Security
Our approach to protecting your data and infrastructure
Effective: 2026-03-18
Version 1.0
1. Our Commitment
At Accelory, security is foundational — not an afterthought. We understand that our customers trust us with sensitive event data, guest personal information, and business-critical operations. This document outlines the measures we take to protect that trust.
2. Infrastructure Security
2.1 Hosting and Architecture
- Our Services are hosted on enterprise-grade cloud infrastructure with SOC 2 and ISO 27001 certified providers.
- Production systems run in isolated virtual private clouds (VPCs) with strict network segmentation.
- All infrastructure is provisioned and managed through infrastructure-as-code with full audit trails.
2.2 Network Security
- All external traffic is routed through DDoS-protected load balancers.
- Web Application Firewall (WAF) rules protect against OWASP Top 10 threats.
- Internal service-to-service communication uses mutual TLS.
- Network access follows the principle of least privilege.
2.3 Availability
- Multi-region deployment with automated failover.
- Target uptime of 99.9% for paid plans.
- Real-time monitoring and automated alerting for anomalies.
- Disaster recovery plan with tested backup restoration procedures.
3. Data Security
3.1 Encryption
| Context | Standard |
|---|---|
| Data in transit | TLS 1.3 (minimum TLS 1.2) |
| Data at rest | AES-256 encryption |
| Database backups | Encrypted with separate key management |
| API keys and secrets | Encrypted with hardware security modules (HSMs) |
3.2 Data Isolation
- Each customer's data is logically isolated at the application and database level.
- Enterprise customers may request dedicated database instances.
- Strict row-level security policies prevent cross-tenant data access.
3.3 Backup and Recovery
- Automated daily backups with 30-day retention.
- Point-in-time recovery capability within the retention window.
- Backups are encrypted and stored in a separate geographic region.
- Recovery procedures are tested quarterly.
4. Application Security
4.1 Secure Development
- Security reviews are part of every code change through mandatory pull request reviews.
- Static application security testing (SAST) runs on every build.
- Dependency scanning for known vulnerabilities with automated alerts.
- Regular developer security training.
4.2 Authentication and Access
- Passwords are hashed using bcrypt with appropriate cost factors.
- Multi-factor authentication (MFA) available for all accounts.
- OAuth 2.0 and OpenID Connect support for SSO.
- Enterprise SSO via SAML 2.0 available on Enterprise plans.
- Session tokens expire after configurable inactivity periods.
4.3 API Security
- API authentication via bearer tokens with granular scoping.
- Rate limiting and request throttling to prevent abuse.
- Request and response validation against strict schemas.
- Comprehensive API audit logging.
5. Organisational Security
5.1 Access Controls
- Principle of least privilege for all internal systems.
- Role-based access control (RBAC) with regular access reviews.
- Production environment access restricted to authorised personnel only.
- All administrative actions are logged and auditable.
5.2 Employee Security
- Background checks for employees with access to customer data.
- Security awareness training during onboarding and annually thereafter.
- Confidentiality and data protection agreements for all team members.
- Secure offboarding procedures including immediate access revocation.
6. Incident Response
6.1 Process
We maintain a documented incident response plan that includes:
- Detection — Automated monitoring and alerting systems.
- Triage — Severity classification and team mobilisation.
- Containment — Immediate actions to limit impact.
- Investigation — Root cause analysis and evidence preservation.
- Recovery — Service restoration and verification.
- Communication — Timely notification to affected customers.
- Post-mortem — Lessons learned and preventive measures.
6.2 Notification
In the event of a data breach affecting your personal data, we will notify you and relevant supervisory authorities within 72 hours as required by applicable data protection law.
7. Compliance
| Framework | Status |
|---|---|
| GDPR | Compliant |
| UK Data Protection Act 2018 | Compliant |
| SOC 2 Type II | In progress |
| ISO 27001 | Planned |
8. Vulnerability Disclosure
We welcome responsible security research. If you discover a vulnerability in our Services:
- Email: security@accelory.net
- Please include steps to reproduce, potential impact, and any supporting evidence.
- Do not access, modify, or delete data belonging to other users.
- Allow reasonable time for us to investigate and remediate before public disclosure.
We do not pursue legal action against researchers who follow responsible disclosure practices.
9. Contact
For security-related inquiries:
- Security Team: security@accelory.net
- Data Protection Officer: dpo@accelory.net
- Emergency: For urgent security incidents, include "URGENT" in the subject line.
Version History
1 version available