▸ Compliance
Security & Compliance
How we protect payments, customer data, and the platform itself.
Certifications
Payment Security
We never see your card numbers. Every payment is tokenized by Stripe before our servers see anything. We're PCI-DSS SAQ A — the lowest possible scope, because we never touch sensitive card data.
Encryption
All data in transit uses TLS 1.2+ (HTTPS everywhere). Data at rest is encrypted (AES-256) by our managed Postgres host (Supabase, on AWS infrastructure). Automated off-site database backups are on our pre-launch checklist.
Authentication
Buyer accounts use magic links (no passwords). Operator accounts (venue admins, artists, BandPass staff) use:
- Email + password sign-in via Supabase Auth (8+ character minimum)
- Server-managed sessions with token rotation
- On the roadmap: two-factor auth, breached-password detection, and per-account IP allowlisting
Privacy
What we collect:
- Account info (name, email)
- Purchase history
- Coarse device classification (mobile vs. desktop) — never fingerprinting
- Anonymous analytics (page views, scroll depth) via rotating session IDs
What we don't collect:
- No third-party trackers (no Facebook Pixel, no Google Analytics)
- No fingerprinting (Canvas, WebGL, audio context)
- No cross-site tracking cookies
- No data sold to data brokers — ever
Data Ownership
Responsible Disclosure
Found a vulnerability? Email security@thebandpass.com with details. Reports go straight to the team that owns the code, and critical issues are prioritized ahead of all other work.