pretix

Security at pretix

Encryption

Our servers only accept encrypted connections. Our deployed encryption technology is up to date and rated A+ by SSL Labs. All communication between servers is also encrypted, using industry standards like SSH or IPsec.

Privacy by default

pretix was designed with privacy in mind. We only collect the data we absolutely need. We do not sell or share private information with third parties and we are transparent about the data we have.


Payment data

We do not process credit card data ourselves. All credit card data is directly received by our supported payment providers like Stripe or Mollie and processed and stored in PCI-compliant systems.

When working with other payment methods, your data is always encrypted in transit between our servers and only stored when necessary.

Authentication

We store passwords using a scheme based on many iterations of PBKDF2. Passwords and keys are filtered from our logs. Login information is always sent over SSL. We support two-factor authentication using both TOTP and U2F as additional security measures to keep your account safe. With our teams feature, you can control in detail who can see what data about your event.

Automated Monitoring and Backups

Our servers are automatically monitored for correct software behaviour, correctly working firewalls, up-to-date software and regular performance.

Our setup is fully redundant and can automatically recover from the failure of any single server. As part of our disaster recovery plan, we create automated backups of all data regularly. Backups are encrypted and stored in a separate data center. They are automatically deleted after three months.

Open Source

The major part of our codebase is open source and available on GitHub. This makes it easier for you to check that we keep our promises. If you feel unsure about using a hosted service, our Community and Enterprise editions allow running pretix on your own servers. All software releases are tagged, and all tags are currently signed by Raphael Michel, with the GPG key fingerprint 6654 0831 7895 7043 9A44 C80D 4F70 B444 E1C6 8BA1.

Application security

When developing pretix, we follow current best practices of the software industry. External contributions as well as all plugins installed on our hosting infrastructure are extensively reviewed from a security perspective by our team.

We protect ourselves against many of the most common security vulnerabilities by building on top of a well-known and security-aware web framework for database access, authentication, and session handling.

We fully leverage modern browser features such as Content Security Policies to protect our users from client-side attacks.

Research and Disclosure

If you discover a vulnerability in our software or server systems, please report it to us in private. Do not attempt to harm our users, our customers' data or our systems' availability when looking for vulnerabilities.

Please contact us at support@pretix.eu with full details and steps to reproduce and allow reasonable time for us to resolve the issue before publishing your findings. If you wish to encrypt your email, you can find our GPG key below.

We're not large enough to run a formal bug bounty program, but if you find a serious vulnerability in our service, we will find a way to show our gratitude.

List of security incidents and their reporters

2018

2017

Our GPG key

For encrypted communication, you can use the following key.

Key ID: 087E60CE
Key Type: RSA
Key Size: 4096
Fingerprint: 4D26 E620 B94A AB7A 8C06 3977 13B1 D884 087E 60CE
Email: support@pretix.eu
