Legal, Privacy, Security, and Certifications

Legal Standards: EventBuilder’s services are designed to align with U.S. federal and state consumer privacy laws (e.g., consumer privacy laws applicable to residents of California , Colorado, Connecticut, Nevada, Utah, Virginia, and other U.S. states with laws providing similar protections), Europe’s General Data Protection Regulation (GDPR) and its counterpart regulation in the United Kingdom, and other privacy and security laws that apply to our Customers wherever they are located. For more information, please see our Privacy Notice.

Personal Information Categories: EventBuilder collects the minimum Personal Information necessary to provide the services, specifically the event registrant’s first and last name and an email address. Customers determine any additional information requested and collected from event registrants. Categories of Personal Information collected may include:

• Identifiers
• Internet activity
• Commercial information
• Sensitive Personal Information (if the Customer instructs EventBuilder to process such data)

Data Subject Categories: 

• Individual event attendees associated with Customer who access, download, install, or use EventBuilder services
• Customer's employees
• Other end users granted access to EventBuilder services by the Customer

Privacy Requests: If you have questions about our privacy practices or would like to make a complaint, please complete the Consumer Privacy Request form.

Data Processing: Each Customer determines the frequency, nature, and purpose of Personal Information transfer and processing for their registrants and other end users. Please see the Data Processing Addendum for more information about data processing by EventBuilder.

Processor: EventBuilder collects and processes Personal Information on behalf of Customers as a “processor” or “service provider.” Where Customers use EventBuilder services involving a cross-border transfer of data, EventBuilder is the “data importer.” Learn more about EventBuilder's role as a processor of privacy data.

Controller: Customers are considered the “controller” or “business” in that the Customer determines the type of Personal Information collected, the purpose for collection, and how this data is processed, used, and retained. Where Customer uses EventBuilder services involving a cross-border transfer of data, the Customer is the “data exporter.”

Sub-processors: EventBuilder engages Sub-processors to provide the services. We require our Sub-processors to meet or exceed EventBuilder’s own privacy and security standards. Please see the EventBuilder Sub-processor List for more information about EventBuilder’s current use of Sub-processors.

Registrant Data Retention: Customer Administrators determine the length of time registrant data will be stored. At the conclusion of the designated time, EventBuilder redacts all identifying information from registrant records, but non-identifying event data such as 'number registered' and 'number attended' is retained. For more information, please see our Privacy Notice.

Data Storage: EventBuilder currently uses BitLocker to encrypt data at rest on workstations and has enabled vendor provided encryption settings where possible for other cloud services like Azure. The database storing customer PII is encrypted.

Data Encryption: All data on EventBuilder systems is encrypted in transit using SSL/TLS and at rest using AES256. 

Authentication Methods: Username & Password or API Key and/or Secret. Additional available options include portal login security, password management, and 2-factor authentication.

Access Controls: Data access is controlled by EventBuilder's Access Control Policy.

Vulnerability Tests: EventBuilder uses the OWASP Top 10 as a guide when writing test plans for security and privacy requirements. Penetration tests are performed periodically to evaluate the security of cloud networks and environments. Such testing includes external penetration tests as well as web application security assessments. EventBuilder performs risk assessments at least annually as well as in response to significant changes or events to identify and address risks.