
Security Policy

 

Purpose

This page aims to outline the measures that TryBooking takes to safeguard customer and event organiser data.

Customer data is the data entered by ticket buyers or individuals making donations on the platform.

Event organiser data is the data entered by ticket sellers during the process of creating an account or events.

TryBooking places the highest importance on security and data protection.

This page should be read along with the:

  • Event organiser terms and conditions
  • Customer terms and conditions
  • General data protection regulation
  • Privacy policy
  • Data processing addendum

 

Scope of the Policy

This policy applies to all customer and event organiser data in any TryBooking processing environment, on any media during any part of its life cycle.

 

Privacy First and Foremost

TryBooking considers data privacy at the commencement of all projects, products, product development, and services offered.

TryBooking does not:

  • share customer data with anyone except the Event Organiser unless required by law.
  • store customer data on third party products (eg CRM)
  • market to customers
  • sell any data to third parties

Company management are involved in all issues, measures, and designs related to security.

 

Safety Measures at TryBooking

TryBooking has implemented numerous technical and organisational measures to ensure an appropriate level of data protection. These measures include:

 

Employee-related security

Employees' workstations (laptops and desktops) use full-disk encryption and run endpoint protection, anti-virus and auditing tools so that compliance with security protocols can be verified.

Employees access web applications only through single sign-on (SSO) with two-factor authentication (i.e., Microsoft Office 365 directory accounts).

Administrator access to the TryBooking Platform Management interface requires two-factor authentication.

 

Production environment security

Logging into our servers is only possible via a VPN that requires certificate-based authentication, a username and password, and 2FA.

The administration panel requires two-factor authentication.

Security updates are installed automatically so that servers remain current with vendor patches.

A strict firewall configuration permits only HTTPS from the public internet, terminating on the load balancers, with HSTS preloading and a modern TLS cipher suite.

Communications to and from the servers and backups are only performed over secure channels (TLS / HTTPS).
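The two checks a practitioner would run against the load-balancer settings described above are whether the Strict-Transport-Security header actually meets the preload list's requirements and whether outbound clients refuse pre-1.2 TLS. The following is an added example, not TryBooking's own code or configuration: it parses an HSTS header value (RFC 6797 syntax), reports why it would be rejected for preloading, and builds a client-side TLS context that enforces TLS 1.2 or newer. The one-year max-age threshold and the sample header values are assumptions constructed for the example.

```python
import ssl
from dataclasses import dataclass
from typing import List, Optional

# Minimum max-age (one year) required by the hstspreload.org list.
# Assumed threshold for this example, not a TryBooking setting.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value (RFC 6797)."""
    policy = HstsPolicy(max_age=None, include_subdomains=False, preload=False)
    for raw in header.split(";"):
        directive = raw.strip()
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be a quoted-string
        if name == "max-age":
            try:
                policy.max_age = int(value)
            except ValueError:
                policy.max_age = None  # malformed value: treat as absent
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def preload_problems(header: str) -> List[str]:
    """Return the reasons a header would be rejected for HSTS preloading
    (empty list means the header is preload-eligible)."""
    policy = parse_hsts(header)
    problems: List[str] = []
    if policy.max_age is None:
        problems.append("max-age directive missing or malformed")
    elif policy.max_age < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {policy.max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if not policy.include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not policy.preload:
        problems.append("preload directive missing")
    return problems


def strict_tls_context() -> ssl.SSLContext:
    """Client context that refuses anything older than TLS 1.2 and
    requires certificate verification, for checking outbound connections."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION  # rule out CRIME-style attacks
    return ctx


def tls_context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context enforces TLS >= 1.2 with full certificate checks."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname))


# Constructed sample header values (not captured from any real host).
GOOD_HSTS = "max-age=63072000; includeSubDomains; preload"
WEAK_HSTS = "max-age=300"

if __name__ == "__main__":
    for sample in (GOOD_HSTS, WEAK_HSTS):
        problems = preload_problems(sample)
        print(sample, "->", "preload-eligible" if not problems else problems)
    print("strict client context:", tls_context_is_strict(strict_tls_context()))
```

A header such as `max-age=300` is enough for a browser to honour HSTS for five minutes but fails all three preload requirements, which is the difference between "we send HSTS" and "we are on the preload list". The strict context is the client-side counterpart of the server's cipher-suite policy: it is what an internal service should use when calling out over TLS.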

All (virtual) servers and services are hosted externally in Amazon Web Services Cloud.

 

Personal Data

All personal data is subject to a retention period. Backup data is stored encrypted. System logs are retained for at most as long as the personal information they relate to, and personal information is not written to logs.

 

Hosting & Infrastructure

TryBooking hosts its complete infrastructure at AWS. All our (virtual) servers, services and data storage are located within Australia. This includes our backup copies, which are stored in Amazon S3 in the AWS Sydney (Australia) region.

AWS products comply with GDPR.

For instance, AWS data centres are protected against fire and natural disasters. Only authorised personnel can enter, via electronic access control terminals with a transponder key or admission card. The data centres are under 24/7 surveillance and are equipped with diesel generators so they can operate autonomously during a power outage.

 

Data Storage

All data stores are installed and managed within our own infrastructure, except for Amazon S3, which is located in Australia. Public network traffic is encrypted with TLS. TLS is terminated on the load balancers, and traffic on the private network behind them is currently unencrypted (see Data in transit & Data at rest below for where internal TLS is used).

 

Data Monitoring

We closely monitor data access and transformation. Audit logs of who accessed data are in place and stored for the same period as personal information.

 

Data in transit & Data at rest

Data in transit falls into two categories: information that flows over a public or untrusted network such as the internet, and data that flows within the confines of a private network such as a corporate Local Area Network (LAN). At TryBooking, all data that flows over public networks is encrypted with TLS. Our private networks are isolated from the public internet, which is why TLS is not mandatory there; nevertheless, wherever we can, we also use TLS on internal communications (for instance between the web application and the database).

 

Data at rest is data that is not actively moving from device to device or network to network, such as data stored on a hard drive, laptop or flash drive, or archived or stored in some other way. Data protection at rest aims to secure inactive data stored on any device or network. While data at rest is sometimes considered less exposed than data in transit, attackers often find it a more valuable target because it is concentrated and long-lived. At TryBooking, all hard disks of desktops, laptops and servers use disk encryption by default.

 

Data access and authentication

Only authorised engineers at TryBooking have access to the source code, can perform custom data migrations, and can resolve support cases at the request of support staff. Engineers have different access rights depending on their job requirements. Every engineer has individual credentials, and some parts of the system can only be reached from specific IP addresses or via the VPN.

 

Organisational Measures

 

Security

We have the following organisational measures in place concerning security:

  • Code review is required for all software changes.
  • We use a continuous delivery model, releasing small updates on a regular basis. The development process includes code review, automated testing, performance testing, security testing, manual testing, and change process review and sign-off. This minimises the security and risk impact of each update.
  • Only the employees who must maintain the database server have access to it.
  • All login attempts to the database server are audit-logged.
  • Employees cannot physically access the servers.
  • All employees are obliged to maintain confidentiality (see Confidentiality).
  • The backup system enables (disaster) recovery to be carried out within several hours of an incident that triggers our Disaster Recovery or Business Continuity plan.

 

Security Audits

We aim to engage a third-party security researcher annually to perform penetration testing and other security tests on the system.

 

Confidentiality

All employees of TryBooking have signed an explicit confidentiality clause in their employment contract. It applies during the employment and thereafter, regardless of how or why the employment ended, and obliges them to refrain from making any statement to third parties, directly or indirectly and in any form, about confidential data connected with the business of TryBooking and/or its affiliated companies.

 

The location of the data

All data collected by TryBooking is stored electronically in AWS data centres in Australia. No external systems are permitted to connect to the database.