PCI Compliance
AppointmentThing.com is provided by AddEvent, Inc. AddEvent uses Stripe as a vendor to handle credit card transactions securely over SSL. Stripe is certified as a PCI Level 1 Service Provider. AddEvent completes Self-Assessment Questionnaires, using the tools provided by Stripe, to make sure we remain PCI-compliant. AddEvent employs a team responsible for oversight of PCI compliance.
Privacy
AddEvent maintains a comprehensive privacy program.
- We do not sell personal information of our customers to third parties.
- We employ a team that handles legal and security concerns, with a focus on privacy and security issues.
- You can find our privacy policy at appointmentthing.com/privacy.
Hosting Environment
Amazon EC2 hosts AddEvent's production systems. The production servers for AppointmentThing.com are located in Ireland. Amazon's hosting environment is:
- PCI-DSS Level 1 Service Provider
- ISO 27001 certified
- Independently verified and audited
- SAS-70 Type II and SSAE16
- Documented on the Amazon AWS PCI Compliance site
Web and Mobile Application Development
AddEvent is committed to designing, building, and maintaining secure systems.
- All applications are regularly scanned for common security vulnerabilities.
- Regular training on Secure Coding Practices is provided. All engineers attend training sessions.
- No credit card information is stored on any of our servers. The data is hosted solely by our credit card processor Stripe.
- Use of encryption for transmission of sensitive information is audited by our security team.
- All applications are primarily developed, tested, deployed, and maintained by a full-time, in-house engineering team.
Encryption
AddEvent uses strong encryption methods and key management procedures to ensure your sensitive information is protected.
- All credit card information is encrypted with strong, industry-standard cryptographic algorithms and protocols such as AES and TLS while in transit through our systems.
- AddEvent's website and APIs are accessible via a 256-bit SSL certificate issued by Amazon.
- Credit card information is never stored after transaction authorization.
- Access to encryption keys is held by the smallest number of AddEvent employees possible.
Our Organization
- All employees are subject to reference, education, and other personal checks. Certain employees are also subject to detailed background checks.
- AddEvent maintains an information security training program that ensures our employees comply with our Privacy Policy.
- Knowledgeable full-time security personnel are on staff.
- We require written acknowledgement from employees of their roles and responsibilities with respect to protecting user data and privacy.
Incident Response
We record and store a very limited number of PII records. While we don't anticipate there ever being a breach of our systems, we know that no system is perfectly secure.
- In the event of a breach in our systems, we have a detailed Incident Response plan in place. In case of any breach, we aim to send out a report to our users within a week.
Research and Disclosure
If you discover a vulnerability in any of AddEvent’s systems, please report it to us first.
- Do not attempt to harm AddEvent, its users, or customers' data.
- Allow reasonable time for AddEvent to resolve the issue before publishing findings publicly.
- Report details to security@appointmentthing.com.
- Include full details and steps to reproduce.
- We love hearing from anyone who reports <3. Thank you!