Trust Center
Welcome! At Lightspeed, we believe that trust is essential when it comes to technology. It's our priority to handle your data securely. The details on this page are provided for general informational purposes only and are not intended to provide legal advice. You should consult with your own legal counsel for advice about requirements governing your specific circumstances.
Privacy
Privacy basics
Our Merchants are data controllers of the personal data they collect through our Services (as defined in our Data Processing Agreement). Lightspeed acts as a data processor for our Merchants and our Data Processing Agreement governs our processing of personal data on our Merchants’ behalf.
Lightspeed is a data controller of personal data that we collect directly. This includes personal data about our Merchants, Partners, visitors to our websites, and consumers that engage directly with us, such as golfers using Chronogolf or consumers using Order Anywhere. Our Privacy Policy and our Privacy Statement for Consumers set out our practices with respect to this data.
International Data Transfers
Lightspeed may transfer personal data to, and store it in, countries other than the country in which the data was originally collected, including destinations outside the EU. For transfers to countries that are not covered by a European Commission adequacy finding, we rely on the latest Standard Contractual Clauses incorporated into our Data Processing Agreement. We have incorporated the International Data Transfer Addendum for Merchants established in the UK.
Lightspeed is also certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework. Please see our Privacy Policy for more information.
Technical and Organisational Measures
We have implemented a range of technical and organisational measures to safeguard personal data. These measures are designed to maintain the ongoing confidentiality, integrity, and availability of our products and Services. For more detail, please refer to the Security section of our Trust Center.
Data Retention
Lightspeed processes personal data for as long as it is reasonably needed to fulfill the purposes for which we collected it. Our retention term can be longer if we are required to keep the personal data longer on the basis of applicable law or to administer our business.
Where you have the right to request its deletion, we will delete your personal data in accordance with and upon receipt of written instructions from you to this effect, unless we are legally required to keep it. You may choose to do this in the event you terminate your agreement for the Services.
Subprocessors
Lightspeed engages sub-processors to assist us in delivering our Services. We have data processing agreements in place with these sub-processors to protect the personal data they process, and we ensure they commit to the same level of data protection and privacy standards that we commit to our Merchants.
Our sub-processor list is available here.
Government Disclosure
Lightspeed will not disclose Merchant data to public authorities without a valid warrant, subpoena, court order, or equivalent legal process. If we receive a disclosure request, we will notify Merchants to the extent permitted by applicable law and make reasonable efforts to narrow the scope of the request if the scope appears overly broad.
Data Subject Rights
Depending on your location and subject to applicable law, you may have the right to request access, correction, and deletion of your personal data.
If you have purchased something from one of our Merchants, please reach out to that Merchant directly about your data rights request.
If you are a Lightspeed Merchant, you may submit a request to exercise any of your data rights by filling out this online form.
Overview
Lightspeed employs an experienced team of information security experts. The following descriptions provide an overview of the technical and organisational security controls that Lightspeed maintains to protect and secure all Merchant data.
Compliance & Certifications
Lightspeed undergoes regular independent audits to validate that our security controls meet global industry standards.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is the international standard for protecting cardholder information. Lightspeed does not store, process, or transmit cardholder data. All payment transactions are handled by PCI-compliant third-party service providers, independently assessed each year by a Qualified Security Assessor (QSA).
Copies of our attestations of compliance can be found at https://trust.lightspeedhq.com/.
Copies of our attestations of compliance are linked below:
PCI AoC for R-Series, X-Series, C-Series, K-Series, G-Series, L-Series, O-Series, Golf, B2B (NuORDER), Payments
PCI AoC for E-Series
PCI AoC for U-Series
System and Organization Controls (SOC)
Certain Lightspeed products are audited yearly for SOC 2 compliance. This audit certifies that controls governing security, availability, processing integrity, confidentiality, and privacy are designed appropriately to safeguard Merchant data.
For SOC 2 reports, please see our contact information to request a copy.
SOC 2 Type II: R-Series, X-Series, C-Series, E-Series, K-Series, L-Series, O-Series, U-Series, Payments, Golf
SOC 2 Type II: NuORDER
Our SOC 3 report, based on the AICPA’s Trust Services Criteria, provides a publicly available summary of our security controls and commitments. It offers transparency into our security posture without revealing sensitive details.
Copies of our SOC 3 report are linked below:
SOC 3 Report: NuORDER by Lightspeed
SOC 3 Report: Lightspeed Commerce (R-Series, X-Series, C-Series, E-Series, K-Series, L-Series, O-Series, U-Series, Golf and Payments)
Infrastructure and Endpoint Security / Access Control
Lightspeed protects its network through multiple layers of technical safeguards, including continuous monitoring, logging, alerting, and Distributed Denial-of-Service (DDoS) protection.
Company-issued devices are centrally managed, regularly updated, and monitored through endpoint management solutions. Workstations are encrypted by default and equipped with firewalls, strong passwords, and endpoint protection.
Access to Lightspeed systems is centrally governed, enforces multi-factor authentication, and is reviewed continuously to ensure alignment with the principle of least privilege. Access rights are granted on a need-to-know basis and removed when roles change or employment ends.
Data Protection
Lightspeed uses strong encryption to protect data both in transit and at rest.
Our product infrastructure is hosted on multi-tenant, outsourced providers whose physical and environmental controls maintain certifications such as SOC 2 Type II, ISO 27001, PCI DSS, GDPR, FIPS 140-2, and NIST frameworks.
System Monitoring and Incident Management
Lightspeed leverages advanced monitoring tools to protect Merchant data and detect potential threats. Our security team reviews alerts, tracks threat intelligence, and takes proactive measures to prevent attacks.
If a security incident occurs, our incident response team follows documented procedures to investigate, mitigate, and resolve the issue. Should unauthorized access to Merchant data be identified, affected Merchants are notified along with remediation steps and ongoing updates.
Security Testing
Lightspeed routinely performs vulnerability scanning across codebases and deployments to ensure our Services remain secure.
We operate a public bug bounty program to encourage ethical research and responsible disclosure. Additionally, third-party firms conduct annual internal and external penetration testing.
Security Policies
Our security team maintains formal security policies and standards that support Lightspeed’s service commitments. These documents are reviewed at least annually and shared internally with all relevant team members.
Security Awareness Training
Lightspeed places strong emphasis on employee security education.
All employees complete mandatory security awareness training upon hire and annually thereafter. We supplement training with ongoing communication about emerging security threats and best practices, empowering employees to actively contribute to data protection.

Contact Information
For further information regarding the security of Lightspeed products, you can reach out to our support team or your customer success manager at any time.
If you have any questions regarding our privacy practices, you can reach our Privacy Team at [email protected].
For Merchants established in Germany only, you may contact:
Datenschutzbeauftragte: Karina Filusch
Friedrichstraße 95
D-10117 Berlin
Deutschland
Email: [email protected], with a copy to: [email protected]