Effective Date: Jan 11, 2022 Security Summary

As the steward of your and your clients' valuable data, we understand that keeping this data safe and secure is of utmost importance. In this document we summarize the various aspects of our security posture.

  1. Hosting
    • All systems are hosted on Amazon AWS virtual private cloud (VPC) infrastructure. AWS provides a highly secure, PCI Level 1 compliant hosting infrastructure that hosts all Effective Registration production infrastructure components.
  2. System Administration
    • System administrators access the system via the Amazon AWS console and via a secure bastion host that allows access to our admin server. In all cases, administrators use multi-factor authentication to access online systems.
  3. Application Architecture
    • Applications are written in Java and deployed in a multi-zone cluster using the AWS autoscaling group facility. All data is stored in PostgreSQL databases. The application is divided into tiers (load-balancer, application server, and database), each in its own security group with deny-by-default access rules.
  4. PCI Compliance
    • Our hosting provider, Amazon AWS, is PCI Level 1 compliant.
    • All sensitive cardholder data and payment information is submitted in hosted payment fields that originate directly from Stripe's PCI DSS validated servers.
    • For more information about PCI standards please visit https://www.pcisecuritystandards.org/
    • For limitations affecting use of forms see Terms of Use Section XX, PCI Compliance
  5. GDPR Compliance
    • Effective Registration is GDPR compliant. Our application solicits data subject consent during registration and allows event planners and administrators to generate data reports and delete subject data upon request.
  6. Software Development Practice
    • Our software development practice features regular code reviews, and developers must follow our Secure Coding Practices policy to ensure software is developed in a secure fashion.
    • Our source code and build systems are hosted on GitLab. All developers are required to use multi-factor authentication to access the GitLab, and are required to password-protect the SSH private keys used to access source code via Git.
  7. Data Encryption
    • All customer data in transit across public networks is protected using TLS 1.2. Our certificates are issued by Amazon AWS.
    • Customer data at rest in the database and backups is protected using the encryption facilities of Amazon RDS and Amazon S3, respectively.
  8. Backups and Disaster Recovery
    • Effective Registration applications are deployed in clusters that span multiple availability zones (i.e. data centers). Functionality will continue to be available in the event of an outage of a particular availability zone.
    • Our PostgreSQL databases are configured in an active/warm standby configuration across availability zones using PostgreSQL streaming replication.
  9. Identity and Access Management
    • Effective Registration user accounts are stored in the database. Passwords are hashed with BCrypt using 12 rounds.
    • Each client user account may be designated as a primary user, in which case they may manage other user accounts for the client. User accounts may be granted fine-grained access on a per-event basis.
    • Multi-factor authentication is available using a TOTP soft token application such as Google Authenticator.
    • We do not yet support single sign-on with client systems.
  10. Email
    • All transactional email is delivered via the Amazon SES service. We use SPF and DKIM features to maximize email deliverability. Our application offers email read and bounce tracking.
    • Effective Registration's email service is CAN-SPAM and CASLA compliant. Recipients may opt out of email at any time.