91��Ƭ�� Security Guide

91��Ƭ�� Security & Safety Guide

PCI Compliant

91��Ƭ�� complies with PCI-DSS 4.0.1 Level 1 as both a Merchant and a Service Provider.

Registered with both and as a PCI-compliant Service Provider.
Regularly audited by a Qualified Security Assessor (Coalfire, Inc.)
Passes internal and external application and network penetration testing performed by independent security firms.
Scanned monthly by an Approved Scanning Vendor (ASV).
PCI Attestation of Compliance (AOC) is available for download.
91��Ƭ�� employs a cross-functional team responsible for oversight of PCI Compliance.

SOC Compliant

91��Ƭ�� Systems and Organisation Controls (SOC) Reports are independent third-party examination reports that demonstrate how 91��Ƭ�� achieves key compliance controls and objectives.
91��Ƭ�� SOC 3 Security, Availability & Confidentiality Report, available for Download.

Compliance Documents

The following documents are available to the public. Applicability to your environment needs to be assessed / approved by your auditors.

Privacy

91��Ƭ�� maintains a comprehensive privacy programme. To us, this means that although we are required by law or regulation to do certain things, we are continually evaluating whether we can and should do more.

We do not sell the personal information of our customers to third parties.
We have a full time legal and security team focused on privacy and security issues.
We participate in and comply with the EU-U.S. Privacy Shield Framework. You can find out more about our commitment to the EU-U.S. Privacy Shield Framework in our EU-US Privacy Shield Notice.
You can find our privacy policy at: eventbrite.com.au/privacypolicy.

Hosting Environment

Amazon EC2 hosts 91��Ƭ��'s production systems.

PCI-DSS Level 1 Service Provider
ISO 27001 certified
Independently verified and audited
SAS-70 Type II and SSAE16
site

Web and Mobile Application Development

91��Ƭ�� is committed to designing, building, and maintaining secure systems.

All applications are regularly scanned for common security vulnerabilities including the .
Regular training on Secure Coding Practices is provided. All engineers must attend training sessions.
No credit card information is permitted to be stored on any mobile device.
Use of encryption for both storage and transmission of sensitive information is regularly audited by the 91��Ƭ�� Security Team.
All web and mobile applications are primarily developed, tested, deployed, and maintained by a full-time, in-house engineering team.

Encryption

91��Ƭ�� uses strong encryption methods and key management procedures to ensure your sensitive information is protected.

All credit card information is encrypted with strong industry-standard cryptographic protocols such as AES and TLS while in transit through our systems.
91��Ƭ��'s website and APIs are accessible via a 256-bit SSL certificate issued by Digicert.
Credit card information is never stored after transaction authorisation.
Access to encryption keys is held by the smallest number of 91��Ƭ�� employees possible.

Our Organisation

91��Ƭ�� has taken appropriate measures to vet our employees.

All employees are subject to reference, education, and other personnel checks. Certain employees are also subject to detailed background checks.
91��Ƭ�� maintains an information security training programme that meets PCI-DSS standards and complies with the Massachusetts Privacy Law (201 CMR 17).
Knowledgeable full-time security personnel are on staff.
Require written acknowledgement by employees of their roles and responsibilities with respect to protecting user data and privacy.

Incident Response

While we don't anticipate there ever being a breach of our systems, we know that no computer system is perfectly secure.

In the event of a breach of an 91��Ƭ�� information system, we have a detailed Incident Response plan in place.
Periodic testing of the response plan.
91��Ƭ�� has 24x7 monitoring of its security systems and alerts.

Research and Disclosure

If you discover a vulnerability with 91��Ƭ��'s information systems, report it to us first!

Do not attempt to harm 91��Ƭ��, its users, or customer's data.
Allow reasonable time for 91��Ƭ�� to resolve the issue before publishing findings publicly.
Report details to security@eventbrite.com.
Check for eligibility on the Security Reporting FAQ
Include full details and steps to reproduce.
Recognition by listing on the 91��Ƭ�� Security Wall of Fame
If you wish to encrypt your email, use 91��Ƭ�� Security's GPG Key:

Key ID: 351AC626
Key Type: RSA
Key Size: 4096
Fingertprint: 1809 8001 2CFF E338 E92D  8723 9CA7 08B5 351A C626
Email: security@eventbrite.com

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBE/iLWUBEADEkM+z/Oa2hBdiHKeDmeFdLlum5d0YGDKA75SWZ/MDlgC+sXZQIwrx9pVPkWjzWANoBsfdd5rq277UlO+TIzcegSmX/8qOQ7lkAhQCt6IFNS2JsTqizof94pNCr5EU0Be3FZHwqRfgSjqNH8zqlOoHNIgVCVpwfhIt08pGxQ8HsYVzZeWgymMbSURNB4qe6tUxsiW+/z+LmGUHhlKrcYgpsCJwofuRihgJ47D/SvkmnjHE8CpNVXgSOe/OxGkd/AbnYU+67d2p2GSlA4g3F0WLhT5W05zpcKI3RNOzaVeMo/xaVlBchmYMst0JhmIo39MTdtzNe4zzgslMrv4zqhVSMjoOa2H527asY3wB39nuyHMuNjwaEHQTnTnOqcFq8UhCe1B0LsvrUeH+1LVajcnd6X+uIww5a+3yKbJdJvEHvEOjGgrdrsAyMU89GG2JCduH/ZZq4rueZ1VH6NRpZNzda22EsVQNqFYLI840yVbzgEpNrQyD95Uj72KL59v8F7sFdQbxiAUlBCrRSzaDHn3N4FFj9PzHhBjlOFAcKcTQda0k3Q0pidwqSMIE65ES2Ykeo4/KVofAALOuyAbjX25r+7TkbJSne/fqtRIe5dymdg9r/QBnZTJfJMLNsBtxr79KNuA744COXZlzTQ4qdAtUSoVTLn79I1MJSf8wqvuh5QARAQABtCpTZWN1cml0eSBDb250YWN0IDxzZWN1cml0eUBldmVudGJyaXRlLmNvbT6JAjgEEwECACIFAk/iLWUCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJynCLU1GsYm1U0P/3T4MRl2BctVhVouuV90LpPhwhGear9yoVXM0bgZnTmITVRKQOD7cnxrXUKAhMd3AootFBpQ9L5+0sW4PtzwNhHzqt5PBChuiG/IVWWU5WxxrjBG4jb3xQ1MKxQFGj/sJboHXlPIAt3bDap39RxJggROJMqswHZj4xH60z/z31b5khoKUr4mK56xZviU3nDuVvR4J/hJ8o7R94nf7NidsgQSjNLWhGcGibj9XpVvE7l7YKG3vj+oSJ6pgBUzXN27xl9OamraIEwlJk8kPHlBGyZcew6n2shfG8mGF8Xv/XsZHTvebUJVZO1fZhIjNtT9ZBrRdN9v7YIEzyFyxAfoDgE95RZbV0H2Kgl5h5sHRx2ldRfmywm1tRx7FrTJRLUe8UXdTAZqgkRMp9x47VjYaiqLOAn9C6twgFl11rAARc9XJETsWTZm0RD6v6PljJgSuQWVsiKZGy6ir2e7+gxcPccbbUbij+YwWam0ymwfgMnTpHFKpGUdkBk4Y8iXucUJ/V4mKYmH5OFkG/2PIwdhkdpPj1slqU8pu5PrSFgY2lcKqq192gr7MvLJARVUGq3jElnhOgNB3cP0Eg7v0KoU0Bsuq4pDqfHpgE+uYMBkXW09uu6PDZVDpyEJbFxbpjIlqFej2kOM3yGDzOhRXNPFyAQmv72XqeGN37nqLx11WLR5uQINBE/iLWUBEADHcje1FAyryLoDVozWf8vV9snX99lpH8tUtSQOYA+4JUOjODm5OA0mzs4nlQun4Mn9QTl1A6g7bIrxE4rZeAvCyE27tqyyHUSDjs6j2ur5S9oDcRo2k44+0C7rGirjBLetZ3axQ15DP4FKPOE1Hs5EewhthiZkQ9DwbS1iXZjH2cPUPjwH+KVNP+L/TM7dWqLcqW/f5Eu0MxgQWajmkBqX2k1HTRmsYeKUqRZ8/7gr7gkbro5t0qbn8wPiJR2fIzN40ky9T705obM+AxcnLAGwJ/T/Y1zoEiECLC97t1om7V0cYQn4h0fqnuVJLGF/uMLW5hPp+2sOVuY5lPJS6zU5c+jRl/L6Xcbou5kuYW+v9RWc+ubfVer/qAW7LNnk4ILr+2YVQMBeMZqF04YSRrCe8IuzP/JDAssKKSWE/tEUMwnSr6m9MBF54RERIJk4zJ6jwIJTF532X0Z7Doi0trHKeHQGIiAzF4t4JBvei1b9B10eWy1XASu3DL4s0zfDck1Fozk8f1N3RqNfWi9eIO27AlGbjLGXiQCe8S7PIuIvNcYSSsxmsfz0bcldsKeVpEd+Iij3BD/orkXYcpypYQ4M6MsibtvtJti6jQUwsJghLxSdqKM8xsN1k+ojJi1VizguoYs245vmUjwqglGDQukzh+KVcF97rA5A4ZJ8KFkgiwARAQABiQIfBBgBAgAJBQJP4i1lAhsMAAoJEJynCLU1GsYmnXkQAKcPGqAgmWe5wLjfBde4gG8O2OSr33eu4vmkWRKQ6kLrl2DDHR4sv4P7tZZ/YFG/IZlOEBplTVlOvxzfW6IEuEajhw2DoXh2sO3de4soUli8M1XzceV+k5h+ZXt/7shNEoslMfdss1D84FGH33dUOzkgM6mUv2PfluoKOw47PeYAQPc4PuvkIiXBI0TGClRD47gyZRtegpg4lt5IaOTj6XhyTbOGHC0GsxC3IAELRbpj6r6yNfQn70/6xFLhG1EqkUF2Ps4mqZsIxzAWt1nFrvntpUKZec96aaKq977bM0PFWcLGNccfSEuZm2XbidjHbGvNx/d9d/nlKnMDyVeIy+OGqXB7lVowyt/DAYq0xbe/9zHXNTGR9isY2Ls/e2tDLLyWArBQ0hsQrASzYUIPq8XIV/Cqqv171sJqvKPhOLuu1brjpjgigIXPrlrUQ2Ef16DmMqciSNuRViFfrV4P7gSGXsiiClxWOH0TK5T5BUpHEzk6aGPO747tMRRsWxENi+Vk90xpjnQkw8JBa+tmGP1RxVnHBNfL1f34LfabVbF/pcFCWb3rHTEtkd0IzhWl4Vg8lGuuSmBFGCKtPVMBW4uq7FQDqjlFJV8RBRCmRiYjsEpiQlWDiWz38oek/sRC79mh0BmY0b83IUZUpX6Tbtv8beXLXL7xk6k68scDc8ou
=j7+z

-----END PGP PUBLIC KEY BLOCK-----

91��Ƭ��