This page outlines the security practices implemented by Conference Badge. For any question, please contact us at security@conferencebadge.com.

Our security.txt can be found here.

Infrastructure

Our service is built on Heroku and Amazon Web Services, both of which maintain strong security programs and hold the major industry compliance certifications. You can read more about each provider's security practices on their respective security pages.

Encryption

AT REST

All data stored in our database and cloud storage is encrypted at rest.

IN TRANSIT

All connections to our website are encrypted using TLS (Transport Layer Security). This also applies to connections between our servers and third parties such as Eventbrite and Universe.

Vulnerability disclosure

We encourage responsible disclosure of vulnerabilities found on our website. To report a vulnerability, email us at security@conferencebadge.com with a detailed description, including steps to reproduce, so that we can understand and fix the issue promptly.

We ask that you not publicly disclose a vulnerability until it has been fixed. We offer rewards based on the severity of each vulnerability.

Exclusions (out-of-scope reports)

The following categories are excluded from our vulnerability disclosure program, and we offer no reward for reports in them:

  • Missing DKIM, SPF or DMARC records
  • Missing DNSSEC
  • Missing HTTP security headers, such as Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options
  • Outdated versions of JavaScript libraries such as jQuery
  • Reports affecting the help.conferencebadge.com subdomain

GDPR

Conference Badge is compliant with the GDPR (General Data Protection Regulation). See our GDPR page for more information.

Payment information

Payments made through our service are processed by Stripe, which is certified as a PCI DSS Level 1 Service Provider. We do not store payment card information in our infrastructure.

Past incidents

October 18, 2019

Read more information on this page.

This document was last updated on October 24, 2019