
Security at Eventimio

Last updated: March 19, 2026

At Eventimio, security is foundational to everything we build. Our platform handles sensitive information — guest lists, event details, photos, and biometric data — and we treat every piece of it with the highest level of care. This page provides an overview of how we protect your data.

Biometric Data Protection

Our facial recognition feature processes biometric data (face embeddings) to organize event photos. This data receives the highest level of protection: explicit consent required, 90-day automatic deletion, encryption at rest, and zero third-party sharing. See our Privacy Policy for full details.

Infrastructure

Our infrastructure is hosted entirely within the European Union, ensuring your data stays in the EU. All services communicate over private internal networks, never exposed to the public internet.

  • EU data residency: All servers, databases, and data processing within the EU
  • DDoS protection: Enterprise-grade protection and threat filtering at the edge
  • Private networking: Internal services are isolated from public access
  • Isolated environments: Production, staging, and development are fully separated

Authentication

We use passwordless authentication — there are no passwords to steal, leak, or brute-force. When you sign in, we send a secure, time-limited link to your email.

  • No passwords: Passwordless authentication eliminates credential-based attacks entirely
  • Session management: Sessions expire automatically with daily refresh for active users
  • Rate limiting: Authentication endpoints are rate-limited to prevent brute-force abuse
  • Secure cookies: Session cookies use Secure, HttpOnly, and SameSite attributes

Access Control

Eventimio implements role-based access control (RBAC) with multiple permission levels, ensuring users only access what they need.

  • Role-based permissions: Granular roles from read-only to full admin, each with specific permissions
  • Organization isolation: Your data is completely isolated from other organizations — no cross-access is possible
  • Audit logging: All permission changes and access events are logged for accountability

Data Protection

Your data is encrypted both in transit and at rest, with additional protections for sensitive categories like biometric data.

  • Encryption in transit: All connections use TLS 1.2+ (HTTPS enforced)
  • Encryption at rest: Photos and database storage are encrypted using industry-standard encryption
  • Biometric data: Face embeddings require explicit consent, are automatically deleted after 90 days, and are never shared with third parties
  • Backup encryption: All backups are encrypted and stored in the EU

Application Security

Security is integrated into our development lifecycle with automated scanning at every stage.

  • Secrets detection: Automated scanning blocks any credentials from entering the codebase
  • Automated security scanning: Every code change is scanned for vulnerabilities, dependency issues, and OWASP Top 10 risks before deployment
  • Input validation: All API inputs are validated and sanitized to prevent injection attacks
  • Rate limiting: Multiple layers of rate limiting protect against abuse
  • Error sanitization: Error responses never expose internal details

Monitoring

  • Comprehensive audit logging: All data access, modifications, and administrative actions are logged
  • Health monitoring: Continuous health checks with automated alerting for service issues
  • Security monitoring: Unusual access patterns trigger alerts for investigation

Compliance

  • GDPR: Fully compliant. Data processed and stored in the EU. Full data subject rights supported (access, erasure, portability)
  • BIPA: Compliant with the Illinois Biometric Information Privacy Act
  • CCPA/CPRA: Compliant. We do not sell personal information

Responsible Disclosure

We value the work of security researchers and welcome responsible disclosure of vulnerabilities. If you discover a security issue, please report it to us so we can address it promptly.

  • Email: [email protected]
  • Please include a detailed description of the vulnerability and steps to reproduce
  • We will acknowledge your report promptly and work to resolve confirmed issues as quickly as possible
  • We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it

For general inquiries about our security practices, please contact [email protected].

© 2026 Eventimio Inc. All rights reserved.
