Security

PCI Compliance

AppointmentThing.com is provided by AddEvent, Inc. AddEvent uses Stripe as a vendor to handle credit card transactions securely using SSL. Stripe complies with the classification PCI Level 1 Service Provider. AddEvent completes Self Assessment Questionnaires in order to make sure we’re PCI-compliant in accordance with the tools provided by Stripe. AddEvent employs a team responsible for oversight of PCI Compliance.

Privacy

AddEvent maintains a comprehensive privacy program. 

  • We do not sell personal information of our customers to third parties.
  • We employ a team handling legal and security concerns focusing on privacy and security issues.
  • You can find our privacy policy at appointmentthing.com/privacy

Hosting Environment

Amazon EC2 hosts AddEvent's production systems. The production servers for AppointmentThing.com are located in Ireland.

  • PCI-DSS Level 1 Service Provider
  • ISO 27001 certified
  • Independently verified and audited
  • SAS-70 Type II and SSAE16
  • Amazon AWS PCI Compliance site

Web and Mobile Application Development

AddEvent is committed to designing, building, and maintaining secure systems.

  • All applications are regularly scanned for common security vulnerabilities.
  • Regular training on Secure Coding Practices is provided. All engineers attend training sessions.
  • No credit card information is stored on any of our servers. The data is hosted solely by our credit card processor Stripe.
  • Use of encryption for transmission of sensitive information is audited by our security team.
  • All applications are primarily developed, tested, deployed, and maintained by a full-time, in-house engineering team.

Encryption

AddEvent uses strong encryption methods and key management procedures to ensure your sensitive information is protected.

  • All credit card information is encrypted with strong industry-standard cryptographic algorithms and protocols such as AES and TLS while in transit through our systems.
  • AddEvent's website and APIs are accessible via a 256-bit SSL certificate issued by Amazon.
  • Credit card information is never stored after transaction authorization.
  • Access to encryption keys is held by the smallest number of AddEvent employees possible.

Our Organization

  • All employees are subject to reference, education, and other personal checks. Certain employees are also subject to detailed background checks.
  • AddEvent maintains an information security training program that ensures our employees comply with our Privacy Policy.
  • Knowledgeable full-time security personnel are on staff.
  • We require written acknowledgement by employees of their roles and responsibilities with respect to protecting user data and privacy.

Incident Response

We record and store a very limited number of PII records. While we don't anticipate there ever being a breach of our systems, we know that no system is perfectly secure.

  • In the event of a breach in our systems, we have a detailed Incident Response plan in place. In case of any breach, we aim to send out a report to our users within a week.

Research and Disclosure

If you discover a vulnerability in any of AddEvent’s systems, please report it to us first.

  • Do not attempt to harm AddEvent, its users, or customers' data.
  • Allow reasonable time for AddEvent to resolve the issue before publishing findings publicly.
  • Report details to security@appointmentthing.com.
  • Include full details and steps to reproduce.
  • We love anyone who reports <3. Thank you!