In our company, we have implemented an information security management system (ISMS) according to ISO/IEC 27001, which is validated through external audits on a regular basis.
pretix was designed with privacy in mind. We only collect the data we absolutely need. We do not sell or share private information with third parties and we are transparent about the data we have.
We do not process credit card data ourselves. All credit card data is directly received by our supported payment providers like Stripe or Mollie and processed and stored in PCI-compliant systems.
When working with other payment methods, your data is always encrypted in transit between our servers and only stored when necessary.
Our servers only accept encrypted connections. The encryption technology we deploy is up-to-date and rated A+ by SSL Labs. All communication between servers is encrypted as well, using industry standards like SSH or IPsec.
We store passwords using a scheme based on many iterations of PBKDF2. Passwords and keys are filtered from our logs. Login information is always sent over SSL. We support two-factor authentication using both TOTP and U2F as additional security measures to keep your account safe. With our teams feature, you can control in detail who can see what data about your event.
The major part of our codebase is open source and available on GitHub. This makes it easier for you to check that we keep our promises. If you feel unsure about using a hosted service, our Community and Enterprise editions allow running pretix on your own servers.
Our servers are automatically monitored for correct software behaviour, correctly working firewalls, up-to-date software and consistent performance.
Our setup is fully redundant and can automatically recover from the failure of any single server. As part of our disaster recovery plan, we create automated backups of all data regularly. Backups are encrypted and stored in a separate data center. They are automatically deleted after three months.
When developing pretix, we follow current best practices of the software industry. External contributions as well as all plugins installed on our Hosting infrastructure are extensively reviewed from a security perspective by our team.
We protect ourselves against many of the most common security vulnerabilities by building on top of a well-known and security-aware web framework for database access, authentication, and session handling.
We fully leverage modern browser features such as Content Security Policies to protect our users from client-side attacks.
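As an added illustration of what a Content Security Policy does for users, the following Python example (not pretix's own code or policy) builds a CSP header value from a directive mapping, parses one back, and flags the settings that would leave a page open to injected scripts. The two sample policies are constructed for this example; in a real deployment the header would be emitted by the web framework's middleware.

```python
from typing import Dict, List

# Source keywords that let a browser run a specific inline script without
# opening the door to all inline scripts.
_NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def build_csp(policy: Dict[str, List[str]]) -> str:
    """Serialise {directive: [sources]} into a Content-Security-Policy header value."""
    return "; ".join(f"{directive} {' '.join(sources)}"
                     for directive, sources in policy.items())


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a header value back into {directive: [sources]} (directives lower-cased)."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_findings(header: str) -> List[str]:
    """Return human-readable weaknesses in a policy; an empty list means none found."""
    policy = parse_csp(header)
    findings: List[str] = []
    default = policy.get("default-src", [])
    if "default-src" not in policy:
        findings.append("missing default-src fallback")
    # script-src falls back to default-src when absent, so check the effective value.
    script = policy.get("script-src", default)
    if ("'unsafe-inline'" in script
            and not any(s.startswith(_NONCE_OR_HASH) for s in script)):
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    if "*" in script:
        findings.append("script-src allows scripts from any origin")
    if "object-src" not in policy and "'none'" not in default:
        findings.append("object-src not restricted (plugins can load from default-src)")
    return findings


# Constructed sample policies for this example.
WEAK_POLICY = build_csp({
    "default-src": ["*"],
    "script-src": ["*", "'unsafe-inline'", "'unsafe-eval'"],
})
STRICT_POLICY = build_csp({
    "default-src": ["'self'"],
    "script-src": ["'self'", "'nonce-EXAMPLE-NONCE'"],
    "object-src": ["'none'"],
    "frame-ancestors": ["'none'"],
})

if __name__ == "__main__":
    for name, header in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(f"{name}: {header}")
        for finding in csp_findings(header) or ["no findings"]:
            print("  -", finding)
```

The nonce check reflects how browsers that understand CSP level 2 and later treat `'unsafe-inline'`: once a nonce or hash source is present, the `'unsafe-inline'` keyword is ignored, so it can be kept only as a fallback for older browsers rather than as a blanket allowance.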
If you discover a vulnerability in our software or server systems, please report it to us in private. Do not attempt to harm our users, customers' data or our system's availability when looking for vulnerabilities.
Please contact us at security@pretix.eu with full details and steps to reproduce and allow reasonable time for us to resolve the issue before publishing your findings. If you wish to encrypt your email, you can find our GPG key below.
We're not large enough to run a formal bug bounty program, but if you find a serious vulnerability in our service, we will find a way to show our gratitude.
For encrypted communication, you can use the following key.