Data & Security Overview Last modified: 8/11/2021 firstname.lastname@example.org
What personal or sensitive information does Everyspace collect, store, or use?
To balance the right user experience with the respect of personal privacy, Everyspace only collects the minimum amount of information required to keep the service operational. For our services, we need the following data to provide a great event experience for users.
Data collected includes:
Data collected by 3rd party vendors (unless opted out):
What 3rd party vendors are used?
|Name||Usage||Data collected||Opt-out available|
|Google Analytics||Anonymized page analytics||IP addresses|
|Helpscout||Customer support portal||IP addresses|
How do we handle data protection and privacy?
We apply industry best practices to protect against the OWASP 10. Direct access to our production database is limited to need-to-have employees.
Is data ever provided to 3rd parties?
Other than the services mentioned above, we never share data with 3rd parties.
Is Everyspace GDPR compliant?
While we don’t currently operate in the EU, we follow the spirit of data portability, privacy, and the right to be forgotten that is outlined in GDPR. We plan to be fully in compliance by Q4 2021.
Can we request permanent data deletion?
Yes. At the request of an authorized party, we support full deletion of all company data from our systems. We keep an anonymized log of deletion requests so we can delete from backups in the very rare event of a data restore.
Are Everyspace employees subject to NDAs?
Yes. All employees and contractors sign a confidentiality and invention assignment agreement as a condition of their employment. A copy of this agreement can be provided upon request.
Where are data and services hosted?
Everyspace is hosted on Google Cloud Platform (GCP). All authentication mechanisms are hosted securely via their Identity Platform.
What is the physical security of data centers?
GCP is an industry leader in server security, which you can read about in their Privacy and Security Overview.
How is data secured in transit?
Data is always secured and encrypted in transit via HTTPS and TLS encryption.
How is data secured at rest?
Data is encrypted at rest under the 256-bit Advanced Encryption Standard, and each encryption key is itself encrypted with a regularly rotated set of master keys.
How are secrets managed?
All secrets are encrypted through Google Cloud Key Management system. Secrets are injected into applications using SOPS, meaning keys are never exposed in plaintext. Most secrets are automatically rotated every 6 months.
What development practices are used?
We apply industry best practices to protect against the OWASP 10, and we review these practices quarterly. Direct access to our production database is limited to need-to-have employees.
SOC2 attestation of compliance
We are working with a certified outside auditor to achieve SOC2 compliance, and expect to achieve this in Q4 2021.
How are incidents handled?
In the event of a data loss, we have a comprehensive Data Recovery Process that the engineering team will follow. In the event of a data breach, we will immediately notify any affected clients and provide details of any exposed information.
Is there a data backup policy?
Yes. Our primary database is replicated to a hot standby and a nightly snapshot is taken.
What logs are stored?
We store logs of API requests and errors in our console. These are stored for 30 days, and they do not include any personally identifying information or private keys. These logs can be provided upon request.
How can we get further information?
You can reach out to our security team by contacting email@example.com.