Eventlify Security & Compliance

Information security and privacy are built into Eventlify’s growth, mission, and vision. We regularly perform vulnerability scanning and penetration testing, and we enforce access control, encryption and data privacy measures. Eventlify’s information security program is aligned with the AICPA’s Trust Services Criteria for security.

We are committed to protecting your data and your privacy. Eventlify’s information security and privacy controls are detailed below.

Have questions or feedback? Feel free to reach out to us at security@eventlify.com
  

Data protection

Eventlify is committed to protecting your privacy and ensures data protection through several controls. Customer data is encrypted and protected by access controls, with alerting and monitoring systems in place. Eventlify offers SSO integration so that users are securely authenticated. Eventlify does not sell customer data to any third parties.

All data is encrypted in transit and at rest to protect your data and your privacy:

  • Encryption in transit: All data sent to or from our infrastructure is encrypted in transit using Transport Layer Security (TLS), configured according to industry best practices. You can see our SSL Labs report here.
  • Encryption at rest: All user data, including backups, is encrypted at rest using AES-256.

Employee access to the environment in which customer data is stored is granted on a least-privilege basis, is highly restricted, and is monitored.

  • Access is granted exclusively for troubleshooting, functionality, and security purposes.
  • All activity in Eventlify’s cloud environment is monitored. Intrusion detection and prevention systems are also in place.
  • All our employees sign a Non-Disclosure and Confidentiality Agreement when joining the company to protect our customers' sensitive information.

Alongside Eventlify’s infrastructure-based protection measures, we provide users with authentication and SSO integration capabilities.

  • We provide a two-factor authentication (2FA) mechanism to protect our users from account takeover attacks. Enabling this extra measure is optional but highly recommended for any account that handles sensitive data.
  • We protect our users against credential-based breaches by monitoring for, and blocking, brute-force login attempts.
  • Single sign-on (SSO) is offered for our enterprise customers.
  • Role-based access control (RBAC) is offered on enterprise accounts.

All payment instrument processing is outsourced to Stripe, which is certified as a PCI DSS Level 1 Service Provider.

  • Eventlify does not collect, store or process payment card information itself, so cardholder data never enters Eventlify’s systems and Eventlify’s own PCI DSS scope is kept to a minimum. Smart Privacy Screen may be enabled if your users intend to use Eventlify alongside systems that may display PCI data.

Infrastructure

Eventlify’s infrastructure is hosted on Amazon Web Services (AWS) in data centers that are SOC 2 Type II and ISO 27001 compliant. Eventlify maintains backup regions to ensure high availability.

All our hosted services run in the cloud. Our cloud environment is protected by intrusion detection and prevention systems, with alerting and monitoring in place. We do not host or run our own routers, load balancers, DNS servers or physical servers: we use AWS and have no physical infrastructure or physical access to the servers themselves. Our production databases run on Amazon RDS, and object storage on Amazon S3. Under the shared responsibility model, AWS secures the underlying physical and network infrastructure and maintains a broad set of third-party compliance certifications.

Data retention and removal

By default Eventlify retains data indefinitely, to accommodate a range of customer retention requirements. Data is securely deleted upon request.

Users may request to have their data deleted at any time by writing to support@eventlify.com. Please allow up to 30 days for your request to be processed.

Business continuity and disaster recovery

We back up all critical assets and regularly test restores from those backups to ensure fast recovery in case of disaster. All backups are encrypted.

Eventlify has redundant data center zones with failover capabilities to ensure availability of services and data. Eventlify’s recovery time objective (RTO) is 8 hours and its recovery point objective (RPO) is 24 hours: in the event of an outage, services are restored within 8 hours, and at most the last 24 hours of changes could be lost.

Responsible disclosure & security testing

We encourage everyone to practice responsible disclosure and to comply with our policies and terms of service.

Please avoid automated testing and only perform security testing against your own accounts and data. Please do not disclose any information about a vulnerability until we have fixed it.

You can report vulnerabilities by contacting security@eventlify.com. Please include a proof of concept. We will respond to your submission as quickly as possible and will not take legal action against researchers who follow these rules.

Coverage

  • *.eventlify.com

Exclusions

  • app.eventlify.com
  • auctions.eventlify.com
  • support.eventlify.com
  • shop.eventlify.com

Eventlify will accept findings in the following categories of vulnerabilities for investigation:

  • Cross-Site Scripting (XSS)
  • Open redirect
  • Cross-site Request Forgery (CSRF)
  • Command injection and file/URL inclusion
  • Authentication issues
  • Code execution
  • Code or database (e.g. SQL) injection

This program does NOT include:

  • Logout CSRF
  • Account/email enumerations
  • Denial of Service (DoS)
  • Attacks that could harm the reliability/integrity of our business
  • Spam attacks
  • Clickjacking on pages without authentication and/or sensitive state changes
  • Mixed content warnings
  • Lack of DNSSEC
  • Content spoofing / text injection
  • Timing attacks
  • Social engineering
  • Phishing
  • Missing cookie security flags on non-sensitive or third-party cookies
  • Vulnerabilities requiring exceedingly unlikely user interaction
  • Exploits that require physical access to a user's machine