Security & Trust Center
Your data security is our top priority. Learn how we protect your information.
Data Encryption
All data encrypted at rest with AES-256 and in transit with TLS 1.3
Secure Infrastructure
Hosted on AWS with security headers, rate limiting, and audit logging
Privacy by Design
Built with privacy-first principles aligned with GDPR and CCPA requirements
Access Controls
Role-based access control (RBAC) definitions with granular permissions
Incident Response
24/7 monitoring with 72-hour breach notification commitment
Regular Backups
Automated encrypted backups with 30-day retention
Our Security Practices
Data Encryption
We use industry-standard encryption to protect your data at every stage:
- At Rest: AES-256 encryption for all data stored in our databases (DynamoDB) and file storage (S3)
- In Transit: TLS 1.3 encryption for all data transmitted between your device and our servers
- Backups: All backup data is encrypted before storage
Infrastructure Security
ContactSolution is hosted on Amazon Web Services (AWS), a SOC 2 Type II certified cloud provider:
- Data Location: US East (N. Virginia) region with geographic redundancy
- Serverless Architecture: Lambda functions with automatic scaling and isolation
- DDoS Protection: AWS Shield and CloudFront for traffic filtering
- Network Security: Private networks, security groups, and least-privilege access
Access Controls
We implement strict access controls to prevent unauthorized access:
- Role-Based Access: Defined permissions structure based on user roles (Admin, EventCoordinator, Attendee)
- Password Requirements: Minimum 12 characters with complexity requirements
- Session Management: Automatic timeout after 24 hours of inactivity
- Audit Logging: All administrative actions are logged and monitored
API Security
Our APIs are designed with security best practices:
- Rate Limiting: Protection against abuse with 100 requests/minute per user
- Input Validation: All inputs validated and sanitized to prevent injection attacks
- Authentication: JWT tokens with short expiration times (15 minutes)
- CORS Protection: Restricted to authorized domains only
Privacy & Compliance
We are committed to protecting your privacy and meeting regulatory requirements:
- GDPR Practices: Privacy-by-design approach aligned with EU data protection principles
- CCPA Practices: Data handling aligned with California Consumer Privacy Act requirements
- Data Processing Agreements: Available for enterprise customers upon request
- Data Export & Deletion: Self-service tools to export or delete your data anytime
- RoadmapSOC 2 Type I: Security controls being implemented toward future certification
Incident Response
We have comprehensive procedures for handling security incidents:
- 24/7 Monitoring: Continuous security monitoring and alerting
- 72-Hour Notification: GDPR-compliant breach notification within 72 hours
- Incident Response Team: Dedicated team for rapid response and containment
- Post-Incident Review: Thorough analysis and process improvements after incidents
Third-Party Sub-Processors
We work with trusted third-party service providers to deliver our service. All sub-processors are bound by strict data processing agreements:
| Service Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud hosting and infrastructure | United States |
| Stripe | Payment processing | United States |
| Amazon SES | Transactional email delivery | United States |
| Apple | Apple Wallet pass delivery | United States |
| Google Pay pass delivery | United States |
Report a Security Issue
If you discover a security vulnerability, please report it to us immediately.
Security Contacts
We are committed to working with security researchers to verify and address any potential vulnerabilities.