Security

Last updated: March 2026

  • PCI DSS Level 1: via Stripe
  • GDPR Compliant: EU data residency
  • EU Data Hosting: Frankfurt region
  • SOC 2 Infrastructure: Hosted on Vercel

Your data is yours

We never sell, share, or monetise your data. You can export or delete everything at any time. When you delete your account, your data is erased within 30 days.

AI providers don't train on your data

Our AI providers (Google Gemini, OpenAI, Anthropic) process data under strict Data Processing Agreements. None of them use your data to train their models.

Infrastructure

The Eventually platform is hosted on Vercel, which holds SOC 2 Type II certification — independently verified controls for security, availability, and confidentiality. Our database runs on Supabase in the EU (Frankfurt) region, ensuring that data remains within the European Economic Area in compliance with GDPR data residency requirements. We do not operate our own servers; all underlying infrastructure is managed by certified cloud providers.

Data encryption

We apply encryption at every layer:

  • In transit — all communication between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and use HSTS to prevent downgrade attacks.
  • At rest — all data stored in our database is encrypted using AES-256. Backups are also encrypted and stored in the EU region.

Payments

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor — the highest level of certification available in the payments industry. Eventually never stores, transmits, or has access to your raw card numbers. Payment data flows directly between your browser and Stripe's secure systems. For more details, see Stripe's security documentation.

Access control

We apply strict access controls throughout the organisation and platform:

  • Role-based access control (RBAC) — users are assigned roles (organizer, attendee, admin) with the minimum permissions required for their function.
  • Principle of least privilege — internal team access to production systems is limited to engineers who require it for their role, and is reviewed regularly.
  • Multi-factor authentication — MFA is enforced for all internal access to production infrastructure.
  • Audit logging — privileged actions are logged and monitored for anomalous activity.

Vulnerability disclosure

We take security reports seriously. If you discover a potential vulnerability or security issue in the Eventually platform, please report it responsibly to us before disclosing it publicly. Email your findings to hello@eventually.one with the subject line "Security Disclosure." We will acknowledge your report within 2 business days and aim to resolve confirmed vulnerabilities within 90 days. We will not take legal action against researchers who disclose in good faith.

Uptime

We target 99.9% uptime for the Eventually platform. Scheduled maintenance is performed during low-traffic windows and communicated in advance where possible. In the event of an incident, we will post updates promptly. For questions about platform reliability or to report an outage, contact hello@eventually.one.