Eventlink® Security FAQs

At Eventlink®, the safety and privacy of your data are our top priority. From payment processing to personal information, we’ve built our platform with security in mind at every step. Eventlink® follows the industry-standard practice of defense in depth, using varied and layered defenses to maintain a robust security posture. Below are answers to common questions about how we keep your data safe and your experience secure.

 

Shared Responsibility Model

Security involves everyone. We share responsibility with Azure, our cloud provider, for maintaining secure servers, networks, and applications. Azure delegates some aspects, like user access management and firewall configuration, to us. In a similar way, Eventlink® delegates some responsibility to users and organizations: maintaining secret account credentials and setting proper user access permissions.

 

Platform Security

Where is Eventlink® hosted?
Eventlink® uses Microsoft Azure as our cloud provider. Azure is responsible for the physical and network security of its servers and complies with security standards such as ISO 27001 and NIST SP 800-53. You can read more about Azure’s security here.

All data is stored and processed in the United States.

How are servers protected?
We use a multi-layered approach for securing servers:

  1. Firewalls are configured to only allow public access to public services, such as the website. Databases are only accessible through a private network.
  2. Internal services, like databases, use strong authentication so that only permitted applications within the internal network can access them.
  3. Eventlink® team access to the infrastructure is restricted to only users with an operational need. All team members with this access are required to use 2-factor authentication.

How is data protected on the platform?

Our database uses a feature called Transparent Data Encryption which keeps all data encrypted at rest.

Data is encrypted in transit using TLS between servers and users.

How often is the Eventlink® platform updated?
Azure is responsible for updating the operating system and host environment for the vast majority of our services. Virtual machines are configured to have updates applied automatically.

The Eventlink® application is updated roughly every 2 weeks. We patch earlier if needed to remediate 3rd party vulnerability disclosures.

What cybersecurity frameworks do you use?

We use NIST CSF 2.0 as a guide for our cybersecurity program.

 

Payment Processing

How are payments processed through Eventlink®?

ACH payments are processed through Dwolla.

Credit card payments are processed through Stripe.

Is Eventlink® PCI-compliant?
Yes! We work with Stripe to certify PCI compliance annually. You can read more about Stripe’s security and PCI Service Provider Level 1 certification here.

Does Eventlink® store credit card or banking information?
Eventlink® does not store credit card or banking information. Stripe processes credit card information and depositing account information. Dwolla stores bank account information for Eventlink® Pay.

 

Data Privacy & Access Control

Do you comply with data privacy regulations?
FERPA - We comply with FERPA requirements. Eventlink® only contains student data if the school specifically requests it within Eventlink® Registrations or when using Eventlink® Athletes. Both features limit data access to specific authorized school staff users. Eventlink® Athletes in combination with Eventlink® Sites may expose student directory information for the purpose of displaying team rosters, and schools have the ability to opt specific athletes out of that display.

COPPA - We comply with COPPA requirements. Please see our Terms of Service and Privacy Policy for details on how children’s data is handled.

Where is data stored?
Eventlink® stores and processes data in the United States.

Can users request data deletion?
Users can request data deletion, but not all requests can be fulfilled due to recordkeeping requirements.

Do you sell or transfer data to 3rd parties?
Eventlink® does not sell data collected. When data needs to be processed by 3rd parties, we have contractual agreements to restrict sharing and sale. Users submitting data to 3rd parties directly are agreeing to the 3rd party’s terms of service and privacy policy, which may differ from ours. See our Privacy Policy for more information.

Do you use personal information for ticket advertisements?
Eventlink® does not disclose information about purchasers to ticket advertisers and does not target ticket advertisements to individuals based on anything other than the organization they are purchasing tickets from.

 

Availability

How does Eventlink® ensure availability?
We deeply understand how important it is for Eventlink® services to be accessible when you need them. Our primary goal is to maintain 100% uptime. We have invested heavily in a redundant architecture that can adapt automatically to increased load. That architecture allows platform updates to be performed with no downtime. Application updates are carefully planned to minimize the chance of disruption.

We have robust monitoring and alerting, which give us a chance to respond to emerging issues before they can cause downtime. An Eventlink® engineer is on-call 24/7/365 to respond to these alerts.

How do you handle unforeseen issues?
As much as we try to avoid problems, there is a lot of complexity in modern computing systems that is outside of our direct control! We have procedures in place for recovering from outages caused by underlying platform issues, for example a regional outage in Azure. Backups are taken on a regular schedule and stored in multiple regions.

 

Personnel

What training does your staff receive?
All Eventlink® team members receive annual compliance training, quarterly security training, and periodic phishing assessments.

The Eventlink® development team receives application security training annually.

 

Reporting a Security Concern

What should I do if I suspect a security issue?
Email any security questions or concerns to security@eventlink.com

What is your response time for security concerns?
Reports should be read within 8 hours and, depending on severity, a response may take up to 48 hours.