordance with and upon receipt of written instructions from you to this effect, unless we are legally required to keep it. You may choose to do this in the event you terminate your agreement for the Services.

Lightspeed engages sub-processors to assist us in delivering our Services. We have data processing agreements in place with these sub-processors to protect the personal data they process and we ensure they commit to the same level of data protection and privacy standards that we commit to our merchants.

Our sub-processor list is available here.

Lightspeed will not disclose Merchant data to public authorities without a valid warrant, subpoena, court order, or equivalent legal process. If we receive a disclosure request, we will notify Merchants to the extent permitted by applicable law and make reasonable efforts to narrow the scope of the request if the scope appears overly broad.

Depending on your location and subject to applicable law, you may have the right to request access, correction, and deletion of your personal data.

If you have purchased something from one of our Merchants, please reach out to that Merchant directly about your data rights request.

If you are a Lightspeed Merchant, you may submit a request to exercise any of your data rights by filling out this online form.

Lightspeed employs an experienced team of information security experts. The following descriptions provide an overview of the technical and organizational security controls that Lightspeed maintains to protect and secure all Merchant data.

Lightspeed undergoes regular independent audits of our security controls to ensure they meet global standards.

Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is the global security standard for protecting payment card information. Lightspeed does not store, process, or transmit any cardholder data. We rely on PCI compliant third party service providers to handle transactions. This is attested by a PCI Qualified Security Assessor (QSA) yearly.

Copies of our attestations of compliance are linked below:
PCI AoC for R-Series, X-Series, C-Series, K-Series, G-Series, L-Series, O-Series, Payments
PCI AoC for E-Series
PCI AoC for U-Series
PCI AoC for B2B

System and Organization Controls (SOC)
Certain Lightspeed products are audited yearly for SOC 2 compliance. This audit certifies that controls governing security, availability, processing integrity, confidentiality, and privacy is designed appropriately to safeguard Merchant data.

For SOC 2 reports, please see our contact information to request a copy.
SOC 2 Type I: R-Series, X-Series, C-Series, K-Series, L-Series, O-Series, U-Series, Payments
SOC 2 Type II: B2B

Lightspeed keeps our network safe and secure against unauthorized access.

We are constantly enforcing measures to keep Lightspeed’s network safe and secure. Such measures include system monitoring, logging, alerting, and Distributed Denial-of-Service (DDoS) protection.

To protect Lightspeed from unauthorized access via remote devices, company-issued devices are configured, updated, and tracked by endpoint management solutions. By default, Lightspeed workstations are equipped with data encryption, firewalls, and strong passwords and endpoint protection.

We also centrally manage access to Lightspeed’s network and applications, enforce multi-factor authentication, and continuously audit access to follow the principle of least privilege. Privileges are assigned on a need-to-know basis and are revoked when a job role changes or employment ceases.

Lightspeed protects data in transit and at rest using strong encryption protocols.

Lightspeed hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls of our infrastructure providers are audited for SOC 2 Type 2, ISO 27001, PCI DSS, GDPR, FIPS 140-2, NIST 800-717, etc.

Lightspeed uses advanced security tools to maintain a secure environment for our Merchants’ data. We monitor threat intelligence and alerts to preempt attacks and protect our systems. When we discover a security incident, our incident response team acts quickly to identify, mitigate, and resolve the issue according to our incident response plan.

If we become aware of unlawful access to Merchant data stored within our products, we will notify the affected Merchant, provide a description of the steps we are taking to resolve the incident, and provide status updates as necessary.

We routinely scan our code and deployments for vulnerabilities and misconfigurations to ensure our Services and Merchant data are protected.

Additionally, Lightspeed has a public bug bounty program to enable researchers to test our products and encourage responsible disclosure of security issues. We also engage third parties to conduct annual external and internal penetration testing.

The security team maintains policies and standards to help Lightspeed meet our service commitments to Merchants. These policies and standards are reviewed annually and are shared internally with team members.

Lightspeed prioritizes the ongoing security education of its employees.

We take a comprehensive approach to security awareness to ensure that employees are well-versed in best practices. Our employees complete security awareness training when first hired and take refresher courses annually. We also engage employees in ongoing discussions about the latest security threats and how to address them. This approach keeps employees informed and empowers them to actively participate in data protection.