Compliance

Security & Compliance

How we protect payments, customer data, and the platform itself.

Certifications

Standard
Status
Auditor
SOC 2 Type II
In progress (target Q4 2026)
Vanta
PCI-DSS Level 1
Inherited via Stripe
Stripe (assessed quarterly)
GDPR (EU)
Aligned · self-assessed
In-house
CCPA / CPRA (California)
Aligned · self-assessed
In-house
PIPEDA (Canada)
Aligned · self-assessed
In-house

Payment Security

We never see your card numbers. Every payment is tokenized by Stripe before our servers see anything. We're PCI-DSS SAQ A — the lowest possible scope, because we never touch sensitive card data.

Encryption

All data in transit uses TLS 1.2+ (HTTPS everywhere). Data at rest is encrypted (AES-256) by our managed Postgres host (Supabase, on AWS infrastructure). Automated off-site database backups are on our pre-launch checklist.

Authentication

Buyer accounts use magic links (no passwords). Operator accounts (venue admins, artists, BandPass staff) use:

  • Email + password sign-in via Supabase Auth (8+ character minimum)
  • Server-managed sessions with token rotation
  • On the roadmap: two-factor auth, breached-password detection, and per-account IP allowlisting

Privacy

What we collect:

  • Account info (name, email)
  • Purchase history
  • Coarse device classification (mobile vs. desktop) — never fingerprinting
  • Anonymous analytics (page views, scroll depth) via rotating session IDs

What we don't collect:

  • No third-party trackers (no Facebook Pixel, no Google Analytics)
  • No fingerprinting (Canvas, WebGL, audio context)
  • No cross-site tracking cookies
  • No data sold to data brokers — ever

Data Ownership

Fans can download a complete export of their data at /my/data. Deletion requests are honored within 30 days. We never sell a fan's personal record, and fans control what they share at any time.

Responsible Disclosure

Found a vulnerability? Email security@thebandpass.com with details. Reports go straight to the team that owns the code, and critical issues are prioritized ahead of all other work.