Trust & Security

Security at Attendir

Your event data deserves enterprise-grade protection. Here is how we keep it safe.

Encryption Everywhere

AES-256-CBC encryption for sensitive data at rest. TLS 1.2+ for all data in transit. bcrypt password hashing at cost factor 12. No plaintext secrets.

Secure Authentication

Rate-limited login (5 attempts/min). Session regeneration on auth. Secure, HTTP-only, SameSite cookies. Google OAuth support.

Webhook Verification

HMAC-SHA256 signature verification on all inbound webhooks from Eventbrite, Luma, Bizzabo, Cvent, and Stripe. No unsigned payloads accepted.

GDPR Compliance

Data export, account deletion, privacy policy, cookie consent. Personal data collected only when attendees actively choose to share.

Audit Logging

All authentication events and data changes are logged with timestamps, IP addresses, and user agents. Full audit trail for compliance.

Security Headers

HSTS, Content Security Policy, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers on every response.

Data Encryption

Every connection to Attendir is encrypted with TLS 1.2 or higher. We enforce HTTPS across the entire platform — there is no way to access Attendir over an unencrypted connection.

Sensitive data at rest, including OAuth integration tokens and encrypted sessions, is protected with AES-256-CBC, the same encryption standard used by financial institutions. Passwords are never stored; they are hashed with bcrypt at cost factor 12, a deliberately slow one-way function. Even if the database is compromised, a stolen hash cannot be reversed to recover the password, and the cost factor makes offline guessing against each hash expensive.

Access Controls

Attendir implements strict access controls at every layer:

  • Authentication: Rate-limited login with a maximum of 5 attempts per minute. The session identifier is regenerated on every successful login, so a session ID planted before authentication cannot be reused afterwards (session fixation).
  • Authorization: Every resource (events, campaigns, billing) is protected by policy-based authorization. Users can only access their own data.
  • CSRF Protection: All state-changing requests require valid CSRF tokens.
  • Rate Limiting: All public endpoints are rate-limited to prevent abuse.

Integration Security

When you connect Attendir to event platforms like Eventbrite, Luma, Cvent, or Bizzabo, your integration credentials are encrypted with AES-256 before being stored. We never store credentials in plaintext.

All inbound webhooks are verified using HMAC-SHA256 signatures. Unsigned or incorrectly signed webhook payloads are rejected with HTTP 403 before they are parsed or acted on. This prevents attackers from spoofing integration events.
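A worked illustration of that check, added here and not taken from Attendir's code base. It follows Stripe's documented signature scheme (a `Stripe-Signature` header of the form `t=<unix timestamp>,v1=<hex digest>`, with the digest being HMAC-SHA256 over `"<t>.<raw body>"`); the other platforms listed above use their own header names and layouts, so only the comparison and replay logic carries over unchanged. The secret, payload, timestamps and the 300-second replay window are constructed assumptions.

```python
"""Added example (not Attendir's code): HMAC-SHA256 webhook verification.

Header format follows Stripe's documented scheme:
  Stripe-Signature: t=<unix timestamp>,v1=<hex digest>[,v1=<hex digest>]
  digest = HMAC-SHA256(secret, "<t>.<raw request body>")
The secret, body and timestamps used below are constructed.
"""
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window (Stripe's default)


class SignatureError(Exception):
    """Any verification failure; the handler maps it to HTTP 403."""


def compute_signature(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<body>".

    `body` must be the raw bytes exactly as received: re-serialising parsed
    JSON can reorder keys or change whitespace and silently break the MAC.
    """
    signed_payload = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, signed_payload, hashlib.sha256).hexdigest()


def parse_signature_header(header: str):
    """Split "t=...,v1=...[,v1=...]" into (timestamp, [signatures])."""
    timestamp = None
    signatures = []
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep:
            continue
        if key == "t":
            try:
                timestamp = int(value)
            except ValueError:
                raise SignatureError("malformed timestamp")
        elif key == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        raise SignatureError("malformed signature header")
    return timestamp, signatures


def verify_signature(secret: bytes, body: bytes, header: str, now=None) -> None:
    """Raise SignatureError unless `header` is a fresh, valid MAC of `body`."""
    now = int(time.time()) if now is None else now
    timestamp, signatures = parse_signature_header(header)
    # Reject stale timestamps so a captured, validly signed request cannot
    # simply be replayed later.
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        raise SignatureError("timestamp outside tolerance (possible replay)")
    expected = compute_signature(secret, timestamp, body)
    # compare_digest runs in constant time, so response timing leaks nothing
    # about how many leading bytes of a forged digest were correct. Accepting
    # any matching v1 value keeps secret rotation (two live secrets) working.
    if not any(hmac.compare_digest(expected, candidate) for candidate in signatures):
        raise SignatureError("signature mismatch")


def handle_webhook(secret: bytes, body: bytes, headers: dict, now=None):
    """Return (status, message): 200 for a verified payload, 403 otherwise."""
    header = headers.get("Stripe-Signature")
    if header is None:
        return 403, "missing signature header"
    try:
        verify_signature(secret, body, header, now=now)
    except SignatureError as exc:
        return 403, str(exc)
    # Only now is it safe to json.loads(body) and dispatch on the event type.
    return 200, "ok"


if __name__ == "__main__":
    secret = b"whsec_constructed_example_secret"        # constructed, not real
    body = b'{"id":"evt_123","type":"order.placed"}'    # constructed payload
    ts = 1_700_000_000
    good = {"Stripe-Signature": f"t={ts},v1={compute_signature(secret, ts, body)}"}
    print(handle_webhook(secret, body, good, now=ts))          # (200, 'ok')
    print(handle_webhook(secret, body + b" ", good, now=ts))   # (403, 'signature mismatch')
    print(handle_webhook(secret, body, good, now=ts + 3600))   # (403, 'timestamp outside tolerance (possible replay)')
```

Two points matter in practice beyond the arithmetic: read the body as raw bytes before any framework middleware parses it, and never fall back to a plain `==` on the digests, since the constant-time comparison is what stops a remote attacker from recovering a valid signature one byte at a time.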

GDPR & Privacy

Attendir is designed for GDPR compliance from the ground up:

  • Data minimization: We collect only the data necessary to power your event sharing campaigns.
  • Consent-based collection: Event attendee data is collected only when they actively choose to share an event via LinkedIn.
  • Data export: Account holders can request a full export of their personal data in JSON format.
  • Account deletion: Users can delete their account at any time, which removes all associated personal data.
  • Cookie consent: We display a cookie consent banner and only load analytics after consent is granted.

For full details, see our Privacy Policy.

Monitoring & Incident Response

We maintain continuous monitoring through:

  • Error tracking: Sentry monitors all application errors in real time with alerting.
  • Audit logging: All authentication events (login, logout, failed attempts) and data changes (create, update, delete) are logged with timestamps, IP addresses, and user agents.
  • Dependency scanning: We run automated vulnerability scans on all PHP and JavaScript dependencies.

We maintain a documented incident response plan with defined severity levels, response procedures, and communication protocols.

Infrastructure

Attendir runs on DigitalOcean managed infrastructure with automated backups, firewall rules, and TLS certificate management. Payment processing is handled by Stripe (PCI DSS Level 1 certified); we never store credit card numbers or payment details on our servers.

Deployments are automated through a CI/CD pipeline with mandatory test suite execution before any code reaches production.

SOC 2 Readiness

Attendir has implemented controls aligned with the SOC 2 Trust Services Criteria and ISO 27001 standards, including:

  • Information security policies and access control matrix
  • Change management and deployment procedures
  • Incident response plan with severity classification
  • Risk assessment register with quarterly reviews
  • Third-party vendor assessment process
  • Disaster recovery plan with defined RTO and RPO
  • Data classification and cryptographic controls policies

Frequently Asked Questions

Is Attendir GDPR compliant?

Yes. Attendir is fully GDPR compliant. We process personal data lawfully (consent or legitimate interest), support data subject rights including access, export, and deletion, and our data processing is documented in our Privacy Policy. Event attendee data is collected only when they actively choose to share an event.

How does Attendir encrypt data?

All data in transit is encrypted with TLS 1.2+. Sensitive data at rest, including OAuth integration tokens and sessions, is encrypted with AES-256-CBC. Passwords are hashed with bcrypt at cost factor 12, a deliberately slow one-way function: a stolen hash cannot be reversed to recover the password, and the cost factor makes offline guessing expensive.

Is Attendir SOC 2 certified?

Attendir has implemented SOC 2 Trust Services Criteria controls including access control policies, change management procedures, incident response plans, risk assessments, and audit logging. We are working toward a formal SOC 2 Type II attestation report from an independent auditor.

Where is Attendir data hosted?

Attendir is hosted on DigitalOcean infrastructure. Payment processing is handled by Stripe (PCI DSS Level 1 certified). We do not store credit card numbers or payment details on our servers.

How do I report a security vulnerability?

Please email security concerns to info@attendir.com. We acknowledge reports within 48 hours and work to resolve confirmed vulnerabilities promptly. We appreciate responsible disclosure.

Start your free 7-day trial

No credit card required. Set up your first campaign in minutes.