Security

Your attendees' trust is the product

geteventriX is built for organizations that answer to legal, finance, and their attendees. Here's exactly how we protect the data you put in the platform.

GDPRCCPAPCI DSS L1TLS 1.3AES-256SOC 2 (in progress)
๐Ÿ”

Encryption everywhere

AES-256 encryption at rest for all customer data; TLS 1.3 for every connection in transit. Payment credentials never touch our servers โ€” they are tokenized by the gateway.

๐Ÿงพ

PCI DSS Level 1

Card processing is delegated entirely to certified processors (Nexpay, Stripe, PayPal). geteventriX stores no PANs, CVVs, or magnetic-stripe data โ€” only gateway tokens and settlement references.

๐Ÿ‡ช๐Ÿ‡บ

GDPR & CCPA

Data export, right-to-be-forgotten workflows, consent management, and EU data residency. Signed DPAs available for all EU customers, with sub-processor transparency.

๐Ÿช

Signed webhooks & API

Every webhook is signed with HMAC-SHA512 and verified with constant-time comparison. API access uses scoped keys with per-tier rate limits and full audit trails.

๐Ÿ‘ค

Access control

Role-based permissions (admin/manager/staff/viewer), SSO via SAML and OAuth on Enterprise, mandatory 2FA options, session management, and device tracking.

๐Ÿฐ

Infrastructure

Multi-AZ PostgreSQL with point-in-time recovery, daily encrypted backups, DDoS mitigation at the CDN edge, and isolated tenants with row-level security.

Operational practices

Vulnerability management
Automated dependency scanning on every build; critical patches deployed within 24 hours.
Penetration testing
Independent third-party penetration tests twice per year; reports available under NDA.
Audit logging
Every privileged action โ€” refunds, exports, role changes, suspensions โ€” is written to an immutable audit log.
Incident response
24/7 on-call rotation, public status page, and customer notification within 72 hours as required by GDPR.
Data retention
Configurable retention policies per organization; attendee PII is anonymized in analytics after events complete.
Employee access
Production access is least-privilege, MFA-enforced, and reviewed quarterly. Support access requires customer consent.

Security review for your procurement team?

We're happy to complete security questionnaires, share pen-test summaries, and sign DPAs. Typical turnaround is three business days.

Contact security team โ†’