Eventzilla’s customers trust us to handle registration, payment and engagement data for thousands of events worldwide. Safeguarding that information is a foundational obligation, woven into every layer of our infrastructure, our software-development lifecycle and the operational processes that govern day-to-day activities.
Our approach aligns with established industry frameworks while remaining flexible enough to incorporate new best-practice recommendations as the threat landscape evolves.

Cloud Infrastructure

All production workloads operate within Amazon Web Services data centres that maintain internationally recognised accreditations, including ISO 27001, SOC 1 & SOC 2 (Type II) and PCI DSS. Resources are deployed exclusively in multiple US regions, ensuring predictable data residency and latency characteristics.
Logical isolation boundaries—implemented via virtual private networks, access-control lists and security groups—create defence-in-depth layers that separate sensitive components from publicly addressable interfaces. Infrastructure is provisioned and updated through streamlined processes, allowing application of consistent hardening policies across fleets while retaining the ability to perform rapid, repeatable rollbacks when needed.

Encryption

Eventzilla secures data in transit with SSL/TLS, enforcing TLS 1.2 or higher for all external connections and confining traffic to segmented VPC networks inside the cloud environment. Data at rest—including primary datastores, snapshots and object-storage objects—is protected with AES-256 encryption. Cryptographic keys are held in the AWS Key Management Service (KMS) and access to those keys is restricted through tightly scoped IAM roles.

Identity & Access Management

Role-based access control enforces the principle of least privilege by granting employees only the permissions necessary for their duties. Administrative entry points require multi-factor authentication coupled with hardware-backed SSH keys, and password complexity is managed via centrally enforced policies. Regular access reviews confirm that entitlements remain appropriate, and dormant credentials are disabled automatically after a defined period of inactivity.

Monitoring & Alerting

A unified observability stack aggregates system metrics, application logs and security events into a real-time analytics pipeline. Automated detectors apply baseline comparisons, anomaly detection and threshold alerts, ensuring that unusual patterns surface promptly to the on-call engineering team. Audit trails capture configuration changes and significant user actions, supplying forensic context if an investigation is required.

Vulnerability Management

Eventzilla maintains a structured vulnerability-management programme. Code and infrastructure components are periodically assessed for known weaknesses, and remedial work is prioritised according to generally accepted risk-scoring frameworks. Independent testing is commissioned from time to time to validate that mitigations remain effective and that controls operate as intended.

Change Management Controls

All modifications to source code and system configuration move through a controlled release process that combines peer review, automated checks and formal approval steps. Deployment activities are logged and time-stamped, and each release can be traced back to the originating change request to support accountability and forensic analysis when required.

Business Continuity & Disaster Recovery

Key data assets are backed up on a routine schedule and stored in a logically separate environment. Documented recovery procedures describe how critical services would be restored in the unlikely event of a major disruption, and periodic exercises verify that personnel and processes remain ready to execute those procedures.

Incident Response

Eventzilla operates an incident-response framework that assigns roles, escalation paths and communication channels for handling security events. If a Personal-Data Breach is confirmed, containment and investigation activities commence promptly and affected Organizers are informed without undue delay, enabling them to meet any notification obligations of their own.
