Security & Compliance
We strive to have an industry-leading information security & compliance program. In order to achieve that, along with the technical controls, we are also committed to ensuring that our employees have the required knowledge and training.
Compliance
General Data Protection Regulation (GDPR)
European Economic Area-origin personal data is processed and stored on the basis of the Standard Contract Clauses, as amended by the Commission of the European Union, and we employ appropriate, and industry standard, technical, contractual, and organizational supplementary measures.
California Consumer Privacy Act (CCPA)
EventPlatform has updated the necessary internal procedures and processes to comply with CCPA.
Cookies Page
When you visit our website, we and our service providers collect certain data using tracking technologies like cookies and web beacons.
European Economic Area-origin personal data is processed and stored on the basis of the Standard Contract Clauses, as amended by the Commission of the European Union, and we employ appropriate, and industry standard, technical, contractual, and organizational supplementary measures.
California Consumer Privacy Act (CCPA)
EventPlatform has updated the necessary internal procedures and processes to comply with CCPA.
Cookies Page
When you visit our website, we and our service providers collect certain data using tracking technologies like cookies and web beacons.
Infrastructure & Development
Data Centers
The DEEP Platform product is based on logical architectures, with primary data centers run by in Hetzner Online datacenters located in the Germany, EU.
EventPlatform does not own the hardware located in these data centers. Instead, our provider is responsible for the security of the underlying cloud infrastructure (IaaS / PaaS), while EventPlatform is responsible for controls and configurations beginning at the operating system layer.
DEEP Platform product
A multi-tenant, cloud-based application, the DEEP Platform is engineered for high
scalability, reliability, security, and performance. All elements of the platform are tested regularly. The platform is microservice-based and is deployed on top of orchestration.
Encryption
Data in transit is encrypted using TLS 1.2 and 1.3, while data at rest is encrypted using AES-256. Access to databases is also encrypted asymmetrically.
Each EventPlatform's customer’s data is hosted within a dedicated environment.
Network Security
EventPlatform divides its platform into separate network groups to better protect data. Network security protections are designed to prevent unauthorized network access to and within the internal product infrastructure.
Within the infrastructure, internal network restrictions allow a many-tiered approach to ensuring only the appropriate types of devices can communicate with each other. Intrusion Detection / Intrusion Prevention (IDS/IPS) solutions are deployed, with near real-time alerts in place that indicate and alert for any suspicious or uncommon activity.
We also use industry-leading solution for geo-cashing (CDN - Content Delivery Network) and WAP (Web Application Firewall) with help of Cloudflare Services.
Secure Development & Change Management
EventPlatform has a formalized development and change management process in place, which requires identification and recording of significant changes, assessment of risk and the potential effect of such modifications, approval of proposed changes, and testing of changes to verify operational functionality. Proposed changes are evaluated to determine if they present a security risk and what mitigating actions, including employee and user entity notifications must be performed.
The EventPlatform secure development methodology includes project planning, design, testing, implementation, maintenance, and disposal or decommissioning. Changes to infrastructure and software are developed and tested in a separate development or test environment before release to production. Additionally, to ensure reviews and approvals are required, controls are in place before code is pushed to the production environment.
Access to the source code management tool is restricted to those with a business need for access. On a quarterly basis, access to the source code management tool is reviewed to ensure accuracy.
As part of the development process, static code analysis is also performed.
The DEEP Platform product is based on logical architectures, with primary data centers run by in Hetzner Online datacenters located in the Germany, EU.
EventPlatform does not own the hardware located in these data centers. Instead, our provider is responsible for the security of the underlying cloud infrastructure (IaaS / PaaS), while EventPlatform is responsible for controls and configurations beginning at the operating system layer.
DEEP Platform product
A multi-tenant, cloud-based application, the DEEP Platform is engineered for high
scalability, reliability, security, and performance. All elements of the platform are tested regularly. The platform is microservice-based and is deployed on top of orchestration.
Encryption
Data in transit is encrypted using TLS 1.2 and 1.3, while data at rest is encrypted using AES-256. Access to databases is also encrypted asymmetrically.
Each EventPlatform's customer’s data is hosted within a dedicated environment.
Network Security
EventPlatform divides its platform into separate network groups to better protect data. Network security protections are designed to prevent unauthorized network access to and within the internal product infrastructure.
Within the infrastructure, internal network restrictions allow a many-tiered approach to ensuring only the appropriate types of devices can communicate with each other. Intrusion Detection / Intrusion Prevention (IDS/IPS) solutions are deployed, with near real-time alerts in place that indicate and alert for any suspicious or uncommon activity.
We also use industry-leading solution for geo-cashing (CDN - Content Delivery Network) and WAP (Web Application Firewall) with help of Cloudflare Services.
Secure Development & Change Management
EventPlatform has a formalized development and change management process in place, which requires identification and recording of significant changes, assessment of risk and the potential effect of such modifications, approval of proposed changes, and testing of changes to verify operational functionality. Proposed changes are evaluated to determine if they present a security risk and what mitigating actions, including employee and user entity notifications must be performed.
The EventPlatform secure development methodology includes project planning, design, testing, implementation, maintenance, and disposal or decommissioning. Changes to infrastructure and software are developed and tested in a separate development or test environment before release to production. Additionally, to ensure reviews and approvals are required, controls are in place before code is pushed to the production environment.
Access to the source code management tool is restricted to those with a business need for access. On a quarterly basis, access to the source code management tool is reviewed to ensure accuracy.
As part of the development process, static code analysis is also performed.
Organizational Security
Security Policies
EventPlatform’s policies and procedures are made available to all staff via a policy management system. The security policies and related processes in place at EventPlatform incorporate the following areas of control:
➔ Data classification and business impact assessment
➔ Selection, documentation, and implementation of security controls
➔ Assessment of security controls
➔ User access authorization and provisioning
➔ Removal of user access
➔ Monitoring of security controls
➔ Security management
Personnel
As part of the onboarding process, where applicable, all new EventPlatform personnel (e.g., employees, contractors, interns, etc.) are required to sign an NDA and pass a background check.
An information security & compliance onboarding presentation is reviewed with all personnel upon hire to explain processes, controls, and expectations. Web-based information security & compliance training is also assigned as part of onboarding, and on an annual basis. Every quarter, phishing campaigns are conducted using a third-party solution to ensure that personnel are aware of social engineering risks and how to identify them.
Additionally, at least annually and upon hire, all personnel are required to review and acknowledge applicable policies and procedures based on job role and function, as well as complete information security and privacy web-based training modules.
Access Management
To minimize the risk of data exposure, EventPlatform adheres to the principle of role-based least privilege access. Privileged access requests must be submitted using our internal ticketing system and include a business justification and manager’s approval.
Every quarter, privileged access is reviewed to ensure accuracy. When personnel are moved between roles or terminate their relationship with EventPlatform, a formal offboarding process is initiated, with physical and logical access removed within 24-hours.
Incident Management
EventPlatform established policies and procedures for responding quickly to all security and privacy events. Our approach is we first determine the exposure of the information and determine the source of the security or privacy issue. We will communicate promptly by using in-product messaging, email, and our status page to affected customers. We will also provide periodic updates as needed to ensure the appropriate resolution of any incident.
Any concerns or incidents can be reported to:
➔ security@eventplatform.lv
➔ privacy@eventplatform.lv
Monitoring, Logging & Alerting
EventPlatform invests in automated monitoring, alerting, and response systems to address potential issues continuously. Our systems will alert applicable internal stakeholders regarding error rates, unexpected activity, memory issues, etc.
Our system captures and stores logs from the application level, such as logins (success and failed), page visits, actions, modifications, and more. Logs are protected from changes.
Endpoint Protection
Our endpoint workstations are protected using commercial enterprise-grade antivirus/malware protection with centralized logging and monitoring. All assets are subject to full-disk encryption using Filevault, are password-protected, and auto-lock when idle, requiring re-authentication to unlock.
Endpoints are managed using agent-based services, which allow the ability to add/remove applications, deploy/change configurations, web-filtering, removable storage restrictions, as well as to remotely wipe/lock the asset.
Risk Assessment
EventPlatform regularly reviews the risks that may threaten the achievement of its service commitments and system requirements. This is done through regular meetings with appropriate personnel responsible for the processes, procedures, and controls.
Additionally, reviewing and acting upon any security event logs, performing vulnerability assessments, and conducting a formal annual information security risk assessment in conjunction with the company-wide risk assessment.
Independent third parties are engaged annually to conduct application-level (to mobile, web, and APIs) and infrastructure-level penetration tests (black, grey, and white-box). Results of these assessments are shared with the applicable internal staff, and if needed, an actionable plan of remediation is discussed and executed according to requirements outlined in policy.
EventPlatform’s policies and procedures are made available to all staff via a policy management system. The security policies and related processes in place at EventPlatform incorporate the following areas of control:
➔ Data classification and business impact assessment
➔ Selection, documentation, and implementation of security controls
➔ Assessment of security controls
➔ User access authorization and provisioning
➔ Removal of user access
➔ Monitoring of security controls
➔ Security management
Personnel
As part of the onboarding process, where applicable, all new EventPlatform personnel (e.g., employees, contractors, interns, etc.) are required to sign an NDA and pass a background check.
An information security & compliance onboarding presentation is reviewed with all personnel upon hire to explain processes, controls, and expectations. Web-based information security & compliance training is also assigned as part of onboarding, and on an annual basis. Every quarter, phishing campaigns are conducted using a third-party solution to ensure that personnel are aware of social engineering risks and how to identify them.
Additionally, at least annually and upon hire, all personnel are required to review and acknowledge applicable policies and procedures based on job role and function, as well as complete information security and privacy web-based training modules.
Access Management
To minimize the risk of data exposure, EventPlatform adheres to the principle of role-based least privilege access. Privileged access requests must be submitted using our internal ticketing system and include a business justification and manager’s approval.
Every quarter, privileged access is reviewed to ensure accuracy. When personnel are moved between roles or terminate their relationship with EventPlatform, a formal offboarding process is initiated, with physical and logical access removed within 24-hours.
Incident Management
EventPlatform established policies and procedures for responding quickly to all security and privacy events. Our approach is we first determine the exposure of the information and determine the source of the security or privacy issue. We will communicate promptly by using in-product messaging, email, and our status page to affected customers. We will also provide periodic updates as needed to ensure the appropriate resolution of any incident.
Any concerns or incidents can be reported to:
➔ security@eventplatform.lv
➔ privacy@eventplatform.lv
Monitoring, Logging & Alerting
EventPlatform invests in automated monitoring, alerting, and response systems to address potential issues continuously. Our systems will alert applicable internal stakeholders regarding error rates, unexpected activity, memory issues, etc.
Our system captures and stores logs from the application level, such as logins (success and failed), page visits, actions, modifications, and more. Logs are protected from changes.
Endpoint Protection
Our endpoint workstations are protected using commercial enterprise-grade antivirus/malware protection with centralized logging and monitoring. All assets are subject to full-disk encryption using Filevault, are password-protected, and auto-lock when idle, requiring re-authentication to unlock.
Endpoints are managed using agent-based services, which allow the ability to add/remove applications, deploy/change configurations, web-filtering, removable storage restrictions, as well as to remotely wipe/lock the asset.
Risk Assessment
EventPlatform regularly reviews the risks that may threaten the achievement of its service commitments and system requirements. This is done through regular meetings with appropriate personnel responsible for the processes, procedures, and controls.
Additionally, reviewing and acting upon any security event logs, performing vulnerability assessments, and conducting a formal annual information security risk assessment in conjunction with the company-wide risk assessment.
Independent third parties are engaged annually to conduct application-level (to mobile, web, and APIs) and infrastructure-level penetration tests (black, grey, and white-box). Results of these assessments are shared with the applicable internal staff, and if needed, an actionable plan of remediation is discussed and executed according to requirements outlined in policy.
