
Returnly’s Statement on Security


You put a lot of trust in Returnly when engaging with your shoppers. Ensuring our platform remains secure is vital to protecting our own data, and protecting your information is our highest priority.

Our security strategy covers all aspects of our business, including:

  • Returnly corporate security policies
  • Physical and environmental security
  • Operational security processes
  • Scalability & reliability of our system architecture
  • Data model access control in Returnly
  • Systems development and maintenance
  • Service development and maintenance
  • Regularly working with third-party security experts


Returnly Corporate Security Policies & Procedures

Every Returnly employee signs a Data Access Policy that binds them to the terms of our data confidentiality policies and of Returnly.com/privacy. Access rights are based on the employee’s job function and role.

SOC 2 (Type I)

Returnly has successfully completed its SOC 2 (Type I) audits for controls relevant to security, availability, and confidentiality. This means that an independent third party has both validated our processes and practices with respect to these three trust services criteria and confirmed our ability to maintain compliance with the controls we’ve implemented.

Security in our Software Development Lifecycle

Returnly uses the git revision control system. Changes to Returnly’s code base go through a suite of automated tests and a round of manual review. When code changes pass the automated tests, they are first pushed to a staging server where Returnly employees can test them before an eventual push to production servers and our customer base. We also have a specific security review for particularly sensitive changes and features. Returnly engineers can also “cherry pick” critical updates and push them immediately to production servers.

We also work with third-party security professionals to:

  • Test our code for common exploits
  • Use network scanning tools against our production servers


Security at the Returnly office

Our office is secured via keycard access which is logged, and visitors are recorded at our front desk.

We monitor the availability of our office network and the devices on it. We collect logs produced by networking devices such as firewalls, DNS servers, DHCP servers, and routers in a central place. The network logs are retained for the security appliance (firewall), wireless access points, and switches.


Returnly Architecture & Scalability

Scalability/Reliability of Architecture

Returnly uses Amazon Web Services (RDS & S3) to manage user data. The database is replicated synchronously so that we can quickly recover from a database failure. As an extra precaution, we take regular snapshots of the database and securely move them to a separate data center so that we can restore them elsewhere as needed, even in the event of a regional Amazon failure.

Encrypted Transactions

Web connections to the Returnly service are via TLS 1.1 and above. We support forward secrecy and AES-GCM, and prohibit insecure connections using TLS 1.0 and below or RC4.


Returnly Information Security

Employee Workstations, Laptops, & Mobile Devices

All laptops and workstations are secured via full disk encryption and centrally managed. We diligently apply updates to employee machines and monitor employee workstations for malware. We also have the ability to apply critical patches and remotely wipe a machine.

Data Center Security

Amazon employs a robust physical security program with multiple certifications. For more information on Amazon’s physical security processes, please visit aws.amazon.com/security.


Product Features

Administrator Management Features

  • Authentication – Returnly administrators can force employees to authenticate via Google Accounts. If passwords are stored directly with Returnly, we secure them using salted bcrypt.
  • User Management – Administrators can see Last Activity, Guest/Member status, and deprovision users from a central administration interface.

User Features

  • Privacy, Visibility, & Role Settings – Customers determine who can access different categories of data like returns, analytics, and billing.



Privacy Policy

Returnly’s privacy policy, which describes how we handle data input into Returnly, can be found at Returnly.com/privacy.


We are committed to making Returnly consistently available to you and your teams. Our systems have built-in redundancy to withstand failures and are constantly monitored to keep your work uninterrupted. You can always monitor our availability at our system status page.

Want to report a security concern?

Email us at security@Returnly.com.