Eventsforce Mobile App Data Security Policy

Introduction

This document sets out our security procedures in relation to your data when you use our event mobile app, namely ‘Eventsforce Mobile’.

Eventsforce Mobile is a native and web-based mobile application that allows event attendees to access event information and allows admin users to configure the information that is made available to event attendees.

This document covers, and is relevant only to, licensed users of Eventsforce Mobile. The Eventsforce Data Security Policy applicable to the Eventsforce software application and services can be accessed separately here: https://www.eventsforce.com/data-security-policy/

Authorisation

The Eventsforce Mobile platform is a multi-tenant SaaS system, built from the ground up to restrict data access based on each event. Information for a particular event is only accessible to an attendee registered for that event.

Eventsforce Mobile uses the Eventsforce API to exchange data with Eventsforce and publish event information. Eventsforce Mobile requires access to the “events”, “attendees”, “abstracts” and “sessions” resources in the Eventsforce API.

Eventsforce Mobile can be restricted to retrieving data from a single event or from multiple events by using Event Access Groups for the API user in Eventsforce.

All servers are behind a virtual private network that can only be accessed from the web server gateway. In addition, each server has its own firewall.

Encryption

Clients communicate with the Eventsforce Mobile platform over HTTPS with HTTP Strict Transport Security (HSTS) enabled. Passwords are stored hashed in the database and email addresses are encrypted. All data is encrypted at rest.

Data Protection

Please refer to the relevant Eventsforce Licence Terms and our Privacy and Security Policy, available online at, or at or such other website addresses as may be notified by us from time to time.

Physical Security

Eventsforce Mobile is provided as a hosted and managed service for customers. Infrastructure and data are hosted in secure Amazon AWS data centers in the United States of America (US West – Oregon).

AWS in the USA is compliant with recognised standards and regulations, including ISO 27001, GDPR and SOC, amongst others. Please see https://www.atlas.aws/ for details.

Servers are regularly updated with the latest security patches. Critical updates are applied as soon as possible, depending on the severity. Amazon CloudWatch is used for monitoring the services.

PCI-DSS Compliance

Eventsforce Mobile does not process payments or handle payment card data.

Disaster Recovery

System health is constantly monitored. This includes monitoring network speeds, security alerts and performance. External systems frequently ping our servers to check response times and uptime.

Data is backed up continually throughout each day, and a full database backup is taken each evening. Backups are stored on Amazon S3 and are periodically used to update staging environments. Backups are kept for 7 days.

Incident Management

Any employee or subcontractor who discovers or suspects that a security incident has happened must report the incident immediately to both their manager and a company director.

Security incidents may include:

  • Unauthorised access to any Eventsforce system
  • Disclosure of protected data, including paper disclosure, e-mail release or inadvertent posting of data on a website
  • Viruses, worms and trojan horses
  • Denial-of-service or any other attack on any Eventsforce system

The director will coordinate the response to the incident, involving other employees as required. The response may include:

  • An immediate resolution to the incident (e.g. temporarily disabling an account or server)
  • Informing affected customers if the incident might result in a breach notification
  • Informing the police if a criminal offence is suspected
  • Product or process changes to avoid future incidents of this kind

Sub-Processors

  • Amazon AWS
  • Simpleview