Introduction
When evaluating software for your organization, ensuring it meets both functional requirements and security standards is critical. The process can often feel overwhelming, especially when navigating the myriad of questions and controls that need to be addressed. That’s where the PassKit Software Evaluation Checklist comes in.
This comprehensive guide is designed to simplify the evaluation process by addressing the most common questions and security controls that organizations encounter. Whether you’re assessing usability, scalability, or compliance with industry standards, this checklist provides a structured framework to help you make informed decisions.
In this article, we’ll walk you through the key areas of focus, from security protocols to operational efficiency, ensuring you have the tools and insights needed to thoroughly evaluate the PassKit platform—or any software solution—with confidence.
Business
Does PassKit solve any needs or problems?
Yes. PassKit solves several key needs and problems for your business:
Enhanced Customer Engagement: It enables your business to create and distribute engaging digital passes for loyalty programs, events, promotions, and more, fostering stronger customer relationships.
Improved Customer Experience: Digital passes provide a seamless and convenient experience for customers, eliminating the need for physical cards or paper tickets.
Increased Efficiency: PassKit streamlines the process of issuing and managing passes, reducing operational costs and manual effort.
Data-Driven Insights: It provides valuable data on pass usage and customer behavior, allowing your business to optimize marketing campaigns and loyalty programs.
Modernization of Loyalty and Marketing: PassKit helps your business modernize its loyalty and marketing strategies by embracing mobile-wallet technology.
Does PassKit improve or add any new capabilities?
Yes. PassKit improves and adds several new capabilities:
Mobile Wallet Integration: It allows your business to leverage the power of Apple Wallet and Google Wallet, reaching your customers directly on their mobile devices.
Real-Time Updates: PassKit enables real-time updates to digital passes, ensuring customers always have the latest information.
Personalized Experiences: It facilitates the creation of personalized passes tailored to individual customer preferences and behaviors.
Location-Based Notifications: It enables location-based notifications, delivering relevant messages to customers at the right time and place.
Enhanced Analytics: It provides analytics on pass installs, offering deeper insights into customer behavior.
Does PassKit add/augment existing capability?
Yes. PassKit augments and enhances your business's existing capabilities:
Loyalty Programs: It complements and strengthens existing loyalty programs by providing an additional digital channel for rewards, offers, and communication.
Marketing Campaigns: It amplifies marketing campaigns by enabling the distribution of digital loyalty cards, coupons, event tickets, and promotional passes.
Customer Relationship Management (CRM): It integrates with CRM systems to provide a more holistic view of customer interactions.
Event Management: It simplifies event management by providing digital tickets and passes for seamless entry and engagement.
Technology
Does PassKit depend on any existing software / application within our business?
No. PassKit is a standalone platform and does not depend on any existing software or application, but it can be integrated with your business's existing systems for enhanced functionality.
Optional Integrations: Integrations with CRM systems, loyalty platforms, and marketing automation tools can enhance the value of PassKit. These integrations are typically achieved through APIs.
Standalone Operation: PassKit can also be used independently without requiring any specific existing software within your business.
Does PassKit provide integration with existing tools and technologies within our business?
PassKit is designed with integration in mind. We offer a robust set of APIs and webhooks that allow seamless integration with various systems your business may already be using, such as CRM, marketing automation platforms, point-of-sale systems, and loyalty programs.
What integration protocols and standards are supported for real time/synchronous integrations?
For real-time/synchronous integrations, we recommend and primarily support gRPC for its efficiency and performance. We also provide RESTful APIs with JSON payloads for flexibility and compatibility with a wider range of systems. We support standard HTTP methods (GET, POST, PUT, DELETE) and adhere to industry best practices for API design. We also support webhooks for real-time notifications of events within the PassKit platform.
Refer to this article for more information.
What integration protocols and standards are supported for batch/asynchronous integrations?
For batch/asynchronous integrations, we support common file formats like CSV and JSON for data import and export.
What is the technology stack and architecture of the PassKit application?
PassKit leverages a modern, cloud-native architecture designed for scalability, reliability, and security. Our platform is built on a combination of Google Cloud Platform (GCP) and Amazon Web Services (AWS) to provide a robust and performant service.
Key Components:
Google Cloud Platform (GCP):
Compute: We utilize Google Kubernetes Engine (GKE) for container orchestration, running our microservices in pods.
Networking: We employ a Virtual Private Cloud (VPC) with a Google Cloud L4 Load Balancer to distribute traffic. Nginx L7 Ingress controllers manage incoming requests at the application layer. VPC Egress manages the traffic going out of the VPC.
Data Storage: Google Cloud SQL is used for our relational database needs.
Messaging and Event Processing: Google Cloud Pub/Sub handles asynchronous messaging and real-time data streaming. Google Cloud Functions are used for serverless, event-driven processing.
Content Delivery: Google Cloud CDN is used to deliver content quickly and efficiently to users around the globe.
Amazon Web Services (AWS):
Front-End Delivery: Our front-end web application is served through AWS, utilizing Amazon S3 for storage and Amazon CloudFront for content delivery.
Email Delivery: Amazon SES is used for Pass Distribution via email (optional service).
Microservices Architecture:
Our platform is built using a microservices architecture, allowing for independent scaling and deployment of individual components.
Security:
We employ robust security measures throughout our stack, including encryption at rest and in transit, access controls, and regular security assessments.
Architecture Overview:
User Access: Users access the PassKit portal platform through our web application, which is delivered via AWS CloudFront and S3.
API Requests: API requests are routed through the Google Cloud L4 Load Balancer and Nginx L7 Ingress controllers.
Microservices Processing: Requests are processed by our microservices running in GKE pods.
Data Storage and Messaging: Microservices interact with Google Cloud SQL for data storage and Google Cloud Pub/Sub for asynchronous messaging.
Event-Driven Processing: Google Cloud Functions are used for event-driven tasks.
Content Delivery: Static content is delivered via Google Cloud CDN.
Email Delivery of Passes: Amazon SES is used for Pass Delivery (optional).
This architecture allows PassKit to provide a highly scalable, reliable, and secure platform for issuing and managing digital wallet passes.
Is PassKit cloud based (native, hosted)?
PassKit is a cloud-native application, hosted on Google Cloud Platform (with front-end delivery and optional email delivery served through AWS, as described above). This provides us with the benefits of scalability, reliability, and security inherent in GCP's infrastructure.
Does PassKit support HTTPS connectivity for services/APIs?
Yes. Security is paramount. All communication with PassKit's services and APIs is strictly over HTTPS, ensuring data encryption and protection. We enforce TLS 1.2 or higher for secure connections.
Describe the response times for APIs, Services and the web app
We strive to provide excellent performance and reliability. With gRPC, we can achieve very low latency and high throughput, leading to faster response times. Our APIs typically respond within milliseconds. We offer SLAs based on the service tier, with guaranteed uptimes and response times. Specific SLA details can be provided upon request and tailored to your business's requirements. Our web application is optimized for speed and efficiency, delivering fast page load times.
Refer to this article for more information.
What different browsers are supported for the web app and mobile?
Our web application (app.passkit.com) is designed to be compatible with all modern browsers, including Chrome, Firefox, Safari, and Edge.
Are you aware of any incompatibilities that PassKit might have with any specific hardware, OS version, or mobile devices?
PassKit Portal
app.passkit.com (web application for designing and managing pass templates)
For optimal experience when managing your PassKit account and configuring passes, we recommend using the PassKit portal on a desktop or laptop computer. This ensures full access to all features and a more efficient workflow for pass design and management.
Pass Delivery
For the delivery and installation of your digital passes, PassKit employs intelligent device detection. When your customer visits a Pass URL, our system automatically detects the device they are using (iOS, Android or Desktop). We then present the pass in the best format for seamless addition to the relevant mobile wallet app – Apple Wallet or Google Wallet. This ensures a smooth and user-friendly experience for your customers, regardless of the device they are using to access the pass.
Does PassKit require any customizations to cater to our business needs? How easy is it to perform? Who is the owner for customization?
While PassKit is designed to be highly configurable, some customizations might be needed to perfectly align with your business's specific workflows and branding. We offer a flexible platform and APIs, including gRPC interfaces, that allow for easy customization. You will own the customization development. However, PassKit is committed to supporting your team throughout the process. We offer comprehensive documentation, and our expert support team is available for any questions you may have and can provide code reviews during your customization development to ensure best practices and a smooth integration.
Disaster Recovery
Does PassKit support 99.95% availability?
PassKit is designed to meet and exceed 99.95% availability. Our infrastructure is built on Google Cloud Platform, which provides robust reliability and redundancy. We utilize multiple availability zones and regions to ensure continuous service even in the event of hardware failures or regional outages. We also have comprehensive monitoring and alerting systems in place to quickly identify and resolve any potential issues. Our current performance and historical uptime are transparently available at status.PassKit.com.
How is DR managed? Does it require additional installation, deployment or management within our business?
Disaster Recovery (DR) is a core component of our service and is fully managed by PassKit. We leverage Google Cloud Platform's built-in DR capabilities, including automated backups, replication, and failover mechanisms. This ensures that in the event of a disaster, we can quickly restore our services with minimal data loss. No additional installation, deployment, or management is required from your business. Our DR strategy is designed to be transparent and seamless, ensuring business continuity without impacting your operations.
What is the RTO and RPO for this application?
Recovery Time Objective (RTO):
Our target RTO is within 1 hour. We have automated failover procedures in place to minimize downtime and quickly restore service availability.
Recovery Point Objective (RPO):
Our target RPO is also within 1 hour. We utilize continuous data replication and backups to minimize data loss.
Data
What are the classifications of data within PassKit?
Data within PassKit is classified based on its sensitivity and usage. Generally, we categorize data as:
Public Data: Information that is intended for widespread distribution, such as generic pass templates or publicly available marketing materials.
Internal Data: Data used for operational purposes, such as system logs, performance metrics, and internal configurations.
Customer Data: Information related to your customers, including pass details, usage data, and potentially personal information. This data is further classified based on its sensitivity.
What is the minimum set of data needed from our business to make PassKit function successfully?
The minimum data required to issue and manage passes consists of a Pass Template, a Pass Type ID and Pass Data.
1. Pass Template:
This is the foundational structure of a digital pass. It contains the pass design data:
Visual elements: Logos, colors, images.
Layout: Field placement.
Static text: Field labels (e.g., "Name," "Certificate Number"), and any fixed, unchanging information.
2. Pass Type ID (Certificate):
This uniquely identifies the pass issuer and is used to cryptographically sign the pass.
Issuer information: Details about your business as the issuer.
3. Pass Data:
This holds the dynamic, personalized information for each individual pass. It primarily consists of:
Customer Identifiers - Unique values that distinguish one pass from another (e.g., name, loyalty number).
Any data that changes from one issued pass to the next.
You are responsible for determining which specific customer identifiers, and therefore which Pass Data, you want to appear on your passes.
In summary:
The pass template defines the "what" (appearance).
The pass type ID defines the "who" (issuer).
The pass data provides the "who specifically" (individual customer).
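To make the three inputs concrete, the following added example (not PassKit's code) assembles a pass bundle in the Apple Wallet .pkpass layout: template assets plus a pass.json built from the template and the per-customer Pass Data, a manifest.json of SHA-1 digests over every file, and a detached signature over the manifest. The real signature is a PKCS#7/CMS signature made with the Pass Type ID certificate; an HMAC keyed with a constructed issuer secret stands in for it here so the example runs offline, and all sample data is constructed.

```python
import hashlib
import hmac
import json

# Constructed sample inputs (not real PassKit or Apple data).
TEMPLATE_ASSETS = {          # the "what": static design assets from the Pass Template
    "logo.png": b"\x89PNG...constructed-logo-bytes",
    "icon.png": b"\x89PNG...constructed-icon-bytes",
}
TEMPLATE_FIELDS = {          # the "what": static labels and layout
    "formatVersion": 1,
    "organizationName": "Example Cafe",
    "description": "Loyalty card",
    "storeCard": {"primaryFields": [{"key": "points", "label": "Points"}]},
}
ISSUER = {                   # the "who": Pass Type ID plus a constructed signing secret
    "passTypeIdentifier": "pass.com.example.loyalty",
    "teamIdentifier": "EXAMPLE123",
    "signing_secret": b"constructed-issuer-secret",   # stand-in for the certificate's private key
}


def build_pass_json(template: dict, pass_data: dict) -> bytes:
    """Merge the static template with per-customer Pass Data (the "who specifically")."""
    doc = json.loads(json.dumps(template))  # deep copy so the template itself is never mutated
    doc["passTypeIdentifier"] = ISSUER["passTypeIdentifier"]
    doc["teamIdentifier"] = ISSUER["teamIdentifier"]
    doc["serialNumber"] = pass_data["serialNumber"]
    for field in doc["storeCard"]["primaryFields"]:
        field["value"] = pass_data["fields"][field["key"]]
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict) -> bytes:
    """manifest.json: file path -> SHA-1 hex digest of that file's bytes (pkpass convention)."""
    digests = {name: hashlib.sha1(data).hexdigest() for name, data in files.items()}
    return json.dumps(digests, sort_keys=True).encode()


def sign_manifest(manifest: bytes, secret: bytes) -> bytes:
    """Stand-in for the PKCS#7 detached signature the Pass Type ID certificate produces."""
    return hmac.new(secret, manifest, hashlib.sha256).digest()


def build_bundle(pass_data: dict) -> dict:
    """Issuer side: template assets + pass.json, then manifest, then signature."""
    files = dict(TEMPLATE_ASSETS)
    files["pass.json"] = build_pass_json(TEMPLATE_FIELDS, pass_data)
    manifest = build_manifest(files)
    bundle = dict(files)
    bundle["manifest.json"] = manifest
    bundle["signature"] = sign_manifest(manifest, ISSUER["signing_secret"])
    return bundle


def verify_bundle(bundle: dict, secret: bytes) -> bool:
    """Wallet side: the signature must cover the manifest and the manifest every other file."""
    manifest = bundle.get("manifest.json")
    signature = bundle.get("signature")
    if manifest is None or signature is None:
        return False
    if not hmac.compare_digest(signature, sign_manifest(manifest, secret)):
        return False
    digests = json.loads(manifest)
    content = {k: v for k, v in bundle.items() if k not in ("manifest.json", "signature")}
    if set(digests) != set(content):          # added or missing files are rejected
        return False
    return all(hmac.compare_digest(digests[name], hashlib.sha1(data).hexdigest())
               for name, data in content.items())


if __name__ == "__main__":
    sample = {"serialNumber": "CUST-0001", "fields": {"points": "120"}}
    bundle = build_bundle(sample)
    print(sorted(bundle), verify_bundle(bundle, ISSUER["signing_secret"]))
```

Changing a single byte of pass.json after signing, or signing with a key that is not the issuer's, makes verify_bundle return False, which is the property the Pass Type ID certificate provides for real passes.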
How is the data received and fed back into our business? What are the data access mechanisms?
Data is received and fed back into your business through secure APIs (gRPC preferred, REST available).
APIs: We use industry-standard authentication and authorization mechanisms to control data access. All API communication is over HTTPS.
File Transfers: Secure file transfers are encrypted in transit and at rest.
Data Access Mechanisms: Access to data within PassKit is strictly controlled based on the principle of least privilege. We use role-based access control (RBAC) to ensure that only authorized personnel can access sensitive data.
How is the data governance and access managed within PassKit?
Data governance and access are managed through a combination of technical controls and organizational policies:
Technical Controls:
Data encryption at rest and in transit.
Audit logs to track data access and modifications.
Organizational Policies:
Data retention policies to ensure data is not stored longer than necessary.
Incident response procedures to address security breaches.
Regular security assessments and penetration testing.
How does PassKit support the auditing of data access policies, including by internal and external audit teams?
PassKit provides comprehensive audit logs that track all data access and modifications. These logs can be used by internal and external audit teams to verify compliance with data access policies. We can also provide reports and documentation related to our security controls and data governance practices.
How is PassKit administered?
All administrative activities are performed over secure protocols.
Web-based Administration: Our administrative interface is accessible via HTTPS, ensuring encrypted communication.
API Access: Administrative APIs also require HTTPS and authentication.
Infrastructure Management: Our infrastructure is managed using secure protocols like SSH with key-based authentication.
What data fields are required for PassKit that are categorized as sensitive?
The specific sensitive data fields required depend on the use case. However, generally, any data that can be used to identify an individual or that is considered confidential would be classified as sensitive. This may include:
Personally Identifiable Information (PII): Names, email addresses, phone numbers, loyalty program IDs.
Financial Information: If passes involve payments or loyalty points, financial data would be considered sensitive.
Location Data: If passes track user location, this data would be treated as sensitive.
Security
Does PassKit support SSO out of the box with leading SSO integrators (e.g., Ping)?
PassKit does not currently offer out-of-the-box support for Single Sign-On (SSO) with integrators like Ping. We rely on our own authentication and authorization mechanisms. However, we are open to discussing potential integration options or future roadmap considerations based on specific client needs and volumes.
How is the access control managed in PassKit? Do you support Active Directory (AD)?
While we don't have direct AD integration, our API access is secured through an API key with an associated secret. All communication is encrypted using TLS 1.2+, and we implement robust rate limiting to prevent abuse. API keys and passwords are securely stored. Additionally, access to the PassKit Portal (web application) is secured via a unique username and password.
What users need access to PassKit within our business?
Users requiring access to PassKit would typically include:
Your Marketing and Loyalty Teams: For creating and managing pass templates.
Your Development Teams: For integrating PassKit with other systems and managing technical aspects.
How is the authentication and authorization supported by PassKit. Does it have multi level role based security measures?
Authentication within PassKit is handled through an API key with an associated secret for API access and unique usernames and passwords for the web portal. All communication is encrypted using TLS 1.2+ to ensure data security. Authorization is currently based on permissions tied to each API key or user account. While we do not currently have multi-level role-based access control, we implement robust security measures like rate limiting and secure credential storage.
Does PassKit meet all Security Standards for our business?
PassKit is committed to meeting high security standards. We have implemented various security measures, including data encryption, access controls, and regular security assessments.
Does PassKit involve handling PCI / Payment information?
PassKit does not directly handle PCI/Payment information. Our platform focuses on the creation and distribution of digital passes, not payment processing. If your business integrates PassKit with a payment gateway, you are responsible for ensuring PCI compliance for that specific integration.
Support
Who supports PassKit including customization, fixes, patches required after the go live?
PassKit provides comprehensive support for our platform.
Customization: While your business owns the customization development, PassKit offers support, documentation, and code reviews during the process.
Fixes & Patches: PassKit is responsible for providing fixes and patches for the core PassKit platform. We have a dedicated engineering team that addresses issues and releases updates.
Post Go-Live Support: We offer ongoing support after go-live, ensuring smooth operation and addressing any issues that may arise.
Does it require specialized skill set or managed services or professional services?
PassKit is designed for ease of use as a Software as a Service (SaaS) platform.
Day-to-day operations: Using PassKit for routine tasks typically requires no specialized technical skills. Our platform is built with a user-friendly interface.
Customization and Integration: If you require advanced customizations or integrations, especially those leveraging our APIs (gRPC preferred, REST available), development expertise may be necessary. We provide comprehensive documentation and online support to enable you to implement these integrations independently.
Managed Services: PassKit handles all underlying infrastructure management, security, and platform updates. As a SaaS provider, we ensure a reliable and secure environment, allowing you to focus on your core business. We do not offer professional services, but we provide the tools and support needed for self-service implementation.
Does the day to day use or support require any additional training?
We provide comprehensive documentation and training materials to help your team become proficient with PassKit. We also offer training sessions and on-demand consultation to address specific needs.
What are the different levels of support?
PassKit provides support options tailored to your requirements:
Standard Support (Included):
Access to online documentation and email support with a 24-hour response time.
Premium Support (US$195/hour):
For advanced needs, including in-depth reviews, best practice consultation, and engineering support.
Do you provide services like training, documentation, customer service, on-demand consultation/support?
We provide a full suite of services, including:
Comprehensive Documentation: Detailed guides, API references, and tutorials. (help.passkit.com)
Customer Service: Email support. (support@passkit.com)
On-Demand Consultation/Support: Expert advice and assistance when needed. (optional US$195/hour)
Do you have scheduled maintenance releases? Do releases always maintain backward compatibility?
Yes, we have scheduled maintenance releases to improve performance, add features, and address security vulnerabilities. We strive to maintain backward compatibility with our releases to minimize disruption. However, in rare cases, breaking changes might be necessary. In such instances, we provide ample notice and migration guidance.
Quality
Do you provide QA support for the functionality you build?
PassKit rigorously tests all new features, updates, and bug fixes to our platform. We follow a comprehensive testing process to ensure the stability, reliability, and security of our service before releasing any changes to our customers. This includes functional testing, performance testing, security testing, and regression testing. We are committed to providing a high-quality, dependable platform for all our customers.
What kind of test documentation do you provide?
While we don't provide detailed internal test documentation to clients, we offer the following:
API Documentation: Comprehensive documentation for our APIs, including example requests and responses, which can serve as a form of functional specification.
Status Page: Real-time information on the health and availability of our platform (status.PassKit.com).
What's your exit criteria for new functionality?
Our exit criteria for new functionality include:
Successful Completion of Testing: All test cases must pass, including functional, performance, security, and regression testing.
Code Review Approval: Code must be reviewed and approved by our engineering team.
Performance Targets Met: New functionality must meet our performance and scalability requirements.
Security Compliance: New features must adhere to our security policies and standards.
Documentation Updated: Release notes and API documentation must be updated.
What is the process and approach to adding test data to your system if it's required?
As a SaaS platform, PassKit maintains test data for its core functionality. For testing your business's specific integrations and customizations, you will use your own dedicated test data within your PassKit account. This ensures accurate testing of your unique configurations and data flows.
Infrastructure
Does PassKit require hardware and infrastructure provisioning within our business?
PassKit does not require any hardware or infrastructure provisioning within your business. As a Software as a Service (SaaS) platform, PassKit is fully hosted and managed on Google Cloud Platform. Your business accesses PassKit through our APIs and web-based interface, eliminating the need for any on-premise infrastructure.
Does PassKit support SaaS model with high availability?
PassKit is a SaaS platform designed for high availability. We leverage the robust infrastructure of Google Cloud Platform, including multiple availability zones and regions, to ensure continuous service. We have implemented redundancy and failover mechanisms to minimize downtime. You can check our current status at status.PassKit.com.
Does PassKit support lower environments/sandboxes?
PassKit does not provide separate lower environments/sandboxes in the traditional sense. However, we offer the ability to create multiple projects within your PassKit account. This allows you to effectively create development and testing spaces within your account. You can configure and test your integrations and customizations in these separate projects without impacting your production project. This approach provides a flexible and controlled environment for development and testing.
Are environments unique to each customer or shared, physically and logically? Are platform versions and features managed independently for each customer, or shared?
Logical Separation: While PassKit operates on a multi-tenant architecture, each customer's data and configurations are logically isolated. We use robust access controls and data partitioning to ensure data security and privacy.
Shared Physical Infrastructure: The underlying physical infrastructure is shared, leveraging the scalability and efficiency of Google Cloud Platform.
Shared Platform Versions and Features: Generally, platform versions and features are shared across all customers. This ensures that everyone benefits from the latest updates and improvements. However, we may offer specific feature flags or configurations for select customers based on their needs.
Are there separate environments for Dev/QA and Production? Ability to copy configurations from one system to the other?
We understand that separate development, QA, and production environments are critical for a robust deployment process. Although PassKit doesn't offer fully isolated environments out-of-the-box, you can effectively achieve this separation by utilizing multiple projects within your account. For instance, you can create 'Development,' 'QA,' and 'Production' projects.
To simplify configuration migration between these projects, we offer the following:
API-Based Configuration Management: Our comprehensive APIs allow you to export and import configurations, enabling you to promote changes from development to QA and then to production in a controlled manner.
Best Practice Guidance: We recommend establishing clear naming conventions and version control practices for your configurations within each project. This will help you maintain a clear audit trail and prevent accidental overwrites.
This approach provides a flexible and scalable solution for managing your deployment workflow. If you have any specific configuration migration needs, our support team is available to assist you.
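The naming-convention, version-control and no-accidental-overwrite guidance above can be enforced as a gate in the script that promotes an exported configuration from one project to the next. The following is an added example, not PassKit's tooling: the export format (a JSON document with "project", "name", "version" and "template" keys) and the kebab-case naming convention are assumptions, and every attempt, allowed or refused, is written to an audit trail list.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Promotion order between the projects created in the PassKit account.
PROMOTION_PATH = ["Development", "QA", "Production"]
# Naming convention assumed for this example: lowercase kebab-case, e.g. "coffee-loyalty".
NAME_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")


class PromotionError(ValueError):
    """Raised when a promotion is refused; the reason is also recorded in the audit trail."""


def parse_version(version: str) -> tuple:
    """'1.4' -> (1, 4); raises ValueError for non-numeric versions."""
    return tuple(int(part) for part in version.split("."))


def next_stage(project: str) -> str:
    """Return the project a configuration is promoted into, or refuse."""
    if project not in PROMOTION_PATH:
        raise PromotionError(f"unknown project {project!r}")
    idx = PROMOTION_PATH.index(project)
    if idx == len(PROMOTION_PATH) - 1:
        raise PromotionError(f"{project} is the final stage; nothing to promote to")
    return PROMOTION_PATH[idx + 1]


def promote(source: dict, target: Optional[dict], actor: str, audit: list) -> dict:
    """Gate one promotion and return the document to import into the next project.

    source: configuration exported from the lower project.
    target: configuration currently deployed in the higher project (None if empty).
    audit:  list receiving one entry per attempt, so every promotion is traceable.
    """
    entry = {"at": datetime.now(timezone.utc).isoformat(), "actor": actor,
             "name": source.get("name"), "from": source.get("project"), "result": "denied"}
    audit.append(entry)
    try:
        stage = next_stage(source["project"])
        if not NAME_RE.match(source["name"]):
            raise PromotionError(f"name {source['name']!r} violates the naming convention")
        try:
            new_version = parse_version(source["version"])
            old_version = parse_version(target["version"]) if target is not None else None
        except ValueError:
            raise PromotionError("version must be numeric, e.g. '1.4'") from None
        if target is not None:
            if target["name"] != source["name"]:
                raise PromotionError("target holds a different configuration; refusing to overwrite")
            if old_version >= new_version:
                raise PromotionError(f"target already at {target['version']}; source must be newer")
    except PromotionError as exc:
        entry["reason"] = str(exc)
        raise
    promoted = dict(source)
    promoted["project"] = stage
    promoted["promoted_from"] = source["project"]
    promoted["promoted_by"] = actor
    entry["result"] = "allowed"
    entry["to"] = stage
    return promoted


if __name__ == "__main__":
    trail = []
    dev = {"project": "Development", "name": "coffee-loyalty", "version": "1.4",
           "template": {"color": "#112233"}}          # constructed export
    qa = promote(dev, None, "alice", trail)
    print(qa["project"], trail[-1]["result"])
```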
Monitoring
Describe the monitoring capabilities of the software.
PassKit prioritizes platform health and performance through continuous, comprehensive monitoring. Our system, leveraging Google Cloud Platform's robust monitoring tools, tracks critical metrics to ensure optimal operation. These metrics include:
API Response Times: We meticulously monitor latency and throughput across all API endpoints. You can view real-time API response times on our publicly accessible status page: status.PassKit.com.
Error Rates: We track the frequency and nature of errors to proactively identify and resolve potential issues.
System Resource Utilization: We monitor CPU, memory, and disk usage to ensure efficient resource allocation and prevent performance bottlenecks.
Service Availability: We continuously verify platform accessibility and responsiveness.
Pass Issuance and Updates: We monitor the success and performance of pass operations to ensure smooth user experiences.
To provide full transparency, we maintain a dedicated status page at status.PassKit.com. This page offers real-time insights into the platform's health, including detailed API response time information, enabling you to stay informed about our service performance.
Does PassKit provide detailed multi-level configurable logs?
PassKit generates detailed logs at multiple levels. These logs include:
Application Logs: Recording events and errors within the application.
API Logs: Tracking API requests and responses.
Audit Logs: Recording data access and modifications for security and compliance purposes.
While we don't provide direct access to raw logs, we can provide aggregated reports and insights based on these logs as needed. We are also open to discussing specific logging requirements with your business.
Does PassKit produce automated alerts for failures, proactive warnings etc?
Yes, our monitoring system is configured to generate automated alerts for:
Failures: Notifying our team of critical errors and outages.
Proactive Warnings: Alerting us to potential issues before they impact service.
Performance Thresholds: Notifying us when performance metrics exceed predefined thresholds.
This allows us to quickly respond to issues and maintain the reliability of our platform.
Performance
What are the performance benchmarks by capability?
Our performance benchmarks vary depending on the specific capability. However, we strive to provide:
Low API Latency: Our APIs are designed to respond within milliseconds.
High Throughput: We can handle a large volume of requests and pass operations.
Scalability: Our platform can scale to meet the demands of large-scale campaigns and events.
How elastic in nature is PassKit to scale horizontally or vertically?
PassKit is highly elastic and can scale both horizontally and vertically.
Horizontal Scaling: We utilize Google Kubernetes Engine (GKE) to automatically scale our application based on demand. This allows us to add more resources as needed to handle increased traffic or load.
Vertical Scaling: We can also scale our infrastructure vertically by increasing the resources (CPU, memory) allocated to our servers.