You have the right to file a formal data protection complaint involving Personal Data. Please complete this form to submit your privacy complaint.

Learn more about EventBuilder's role as a processor of privacy data. 

EventBuilder SaaS software and virtual event production and management services, including all PII processing activities, business processes, people, technology, and information assets related to the provision of these services.

Risk assessments will be performed at least annually, and in response to major changes, in order to ensure risks are being identified and managed, and that previously identified risks are being addressed in accordance with risk treatment plans.

EventBuilder’s collection and processing of PII falls within the definition of “Data Processor.” Customers are considered the “Data Controller” in that they determine the type of PII collected from registrants (Data Subjects), the purpose for collection, and how this data is processed, used, and retained.

Customers determine the information that they request from registrants for their events. The minimum amount of information required by EventBuilder to perform contracted services has been determined as:

First Name
Last Name
Email address

Registrant Data Retention Period - Administrators set the length of time Registrant Data will be stored. After the designated time, identifying information will be redacted on Registrant records, but event data such as 'number registered' and 'number attended' will remain.

EventBuilder currently uses BitLocker to encrypt data at rest on workstations and has enabled vendor-provided encryption settings where possible for other cloud services like AWS. The database storing customer PII is encrypted.

Software Users accept Terms of Service upon initial log-in to the software.

Registrants accept Terms of Use when submitting their registration information.

In Transit: SSL/TLS

At Rest: AES256

Username & Password or API Key and Secret

Additional options:

Portal Login Security - When this option is enabled, Portal account holders will be prompted to change their password at an interval you set here.

Password Management - Admins may also restrict Users' reuse of previous passwords. For example, Administrators can require Users to change their password every 60 days and disallow use of the User's 6 most recent passwords upon changing.

2-Factor Authentication - Add an additional login requirement for Portal access.

Data access is controlled by EventBuilder's Access Control Policy.

The OWASP Top 10 is used as a guide when writing test plans for security and privacy requirements.

Quality Assurance (QA) – This stage of testing must ensure that software components (including those developed via prototyping) perform properly according to specifications and interface with each other. This phase of testing may involve unit, integration, regression, and security and privacy testing and will ensure user, functional, security, and privacy requirements were properly implemented. Security and privacy testing may involve final secure code reviews which will be performed manually using the OWASP Top 10.

Penetration tests are performed periodically to evaluate the security of cloud networks and environments. Such testing includes external penetration tests as well as web application security assessments.