Tripleseat Security Overview
Keeping customer data safe and secure is a huge responsibility and a top priority for Tripleseat. We work hard to protect our customers from the latest threats. We store all our own sensitive information on the same servers our customers do. We don’t want our customers’ information, or our own, compromised.
Access control and organizational security
All our employees and contractors sign confidentiality agreements before gaining access to our code and data. Background checks are performed on our workers. Everybody at Tripleseat is trained in, and made aware of, security concerns and best practices for the systems they use. Remote access to servers is limited to key employees who need it for their day-to-day work, and is authenticated with SSH keys rather than passwords. We log all access to all accounts by IP address.
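Logging every login by IP address is only useful if someone reviews the log against the access policy. The following is an added example (not Tripleseat’s own tooling) of that review: it parses OpenSSH "Accepted"/"Failed" auth events, records which key fingerprint was used for each successful login so it can be matched to the employee who owns the key, and raises findings for anything the policy above rules out. The log lines, the allowlist of accounts and the failure threshold are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sshd auth-log lines in syslog format (sample data for this example,
# not real logs). IP addresses are from the documentation ranges.
SAMPLE_LOG = """\
Jan  4 10:12:01 app1 sshd[2231]: Accepted publickey for deploy from 203.0.113.10 port 52114 ssh2: RSA SHA256:Qm5rT1oY3s0d9x7m2LsKq0bJtB5kYbd1H1l5tH0q9Yc
Jan  4 10:13:44 app1 sshd[2240]: Accepted password for deploy from 198.51.100.7 port 40112 ssh2
Jan  4 10:15:02 app1 sshd[2251]: Failed publickey for root from 198.51.100.9 port 41000 ssh2: RSA SHA256:7xWq2kL0pQ9sT3vB8nM1cF4dH6jK5gR2yU0eI9oA7zC
Jan  4 10:15:09 app1 sshd[2252]: Failed password for invalid user admin from 198.51.100.9 port 41002 ssh2
Jan  4 10:15:15 app1 sshd[2253]: Failed password for invalid user test from 198.51.100.9 port 41004 ssh2
Jan  4 10:20:31 app1 sshd[2260]: Accepted publickey for bob from 203.0.113.22 port 50000 ssh2: ED25519 SHA256:Lk3pZ8qW1eR5tY7uI9oP0aS2dF4gH6jK8lZ1xC3vB5n
"""

# Hypothetical access policy (assumed for the example): the accounts approved for
# remote access, the only acceptable auth method, and a failed-login threshold.
ALLOWED_USERS = {"deploy", "alice"}
ALLOWED_METHODS = {"publickey"}
FAILURE_THRESHOLD = 3

# Matches OpenSSH "Accepted ..." / "Failed ..." auth events. The trailing
# "ssh2: <keytype> SHA256:<fingerprint>" part is only present for key attempts.
LINE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
    r"(?: ssh2(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?)?"
)


def parse_sshd_line(line):
    """Return a dict describing one sshd auth event, or None for other lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    event = m.groupdict()
    event["invalid_user"] = event.pop("invalid") is not None
    event["port"] = int(event["port"])
    return event


def review_access(log_text, allowed_users=ALLOWED_USERS,
                  allowed_methods=ALLOWED_METHODS,
                  failure_threshold=FAILURE_THRESHOLD):
    """Review sshd events against the policy.

    Returns (findings, accepted): findings is a list of (ip, reason) tuples;
    accepted is a list of (user, ip, key_fingerprint) for every successful
    login, fingerprint None when no key was involved.
    """
    findings = []
    accepted = []
    failures = Counter()
    for line in log_text.splitlines():
        event = parse_sshd_line(line)
        if event is None:
            continue
        if event["result"] == "Failed":
            failures[event["ip"]] += 1
            continue
        accepted.append((event["user"], event["ip"], event["fp"]))
        if event["method"] not in allowed_methods:
            findings.append((event["ip"],
                             f"{event['method']} login accepted for {event['user']} (policy: keys only)"))
        if event["user"] not in allowed_users:
            findings.append((event["ip"],
                             f"login by account not on the access list: {event['user']}"))
    for ip, count in failures.items():
        if count >= failure_threshold:
            findings.append((ip, f"{count} failed logins"))
    return findings, accepted


if __name__ == "__main__":
    found, logins = review_access(SAMPLE_LOG)
    for user, ip, fp in logins:
        print(f"login  {user:8} {ip:16} {fp or '(no key)'}")
    for ip, reason in found:
        print(f"ALERT  {ip:16} {reason}")
```

Against the sample log this flags the accepted password login (which should be impossible if password authentication is disabled in sshd_config), the login by an account not on the list, and the source address with three failures. Feeding it the real auth log in a scheduled job, with the allowlist generated from the list of approved key holders, turns "we log all access" into a check that is actually acted on.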
Vulnerability and Penetration testing
We run weekly Nessus vulnerability scans against our servers using Tenable; both an application scan and a port scan are performed. These scans find known vulnerabilities and exposed services; they are not a penetration test. Penetration testing is done annually by a 3rd party. Results can be made available upon request.
Our DevOps team is in charge of access/identity management, network connectivity, firewalls and log file management. Responsibilities of this team include:
- Review our Vulnerability Scans weekly
- Review all changes to the code and infrastructure to ensure they follow best practices and security guidelines (such as OWASP)
- Build and operate our infrastructure, including logs, monitoring and authentication
- Review, test and design incident response processes
- Respond to alerts triggered by any security events
- Coordinate external audits and security and privacy certifications
- Monitor and alert on anomalous activity
- Coordinate vulnerability testing with external security researchers
Audits, Security Policies and Standards
We submit a PCI DSS self-assessment questionnaire (SAQ A, v3.2), the questionnaire for merchants whose cardholder data handling is fully outsourced to PCI-compliant service providers; each submission is valid for one year. A copy of our PCI attestation of compliance is available upon request. Both of our payment platform options (Stripe and Bluepay) are fully PCI compliant. We have not completed a SOC audit, but we can provide a copy of the SOC reports for the data centers we use once an NDA has been signed.
We use several internal and 3rd party systems to monitor and mitigate suspicious activity, including vulnerability scanning and failed-login monitoring. We also have alerts in place for excessive resource use; these escalate to our DevOps team for manual investigation. Our products run on a private cloud network secured with firewalls and carefully monitored.
Data protection and privacy
Our primary data centers are in the United States, in Amazon Web Services (AWS). All data is written to multiple disks immediately; full backups are taken every 6 hours and incremental backups every 15 minutes, and both are stored in multiple locations. Files that our customers upload are stored on redundant storage designed to avoid bottlenecks and single points of failure. Our software infrastructure is updated regularly with the latest security patches. Critical and high-severity security issues are patched immediately, and in all cases within 7 days.
Encryption in transit and at rest
Data sent over public networks is protected with TLS. Our SSL/TLS certificates are issued by Comodo.
Event data, messages, text documents and todos are not encrypted at rest; they are live in our database and subject to the same protection and monitoring as the rest of our systems. Passwords are never stored directly: each is hashed with bcrypt (a salted, deliberately slow password hash) using a cost factor of 10.
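A bcrypt cost factor is not a global setting: it is recorded inside every stored hash, so rows written under an older, lower cost keep that cost until the user logs in again and the hash is regenerated. The following added example (not Tripleseat’s code) shows the check a practitioner would run over a password column to confirm the stated cost is actually in force: it parses the bcrypt string format, flags rows whose cost is below the policy floor or that are not bcrypt at all, and gives the predicate an application can call after a successful login to decide whether to rehash. The sample rows are constructed, format-valid placeholders, not hashes of any real password, and the policy floor of 10 is taken from the statement above.

```python
import re

# bcrypt stores everything needed to verify a password in one string:
#   $<version>$<cost>$<22-char salt><31-char digest>
# version is 2, 2a, 2b, 2x or 2y; cost is the log2 work factor (10 means 2**10
# rounds); salt and digest use bcrypt's own base64 alphabet [./A-Za-z0-9].
BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

MIN_COST = 10  # the cost factor stated on this page, used as the policy floor

# Constructed sample rows (format-valid placeholders, not hashes of any real
# password). u3 stands in for a legacy unsalted MD5 value left over from a
# migration; u5 is one digest character short, as a corrupted row would be.
SALT = "N9qo8uLOickgx2ZMRZoMye"
DIGEST = "IjZAgcfl7p92ldGxad68LJZdL17lhWy"
SAMPLE_ROWS = [
    ("u1", f"$2b$10${SALT}{DIGEST}"),            # meets policy
    ("u2", f"$2a$08${SALT}{DIGEST}"),            # cost too low
    ("u3", "5f4dcc3b5aa765d61d8327deb882cf99"),  # not bcrypt
    ("u4", f"$2b$12${SALT}{DIGEST}"),            # above the floor, fine
    ("u5", f"$2b$10${SALT}{DIGEST[:-1]}"),       # truncated, will not verify
]


def parse_bcrypt(stored):
    """Split a stored bcrypt string into its fields, or return None if it is not one."""
    m = BCRYPT_RE.match(stored)
    if m is None:
        return None
    return {
        "version": m["version"],
        "cost": int(m["cost"]),
        "salt": m["salt"],
        "digest": m["digest"],
    }


def needs_rehash(stored, min_cost=MIN_COST):
    """True if the row should get a fresh hash the next time the user logs in:
    either it is not bcrypt at all or its cost is below the policy floor."""
    info = parse_bcrypt(stored)
    return info is None or info["cost"] < min_cost


def audit_password_column(rows, min_cost=MIN_COST):
    """rows: iterable of (user_id, stored_hash). Returns {user_id: problem}
    for every row that does not meet the policy."""
    problems = {}
    for user_id, stored in rows:
        info = parse_bcrypt(stored)
        if info is None:
            problems[user_id] = "not a bcrypt hash (plaintext, legacy algorithm or corrupted)"
        elif info["cost"] < min_cost:
            problems[user_id] = f"cost {info['cost']} is below the policy minimum of {min_cost}"
    return problems


if __name__ == "__main__":
    for user_id, problem in audit_password_column(SAMPLE_ROWS).items():
        print(f"{user_id}: {problem}")
```

The rehash itself needs the real bcrypt library: in the login path, after the submitted password verifies against the stored hash (for example `bcrypt.checkpw(password, stored)` with the Python `bcrypt` package), call `needs_rehash(stored)` and, if it is true, replace the row with `bcrypt.hashpw(password, bcrypt.gensalt(rounds=MIN_COST))`. Because the cost lives in the hash, raising the policy floor later is a one-line change here; the audit then reports how many rows are still waiting for their owners to log in.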
Our state-of-the-art servers, hosted and physically managed by Amazon Web Services, are protected by biometric locks and round-the-clock interior and exterior surveillance monitoring. Only authorized personnel have access to the data center. 24/7/365 onsite staff provides extra protection against unauthorized entry and security breaches.
Tripleseat won’t hand your data over to law enforcement unless a court order says we have to. We flat-out reject requests from local and federal law enforcement when they seek data without a court order. And unless we’re legally prevented from it, we’ll always inform you when we receive such requests.
Tripleseat supports GDPR compliance for our customers’ customers. Inbound customer leads must actively acknowledge and accept that we are storing their information. Anyone can request to be removed from our database at any time.
All your content will be inaccessible immediately upon cancellation.
Incident management and disaster recovery
We practice regular recovery drills. Our backups are tested on a regular basis and are retained off-site for up to 30 days. Our dedicated DevOps team maintains and follows procedures for responding to incidents. In the event of an incident, we keep all customers informed as best we can and work to minimize downtime.
Over our 10 years in operation, Tripleseat has continuously improved and hardened our security standards and will continue to do so. We also know that the technical aspect of security only goes so far. As such, we put a lot of time and effort into our security standards so you can trust us with all of your vital event management data.
Want to know more?
Submit a support request if you have other security questions and we’ll get back to you as quickly as we can.