Security & Data Protection
Your trade show data is business-critical. We protect it with industry-standard encryption, strict tenant isolation, and EU-hosted infrastructure.
European Infrastructure
All data stored and processed within the European Union.
Hosted on Hetzner
German cloud provider with ISO/IEC 27001 certified data centers in Nuremberg, Falkenstein, and Helsinki.
Hetzner Certifications
ISO/IEC 27001:2022
Information security management, certified by SOCOTEC Certification
BSI C5 Type 2
Cloud Computing Compliance Criteria Catalogue (C5), defined by the German Federal Office for Information Security (BSI). A Type 2 report attests that the controls operated effectively over an audit period, not only that they were designed correctly at one point in time.
EU Data Jurisdiction
All data processing within EU borders. No third-country data transfers.
Technical Security Controls
Multiple layers of protection from network to application.
Encryption in Transit
All connections are secured with TLS 1.3, using certificates issued and renewed automatically by Let's Encrypt. Plain HTTP requests are redirected to HTTPS.
Authentication
JWT access tokens with automatic refresh token rotation. Passwords are hashed with bcrypt at cost factor 10 (2^10 key-setup iterations, the library default). Password reset tokens are single-use and expire after 24 hours.
Role-Based Access
Three-tier access control (staff, coordinator, superuser). Every API endpoint enforces role requirements. Staff can only access events they are assigned to.
Tenant Isolation
Strict company-level data separation. Every database query is scoped to the company of the authenticated user, taken from the verified token rather than from request parameters, so one company's data cannot be read or modified through another company's account.
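The tenant-scoping rule above is easy to state and easy to get subtly wrong. The following is an added example, not the platform's own code: it models a Prisma-style findMany({ where }) call over an in-memory table so it runs offline, and contrasts a leaky filter merge with one where the tenant id from the token always wins. Names such as findEventsScoped and the sample companies "acme" and "globex" are illustrative.

```typescript
// Added example (not the platform's own code): tenant scoping of ORM queries.
// The ORM is stood in for by findMany() over an in-memory array so this runs offline.

type Row = { id: number; companyId: string; name: string };

// Constructed sample data: two companies' events in one shared table.
const events: Row[] = [
  { id: 1, companyId: "acme", name: "Hannover Messe booth" },
  { id: 2, companyId: "acme", name: "IFA booth" },
  { id: 3, companyId: "globex", name: "CES booth" },
];

type Where = Partial<Row>;

// Stand-in for the ORM query: every field present in `where` must match (AND semantics),
// like Prisma's findMany({ where }).
function findMany(where: Where): Row[] {
  const keys = Object.keys(where) as (keyof Row)[];
  return events.filter((r) => keys.every((k) => r[k] === where[k]));
}

// Tenant identity comes from the verified access token, never from the request body.
type AuthContext = { userId: string; companyId: string };

// Leaky pattern: the caller-supplied filter is spread last, so a client that sends
// { companyId: "globex" } silently overrides the tenant filter.
function findEventsLeaky(auth: AuthContext, clientWhere: Where): Row[] {
  return findMany({ companyId: auth.companyId, ...clientWhere });
}

// Correct pattern: drop any companyId the client sent, then apply the tenant id from the
// token after the client filter, so the tenant constraint can never be overridden.
function findEventsScoped(auth: AuthContext, clientWhere: Where): Row[] {
  const rest: Where = { ...clientWhere };
  delete rest.companyId;
  return findMany({ ...rest, companyId: auth.companyId });
}
```

With the real Prisma client the same guarantee is usually expressed as where: { AND: [{ companyId: auth.companyId }, clientWhere] }, which keeps the tenant predicate even if the client filter also names companyId. Either way, the test a reviewer wants is the one where the client explicitly asks for another company's rows and gets none.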
Input Validation
All API inputs are validated against Zod schemas before processing. Database access goes through Prisma ORM, which sends values as query parameters rather than splicing them into SQL text, so ORM-generated queries carry no SQL injection surface. (Prisma's raw query helpers remain parameterized only in their tagged-template form; the Unsafe variants that accept a string must be avoided.)
Mobile Security
Authentication tokens are stored in the iOS Keychain or in Android EncryptedSharedPreferences, never in plain storage.
Data Protection
How we handle and safeguard your information.
Password Security
Passwords are hashed with bcrypt before storage. We never store or transmit plaintext passwords. Password reset tokens are cryptographically random and single-use.
Token Management
Refresh tokens are stored only as SHA-256 hashes, so a database dump does not yield usable tokens. Each refresh token is single-use and replaced on every refresh; a token that has already been rotated is rejected, so a stolen copy stops working as soon as either it or the legitimate client's copy is used. Logout revokes all of the user's active sessions.
API Security
A CORS allowlist limits which browser origins may call the API cross-origin; CORS is enforced by browsers only, so non-browser clients are held back by authentication, not by CORS. File uploads are size-limited. Error messages are generic so that they do not leak stack traces, query text, or the existence of accounts.
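An allowlist is only as good as its comparison. The following added example (not the platform's own code) shows the substring check that commonly slips into CORS middleware next to the exact-match check, and the response headers a matching origin should receive. The domains app.example.com and admin.example.com are placeholders.

```typescript
// Added example (not the platform's own code): CORS origin allowlist with exact matching.

// Assumed placeholder origins; a real list comes from configuration.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

// Weak check: a substring test also accepts attacker-controlled origins that merely
// contain the allowed host name, e.g. https://app.example.com.evil.net.
function isAllowedOriginWeak(origin: string): boolean {
  return origin.includes("app.example.com");
}

// Correct check: the Origin header is compared as a whole (scheme, host and port), and a
// missing or "null" Origin is never treated as trusted.
function isAllowedOrigin(origin: string | undefined): boolean {
  return origin !== undefined && ALLOWED_ORIGINS.has(origin);
}

// Headers to attach to a response for the request's Origin; none when it is not allowed,
// in which case the browser blocks the cross-origin read.
function corsHeaders(origin: string | undefined): Record<string, string> {
  if (!isAllowedOrigin(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin as string,   // echo the single matched origin; never "*" with credentials
    "Vary": "Origin",                                   // shared caches must key on Origin when the value varies
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
  };
}
```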
Audit Logging
Authentication events, data modifications, and administrative actions are logged with timestamps, user context, and IP addresses.
Infrastructure & Deployment
Production-grade containerized architecture.
Docker Containers
All services run in isolated Docker containers with health checks and automatic restarts.
PostgreSQL 16
Enterprise-grade database with persistent volumes. Not exposed to the public internet: it is reachable only from the application containers over the internal Docker network.
Traefik Reverse Proxy
Automatic TLS certificate management, health-check-gated traffic routing, and zero-downtime deployments.
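As an added example (not the platform's own configuration), this is how the transport claims on this page (automatic Let's Encrypt certificates, HTTP redirected to HTTPS, TLS 1.3, and only explicitly labelled containers exposed through the proxy) map onto a Traefik v2/v3 configuration. The file names, e-mail address and storage path are assumptions.

```yaml
# --- traefik.yml (static configuration), assumed layout ---
entryPoints:
  web:
    address: ":80"
    http:
      redirections:            # every plain-HTTP request is redirected to HTTPS
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt
providers:
  docker:
    exposedByDefault: false    # a container is routed only if it carries traefik labels;
                               # the database container has none and stays internal
  file:
    filename: /etc/traefik/dynamic.yml
certificatesResolvers:
  letsencrypt:
    acme:
      email: security@example.com   # placeholder
      storage: /letsencrypt/acme.json
      httpChallenge:
        entryPoint: web
---
# --- dynamic.yml (dynamic configuration) ---
tls:
  options:
    default:
      minVersion: VersionTLS13   # refuse TLS 1.2 and older; matches the "TLS 1.3" claim above
      sniStrict: true            # drop connections whose SNI matches no configured certificate
```

Pinning minVersion to VersionTLS13 is what turns "TLS 1.3" from a capability into a guarantee; the trade-off is that any client that still negotiates only TLS 1.2 is refused, so check monitoring or integration clients before enforcing it.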
Automated CI/CD
All code changes run through automated tests before deployment. Database migrations are applied atomically before traffic switchover.
Our Commitment
Security is an ongoing process. We continuously review and strengthen our security posture as the platform grows. If you have security questions or want to report a vulnerability, contact us.