pretix

Security at pretix

Encryption

Our servers only accept encrypted connections. Our deployed encryption technology is up-to-date and rated A+ by SSL Labs. All communication between servers is also encrypted, using industry standards like SSH or IPsec.

Privacy by default

pretix was designed with privacy in mind. We only collect the data we absolutely need. We do not sell or share private information with third parties and we are transparent about the data we have.


Payment data

We do not process credit card data ourselves. All credit card data is directly received by our supported payment providers like Stripe or Mollie and processed and stored in PCI-compliant systems.

When working with other payment methods, your data is always encrypted in transit between our servers and only stored when necessary.

Authentication

We store passwords using a scheme based on many iterations of PBKDF2. Passwords and keys are filtered from our logs. Login information is always sent over SSL. We support two-factor authentication using both TOTP and U2F as additional security measures to keep your account safe. With our teams feature, you can control in detail who can see what data about your event.

Automated Monitoring and Backups

Our servers are automatically monitored for correct software behaviour, correctly working firewalls, up-to-date software and regular performance.

Our setup is fully redundant and can automatically recover from the failure of any single server. As part of our disaster recovery plan, we create automated backups of all data regularly. Backups are encrypted and stored in a separate data center. They are automatically deleted after three months.

Open Source

The major part of our codebase is open source and available on GitHub. This makes it easier for you to check that we keep our promises. If you feel unsure about using a hosted service, our Community and Enterprise editions allow running pretix on your own servers. All software releases are tagged, and all tags are currently signed by Raphael Michel, with the GPG key fingerprint 6654 0831 7895 7043 9A44 C80D 4F70 B444 E1C6 8BA1.

Application security

When developing pretix, we follow current best practices of the software industry. External contributions as well as all plugins installed on our hosting infrastructure are extensively reviewed from a security perspective by our team.

We protect ourselves against many of the most common security vulnerabilities by building on top of a well-known and security-aware web framework for database access, authentication, and session handling.

We fully leverage modern browser features such as Content Security Policies to protect our users from client-side attacks.

Research and Disclosure

If you discover a vulnerability in our software or server systems, please report it to us in private. Do not attempt to harm our users, our customers' data or our systems' availability when looking for vulnerabilities.

Please contact us at security@pretix.eu with full details and steps to reproduce and allow reasonable time for us to resolve the issue before publishing your findings. If you wish to encrypt your email, you can find our GPG key below.

We're not large enough to run a formal bug bounty program, but if you find a serious vulnerability in our service, we will find a way to show our gratitude.

List of security incidents and their reporters

2019

2018

2017

Our GPG key

For encrypted communication, you can use the following key.

Key ID: E56CFD05
Key Type: RSA
Key Size: 4096
Fingerprint: 5140 D23E 8C89 206D 2C7C  8CCD B196 CD22 E56C FD05
Email: security@pretix.eu
