Eventsforce Virtual Content Delivery (VCD) Data Security Policy

Introduction

This document sets out our security procedures in relation to your data when you use our online virtual content delivery platform, namely ‘VCD’. 

The VCD is a web-based application (SaaS), that allows event attendees to access event information and admin users configure information that is made available to event attendees.  

This document only covers and is relevant to licenced users of the VCD. The Eventsforce Data Security Policy applicable to the Eventsforce software application and services can be accessed separately here https://www.eventsforce.com/data-security-policy/

Authorisation

The VCD platform is a multi-tenant SaaS system, built from the ground up to restrict data access based on each event. Information for a particular event is only accessible to an attendee registered for that event. 

The VCD uses the Eventsforce API to exchange data with Eventsforce and publish event information. The VCD will require access to the “events”, “attendees”, “abstracts” and “sessions” resources in the Eventsforce API. By providing an API key for your event, you are consenting to all data related to the event to be transferred to the VCD platform.

The Eventsforce VCD can be restricted to get data from single or multiple events using Event Access Groups for the API user in Eventsforce. 

All servers are behind a virtual private network that can only be accessed from the web server gateway. In addition, each server has its own firewall. 

Access to the VCD platform is via a Json Web Token (jwt) the user receives via an invitation email.  The token is stored in the browser to allow for login. Jwt token links expire after 30 days of being issued.

Encryption

Clients communicate with the VCD platform over HTTPS with HTTP Strict Transport Security (HSTS) enabled. Passwords are stored hashed in the database and email addresses are encrypted. All data is encrypted at rest. 

Data Protection

Please refer to the relevant Eventsforce Licence Terms and our Privacy and Security Policy, available online at, or at or such other website addresses as may be notified by us from time to time.

Physical Security

The VCD provides a hosted and managed service for customers. Infrastructure and data is hosted in secure Amazon AWS data centers in the United States of America (US West – Oregon). 

AWS in the USA is compliant with recognised standards for ISO27001, GDPR and SOC, amongst others. Please see https://www.atlas.aws/ for details. 

Servers are regularly updated with the latest security patches.  Critical updates will be applied as soon as possible depending on the severity. Amazon CloudWatch is used for monitoring the services.

PCI-DSS Compliance

The VCD does not process payments or handle payment card data.

Disaster Recovery

System health is constantly monitored.  This includes monitoring network speeds, security alerts and performance. External systems frequently ping our servers to check for response times and uptime

Data is backed up continually throughout each day, and a full database backup is done each evening.  Backups are stored on Amazon S3, and will periodically be used to update staging environments.  Backups are kept for 7 days.

Incident Management

Any of our employees or subcontractors that discovers or suspects that a security incident has happened must report the incident to both their manager and to a company director immediately. 

Security incidents may include:

  • Unauthorised access to any Eventsforce system
  • Disclosure of protected data, including paper disclosure, e-mail release or inadvertent posting of data on a web site
  • Viruses, worms and trojan horses
  • Denial-of-service or any other attack on any Eventsforce system

The director will coordinate the response to the incident, involving other employees as required. The response may include:

  • An immediate resolution to the incident (e.g. temporarily disabling an account or server)
  • Informing affected customers if the incident might result in a breach notification
  • Informing the police if a criminal offence is suspected
  • Product or process changes to avoid future incidents of this kind

Sub-Processors

Amazon AWS
Simpleview