ISO 27001 Certification - Security Information Management System
ISO 27701 Certification - Privacy Information Management System
Privacy and Security
EventBuilder SaaS software and virtual event production and management services, and includes all PII processing activities, business processes, people, technology, and information assets related to the provision of these services.
Risk assessments will be performed at least annually, and in response to major changes, in order to ensure risks are being identified and managed, and that previously identified risks are being addressed in accordance with risk treatment plans.
EventBuilder’s collection and processing of PII falls within the definition of “Data Processor.” Customers are considered the “Data Controller” in that they determine the type of PII collected from registrants (Data Subjects), the purpose for collection, and how this data is processed, used, and retained.
Customers determine the information that they request from registrants for their events. The minimum amount of information required by EventBuilder to perform contracted services has been determined as:
Registrant Data Retention Period - Administrators set the length of time Registrant Data will be stored. After the designated time, identifying information will be redacted on Registrant records, but event data such as 'number registered' and 'number attended' will remain.
EventBuilder currently uses BitLocker to encrypt data at rest on workstations and has enabled vendor-provided encryption settings where possible for other cloud services such as AWS. The database storing customer PII is encrypted.
In Transit: SSL/TLS
At Rest: AES256
Username & Password or API Key and Secret
Portal Login Security - When this option is enabled, Portal account holders will be prompted to change their password at an interval you set here.
Password Management - Admins may also restrict Users' reuse of previous passwords. For example, Administrators can require Users to change their password every 60 days and disallow reuse of a User's 6 most recent passwords when the password is changed.
2-Factor Authentication - Add an additional login requirement for Portal access.
Data access is controlled by EventBuilder's Access Control Policy.
The OWASP Top 10 is used as a guide when writing test plans for security and privacy requirements.
Quality Assurance (QA) – This stage of testing must ensure that software components (including those developed via prototyping) perform properly according to specifications and interface with each other. This phase of testing may involve unit, integration, regression, and security and privacy testing and will ensure user, functional, security, and privacy requirements were properly implemented. Security and privacy testing may involve final secure code reviews which will be performed manually using the OWASP Top 10.
Penetration tests are performed periodically to evaluate the security of cloud networks and environments. Such testing includes external penetration tests as well as web application security assessments.