Eventbrite Security & Safety Guide
PCI Compliant
Eventbrite complies with PCI-DSS 3.2.1 Level 1 as both a Merchant and a Service Provider.
- Registered with both Visa and MasterCard as a PCI-compliant Service Provider.
- Regularly audited by a Qualified Security Assessor (Coalfire, Inc.)
- Passes internal and external application and network penetration testing performed by independent security firms.
- Scanned monthly by an Approved Scanning Vendor (ASV).
- PCI Attestation of Compliance (AOC) is available for download.
- Eventbrite employs a cross-functional team responsible for oversight of PCI Compliance.
SOC Compliant
- Eventbrite Systems and Organization Controls (SOC) Reports are independent third-party examination reports that demonstrate how Eventbrite achieves key compliance controls and objectives.
- Eventbrite SOC 3 Security, Availability & Confidentiality Report, available for Download.
Compliance Documents
The following documents are available to the public. Applicability to your environment needs to be assessed / approved by your auditors.
Privacy
Eventbrite maintains a comprehensive privacy program. To us, this means that although we are required by law or regulation to do certain things, we are continually evaluating whether we can and do more.
- We do not sell the personal information of our customers to third parties.
- We have a full time legal and security team focused on privacy and security issues.
- We participate in and comply with the EU-U.S. Privacy Shield Framework. You can find out more about our commitment to the EU-U.S. Privacy Shield Framework in our EU-US Privacy Shield Notice.
- You can find our privacy policy at: eventbrite.com/privacypolicy.
Hosting Environment
Amazon EC2 hosts Eventbrite's production systems.
- PCI-DSS Level 1 Service Provider
- ISO 27001 certified
- Independently verified and audited
- SAS-70 Type II and SSAE16
- Amazon AWS PCI Compliance site
Web and Mobile Application Development
Eventbrite is committed to designing, building, and maintaining secure systems.
- All applications are regularly scanned for common security vulnerabilities including the OWASP Top Ten.
- Regular training on Secure Coding Practices is provided. All engineers must attend training sessions.
- No credit card information is permitted to be stored on any mobile device.
- Use of encryption for both storage and transmission of sensitive information is regularly audited by the Eventbrite Security Team.
- All web and mobile applications are primarily developed, tested, deployed, and maintained by a full-time, in-house engineering team.
Encryption
Eventbrite uses strong encryption methods and key management procedures to ensure your sensitive information is protected.
- All credit card information is encrypted with strong industry-standard cryptographic protocols such as AES and TLS while in transit through our systems.
-
End of
Translation Eventbrite's website and APIs are accessible via a 256-bit SSL certificate issued by Digicert. - Credit card information is never stored after transaction authorization.
- Access to encryption keys is held by the smallest number of Eventbrite employees possible.
Our Organization
Eventbrite has taken appropriate measures to vet our employees.
- All employees are subject to reference, education, and other personnel checks. Certain employees are also subject to detailed background checks.
- Eventbrite maintains an information security training program that meets PCI-DSS standards and complies with the Massachusetts Privacy Law (201 CMR 17).
- Knowledgeable full-time security personnel are on staff.
- Require written acknowledgement by employees of their roles and responsibilities with respect to protecting user data and privacy.
Incident Response
While we don't anticipate there ever being a breach of our systems, we know that no computer system is perfectly secure.
- In the event of a breach of an Eventbrite information system, we have a detailed Incident Response plan in place.
- Periodic testing of the response plan.
- Eventbrite has 24x7 monitoring of its security systems and alerts.
Research and Disclosure
If you discover a vulnerability with Eventbrite's information systems, report it to us first!
- Do not attempt to harm Eventbrite, its users, or customer's data.
- Allow reasonable time for Eventbrite to resolve the issue before publishing findings publicly.
- Report details to security@eventbrite.com.
- Check for eligibility on the Security Reporting FAQ
- Include full details and steps to reproduce.
- Recognition by listing on the Eventbrite Security Wall of Fame
- If you wish to encrypt your email, use Eventbrite Security's GPG Key:
Key ID: 351AC626 Key Type: RSA Key Size: 4096 Fingertprint: 1809 8001 2CFF E338 E92D 8723 9CA7 08B5 351A C626 Email: security@eventbrite.com -----BEGIN PGP PUBLIC KEY BLOCK----- mQINBE/iLWUBEADEkM+z/Oa2hBdiHKeDmeFdLlum5d0YGDKA75SWZ/MDlgC+sXZQIwrx9pVPkWjzWANoBsfdd5rq277UlO+TIzcegSmX/8qOQ7lkAhQCt6IFNS2JsTqizof94pNCr5EU0Be3FZHwqRfgSjqNH8zqlOoHNIgVCVpwfhIt08pGxQ8HsYVzZeWgymMbSURNB4qe6tUxsiW+/z+LmGUHhlKrcYgpsCJwofuRihgJ47D/SvkmnjHE8CpNVXgSOe/OxGkd/AbnYU+67d2p2GSlA4g3F0WLhT5W05zpcKI3RNOzaVeMo/xaVlBchmYMst0JhmIo39MTdtzNe4zzgslMrv4zqhVSMjoOa2H527asY3wB39nuyHMuNjwaEHQTnTnOqcFq8UhCe1B0LsvrUeH+1LVajcnd6X+uIww5a+3yKbJdJvEHvEOjGgrdrsAyMU89GG2JCduH/ZZq4rueZ1VH6NRpZNzda22EsVQNqFYLI840yVbzgEpNrQyD95Uj72KL59v8F7sFdQbxiAUlBCrRSzaDHn3N4FFj9PzHhBjlOFAcKcTQda0k3Q0pidwqSMIE65ES2Ykeo4/KVofAALOuyAbjX25r+7TkbJSne/fqtRIe5dymdg9r/QBnZTJfJMLNsBtxr79KNuA744COXZlzTQ4qdAtUSoVTLn79I1MJSf8wqvuh5QARAQABtCpTZWN1cml0eSBDb250YWN0IDxzZWN1cml0eUBldmVudGJyaXRlLmNvbT6JAjgEEwECACIFAk/iLWUCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJynCLU1GsYm1U0P/3T4MRl2BctVhVouuV90LpPhwhGear9yoVXM0bgZnTmITVRKQOD7cnxrXUKAhMd3AootFBpQ9L5+0sW4PtzwNhHzqt5PBChuiG/IVWWU5WxxrjBG4jb3xQ1MKxQFGj/sJboHXlPIAt3bDap39RxJggROJMqswHZj4xH60z/z31b5khoKUr4mK56xZviU3nDuVvR4J/hJ8o7R94nf7NidsgQSjNLWhGcGibj9XpVvE7l7YKG3vj+oSJ6pgBUzXN27xl9OamraIEwlJk8kPHlBGyZcew6n2shfG8mGF8Xv/XsZHTvebUJVZO1fZhIjNtT9ZBrRdN9v7YIEzyFyxAfoDgE95RZbV0H2Kgl5h5sHRx2ldRfmywm1tRx7FrTJRLUe8UXdTAZqgkRMp9x47VjYaiqLOAn9C6twgFl11rAARc9XJETsWTZm0RD6v6PljJgSuQWVsiKZGy6ir2e7+gxcPccbbUbij+YwWam0ymwfgMnTpHFKpGUdkBk4Y8iXucUJ/V4mKYmH5OFkG/2PIwdhkdpPj1slqU8pu5PrSFgY2lcKqq192gr7MvLJARVUGq3jElnhOgNB3cP0Eg7v0KoU0Bsuq4pDqfHpgE+uYMBkXW09uu6PDZVDpyEJbFxbpjIlqFej2kOM3yGDzOhRXNPFyAQmv72XqeGN37nqLx11WLR5uQINBE/iLWUBEADHcje1FAyryLoDVozWf8vV9snX99lpH8tUtSQOYA+4JUOjODm5OA0mzs4nlQun4Mn9QTl1A6g7bIrxE4rZeAvCyE27tqyyHUSDjs6j2ur5S9oDcRo2k44+0C7rGirjBLetZ3axQ15DP4FKPOE1Hs5EewhthiZkQ9DwbS1iXZjH2cPUPjwH+KVNP+L/TM7dWqLcqW/f5Eu0MxgQWajmkBqX2k1HTRmsYeKUqRZ8/7gr7gkbro5t0qbn8wPiJR2fIzN40ky9T705obM+AxcnLAGwJ/T/Y1zoEiECLC97t1om7V0cYQn4h0fqnuVJLGF/uMLW5hPp+2sOVuY5lPJS6zU5c+jRl/L6Xcbou5kuYW+v9RWc+ubfVer/qAW7LNnk4ILr+2YVQMBeMZqF04YSRrCe8IuzP/JDAssKKSWE/tEUMwnSr6m9MBF54RERIJk4zJ6jwIJTF532X0Z7Doi0trHKeHQGIiAzF4t4JBvei1b9B10eWy1XASu3DL4s0zfDck1Fozk8f1N3RqNfWi9eIO27AlGbjLGXiQCe8S7PIuIvNcYSSsxmsfz0bcldsKeVpEd+Iij3BD/orkXYcpypYQ4M6MsibtvtJti6jQUwsJghLxSdqKM8xsN1k+ojJi1VizguoYs245vmUjwqglGDQukzh+KVcF97rA5A4ZJ8KFkgiwARAQABiQIfBBgBAgAJBQJP4i1lAhsMAAoJEJynCLU1GsYmnXkQAKcPGqAgmWe5wLjfBde4gG8O2OSr33eu4vmkWRKQ6kLrl2DDHR4sv4P7tZZ/YFG/IZlOEBplTVlOvxzfW6IEuEajhw2DoXh2sO3de4soUli8M1XzceV+k5h+ZXt/7shNEoslMfdss1D84FGH33dUOzkgM6mUv2PfluoKOw47PeYAQPc4PuvkIiXBI0TGClRD47gyZRtegpg4lt5IaOTj6XhyTbOGHC0GsxC3IAELRbpj6r6yNfQn70/6xFLhG1EqkUF2Ps4mqZsIxzAWt1nFrvntpUKZec96aaKq977bM0PFWcLGNccfSEuZm2XbidjHbGvNx/d9d/nlKnMDyVeIy+OGqXB7lVowyt/DAYq0xbe/9zHXNTGR9isY2Ls/e2tDLLyWArBQ0hsQrASzYUIPq8XIV/Cqqv171sJqvKPhOLuu1brjpjgigIXPrlrUQ2Ef16DmMqciSNuRViFfrV4P7gSGXsiiClxWOH0TK5T5BUpHEzk6aGPO747tMRRsWxENi+Vk90xpjnQkw8JBa+tmGP1RxVnHBNfL1f34LfabVbF/pcFCWb3rHTEtkd0IzhWl4Vg8lGuuSmBFGCKtPVMBW4uq7FQDqjlFJV8RBRCmRiYjsEpiQlWDiWz38oek/sRC79mh0BmY0b83IUZUpX6Tbtv8beXLXL7xk6k68scDc8ou =j7+z -----END PGP PUBLIC KEY BLOCK-----