
Data safety and compliance

If your name’s not on the list, you’re not getting in.

Keep your information safe with the strictest security measures on the market. Determine who can access what with customisable permissions.


Enterprise-grade security. For everyone.

Data in transit protection

AttendZen utilises an internal API which communicates with the browser-based client platform, as well as individual event websites. Communication between the platform and API is handled over TLS 1.2 or above, with HSTS. We currently achieve an A+ rating on the Qualys SSL report.

The platform itself is also accessed exclusively over TLS 1.2 or above, as are event websites. Communication between event websites (in particular, the registration system) and the API is carried out in the same way. Where the system uses external APIs, calls to these are also made exclusively over TLS.

We work hard to maintain best practices for encryption and disable support for older encryption standards that are no longer considered strong. This is one reason that we only support modern browsers.

Asset protection and resilience

Service data is stored, processed and managed solely within:

  • Linode’s London data centre
  • Amazon Web Services’ London and Ireland availability zones

All personally identifiable information (PII) in our database is encrypted at rest using the AES algorithm. The encryption key is held on our application server, separate from our database server.

Database records, archives and object storage are all indexed with the account holder ID. On request, or on account closure, we hard delete all assets belonging to that account holder.

Physical security

Each of the data centres we use is staffed 24/7/365 with security guards and technicians. Access to the data centre floor is restricted to data centre employees, all of whom are identified using biometrics and state-issued IDs before entering the facility.

HVAC and power have redundant systems, while networks within the data centres have redundant routers, switches, and service providers. Multiple Internet carriers using independent fibre connections are used to serve the data centre floor.

Separation between users

AttendZen’s application and database servers are on Linode virtual servers. Linode’s current virtualisation stack is built on KVM.

Within the platform, all data is tagged with the account holder ID, event ID and, where applicable, the login ID of the platform user who last edited that data. These IDs are verified for each request as a fundamental part of the API’s authorisation layer.

Operational security

AttendZen’s application and database servers use Ubuntu LTS with automated security updates enabled. They are provisioned behind a Linode firewall which prevents any access other than over HTTP, HTTPS and SSH. The production application and database servers share a private network for internal communication. SSH access to either server is through a public key, and password authentication is disabled. System logs are monitored daily.

The AttendZen internal API uses simple tokens backed by the database for authentication. Long-lived JWT or similar systems are not used, which means we can instantly revoke authentication for a user, an account, or all users, as appropriate.
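The following sketch illustrates why database-backed tokens can be revoked instantly at each of the three scopes mentioned above. It is an added example, not AttendZen's code: the table name, columns and function names are hypothetical, and storing only a SHA-256 digest of each token is an assumption of the example.

```python
import hashlib
import secrets
import sqlite3

def open_store():
    """Create the (hypothetical) token table in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE api_tokens (
        digest TEXT PRIMARY KEY, user_id INTEGER NOT NULL,
        account_id INTEGER NOT NULL, revoked INTEGER NOT NULL DEFAULT 0)""")
    return db

def _digest(token):
    # Assumption: only a digest is stored, so a database leak does not
    # expose usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def issue(db, user_id, account_id):
    """Mint an opaque random token; it carries no claims of its own."""
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO api_tokens (digest, user_id, account_id) "
               "VALUES (?, ?, ?)", (_digest(token), user_id, account_id))
    return token

def authenticate(db, token):
    """Look the token up on every request; None if unknown or revoked."""
    return db.execute("SELECT user_id, account_id FROM api_tokens "
                      "WHERE digest = ? AND revoked = 0",
                      (_digest(token),)).fetchone()

def revoke(db, user_id=None, account_id=None, everyone=False):
    """Revoke by user, by account, or globally; returns rows affected."""
    sql = "UPDATE api_tokens SET revoked = 1 WHERE revoked = 0"
    if everyone:
        cur = db.execute(sql)
    elif user_id is not None:
        cur = db.execute(sql + " AND user_id = ?", (user_id,))
    elif account_id is not None:
        cur = db.execute(sql + " AND account_id = ?", (account_id,))
    else:
        raise ValueError("specify user_id, account_id or everyone=True")
    return cur.rowcount

if __name__ == "__main__":
    db = open_store()
    t = issue(db, user_id=1, account_id=10)   # constructed sample IDs
    print(authenticate(db, t))
    revoke(db, user_id=1)
    print(authenticate(db, t))
```

Because validity is decided by the lookup in authenticate() rather than by a signature and expiry embedded in the token, a revocation takes effect on the very next request.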

DDoS mitigation

AttendZen has architected a multi-layer approach to DDoS mitigation. We utilise core technology from Cloudflare to provide network edge defences.

Incident response

In the event of a breach of an AttendZen information system, we have a detailed Incident Response plan in place. Employees are trained on security incident response processes, including communication channels and escalation paths.

Logical access

Access to the AttendZen production network is restricted on an explicit need-to-know basis, utilises least privilege, is frequently audited and monitored, and is controlled by our Technical Director. Employees accessing the production network are required to use multiple factors of authentication.

Secure development

All development is carried out in-house. AttendZen’s product source code is not made available in public repositories.

AttendZen utilises a number of open source technologies, such as Apache, nginx and MySQL, which receive automated security updates.

Our service is built with the OWASP Top Ten threats in mind, and we employ security controls to limit and mitigate exposure to security risks, including SQL injection, Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.

We regularly review and test our code base to identify and triage security vulnerabilities in code.

Testing and staging environments are separated from the production environment. No client data is used in our development or test environments.

Supply chain security

AttendZen minimises risks associated with third-party vendors by performing security reviews on all vendors with any level of access to our systems or service data.

We currently use the following trusted third-party providers to deliver aspects of our service:

  • Amazon Web Services, for object storage, serverless functions and email delivery
  • Linode, for server infrastructure
  • Netlify, to serve client JavaScript content
  • KeyCDN, as a content delivery network
  • Cloudflare, for DDoS protection and TLS certificate provision
  • Twilio, for realtime communications and peer-to-peer video
  • Mux, for video processing and delivery
  • Coresender, for email delivery
  • Postmark, for email delivery
  • Stripe, for payment services provision
  • Google Cloud APIs for mapping tools and image processing

Secure user management

Platform users are authorised only to see data from their account and may have additional privilege restrictions placed on their access to the account by their account administrator.

Enterprise accounts may define precise roles for access, specifying access to platform functions for individual events.

Access to our online support portal is authenticated against a user’s platform login. Our email and telephone support personnel do not have access to log in to user accounts. On rare occasions, it may be that we can better assist in investigating a problem if we can access some part of the user’s data in readable form. We always ask for permission before taking this action and the process requires authorisation internally.

Identity and authentication

Two-factor authentication, using the TOTP protocol, is available to all users of the AttendZen platform. All passwords are securely hashed and salted using the bcrypt algorithm with a high work factor.

Password complexity rules and account lockouts are enforced in all environments to protect against brute-force dictionary attacks or other password threats. When a user sets their account password, we proactively check it against a public database of known third-party security breaches to help protect against attacks arising from password reuse.

Whether or not your event is using a custom domain, outbound emails from AttendZen are signed using DKIM (DomainKeys Identified Mail).

Audit information for users

AttendZen offers access to audit logs for accounts on our Enterprise plan. These logs include account changes; user changes; actions carried out within the app; imports and exports of data; deletions; and settings.

Backup and availability

Our systems automatically replicate client data across multiple locations in real-time to maximise availability. Data is also constantly backed up to ensure we can restore access to your data and the service in the unlikely event that the data replicas in all locations fail at once. Our monitoring alerts us to any trouble and we have staff on-call at all times to quickly resolve unexpected incidents.

System updates

We update AttendZen continuously and because access to the platform is via the user’s browser, users are assured of always being on the latest version. We monitor security advisories and other security community output closely and work promptly to upgrade the service in response to potential new threats and vulnerabilities as they are discovered.

Concerns or want to contact us?

If you have specific questions about our security stance, including concerns that are urgent or sensitive, please email us at [email protected].

Read the UK National Cyber Security Centre’s guidance on selecting and using cloud-based software services and see how we measure up.