If your name’s not on the list, you’re not getting in.

AttendZen utilises an internal API which communicates with the browser-based client platform, as well as individual event websites. Communication between the platform and API is handled over TLS 1.2 or above, with HSTS. We currently achieve an A+ rating on the Qualsys SSL report.

The platform itself is also accessed exclusively over TLS 1.2 or above, as are event websites. Communication between event websites – in particular, the registration system — and the API is also carried out in the same way. Where the system uses external APIs, these are also conducted exclusively over TLS.

We work hard to maintain best practices for encryption and disable support for older encryption standards that are no longer considered strong. This is one reason that we only support modern browsers.

Service data is stored, processed and managed solely within Amazon Web Services’ London and Ireland regions.

All personally identifiable information (PII) in our database is encrypted at rest using the AES algorithm.

Database records, archives and object storage are all indexed with the account holder ID. On request, or on account closure, we hard delete all assets belonging to that account holder.

Each of the data centres we use are staffed 24/7/365 with security guards and technicians. Access to the data centre floor is restricted to data centre employees, all of whom are identified using biometrics and state issued IDs before entering the facility.

HVAC and power have redundant systems, while networks within the data centres have redundant routers, switches, and service providers. Multiple Internet carriers using independent fibre connections are used to serve the data centre floor.

AttendZen’s application servers use AWS hardware virtual machines, and our databases use Aurora serverless.

Within the platform, all data is tagged with the account holder ID, event ID and, where applicable, the login ID of the platform user who last edited that data. These IDs are verified for each request as a fundamental part of the API’s authorisation layer.

AttendZen’s application and database servers use Ubuntu LTS with automated security updates enabled. They are provisioned behind a firewall which prevents any public access other than over HTTPS. System logs are monitored.

The AttendZen internal API uses simple tokens backed by the database for authentication; long-lived JWT or similar systems are not used, meaning we are able instantly to revoke authentication for a user, an account, or all users, as appropriate.

AttendZen has architected a multi-layer approach to DDoS mitigation. We utilise core technology from Cloudflare to provide network edge defences.

In the event of a breach of an AttendZen information system, we have a detailed Incident Response plan in place. Employees are trained on security incident response processes, including communication channels and escalation paths.

Access to the AttendZen production network is restricted on an explicit need-to-know basis, utilises least privilege, is frequently audited and monitored, and is controlled by our Technical Director. Employees accessing the production network are required to use multiple factors of authentication.

All development is carried out in-house. AttendZen’s product source code is not made available in public repositories.

AttendZen utilises a number of open source technologies, such as Apache, nginx and MySQL, which receive automated security updates.

Our service is built with the OWASP Top Ten threats in mind, and we employ security controls to limit and mitigate exposure to security risks, including SQL injection, Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.

We regularly review and test our code base to identify and triage security vulnerabilities in code.

Testing and staging environments are separated from the production environment. No client data is used in our development or test environments.

AttendZen minimises risks associated with third-party vendors by performing security reviews on all vendors with any level of access to our systems or service data.

We currently use the following trusted third-party providers to deliver aspects of our service:

• Amazon Web Services, for server and database infrastructure, object storage, serverless functions and email delivery
• Cloudflare, for DDoS protection and TLS certificate provision
• Netlify, to serve client JavaScript content
• KeyCDN, as a content delivery network
• Twilio, for realtime communications and peer-to-peer video
• Mux, for video processing and delivery
• Stripe, for payment services provision
• Google Cloud APIs for mapping tools and image processing

Platform users are authorised only to see data from their account and may have additional privilege restrictions placed on their access to the account by their account administrator.

Enterprise accounts may define precise roles for access, specifying access to platform functions for individual events.

Access to our online support portal is authenticated against a user’s platform login. Our email and telephone support personnel do not have access to login to user accounts. On rare occasions, it may be that we can better assist in investigating a problem if we can access some part of the user’s data in readable form. We always ask for permission before taking this action and the process requires authorisation internally.

Two factor authentication, using the TOTP protocol, is available to all users of the AttendZen platform. All passwords are securely hashed and salted using the bcrypt algorithm with a high work factor.

Password complexity rules and account lockouts are enforced in all environments to protect against brute force dictionary attacks or other password threats. When a user sets their account password, we proactively check it against a public database of known third party security breaches to help protect against attacks arising from password reuse.

Whether or not your event is using a custom domain, outbound emails from AttendZen are signed using DKIM (Domain Keys Identified Mail).

AttendZen offers access to audit logs for accounts on our Enterprise plan. These logs include account changes; user changes; actions carried out within the app; imports and exports of data; deletions, and settings.

Our systems automatically replicate client data across multiple locations in real-time to maximise availability. Data is also constantly backed up to ensure we can restore access to your data and the service in the unlikely event that the data replicas in all locations fail at once. Our monitoring alerts us to any trouble and we have staff on-call at all times to quickly resolve unexpected incidents.

We update AttendZen continuously and because access to the platform is via the user’s browser, users are assured of always being on the latest version. We monitor security advisories and other security community output closely and work promptly to upgrade the service in response to potential new threats and vulnerabilities as they are discovered.