Security
Last updated: May 2026
Infrastructure
EventEdIQ runs on managed infrastructure from providers with established security programs.
- Application hosting: Vercel (SOC 2 Type 2 compliant)
- Database: Supabase (PostgreSQL on AWS US-East, SOC 2 Type 2 compliant)
- Encryption in transit: TLS 1.2+ on all connections
- Encryption at rest: AES-256 (Supabase managed)
Authentication
- Invite-only access: No public self-registration. Accounts created via admin invitation only.
- Password hashing: bcrypt with industry-standard cost factor
- Session tokens: JWT with 1-hour expiry and automatic refresh
- Password reset: Time-limited, single-use email verification links
- Multi-factor authentication: TOTP-based MFA (authenticator apps) available upon request
Data Isolation
Each organization's data is isolated at the database level using PostgreSQL Row Level Security (RLS) policies. Users can only query, insert, update, or delete data belonging to their own organization.
This isolation is enforced by the database engine itself, not application code. Even if an application-level bug allowed a query without proper filtering, the database would reject access to another organization's data.
Input Validation and API Security
- Schema validation: All API endpoints that accept input validate it with Zod schemas before processing
- Authentication required: Every API endpoint checks authentication before executing
- Security headers: Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy on all responses
- Rate limiting: Sliding window rate limiting via Upstash Redis on sensitive endpoints (scheduling, scoring)
Monitoring
- Error tracking: Sentry captures and alerts on application errors in real time
- Uptime monitoring: External monitoring with alerting on downtime
- Health endpoint: Automated checks verify database connectivity, authentication services, and rate limiting status
- Activity logging: Key user actions (schedule saves, configuration changes) are logged with user identity for operational integrity
Automated Testing and CI
Every code change runs through an automated pipeline before deployment:
- Unit and integration tests: 1,400+ tests covering business logic, database queries, and API contracts
- End-to-end tests: 160+ Playwright tests exercising full user workflows in a real browser
- Dependency scanning:
npm auditruns on every build, blocking deployment on critical vulnerabilities - Static analysis: ESLint and TypeScript strict mode catch common errors before runtime
- Pre-push gate: Full CI suite runs locally before code can be pushed to the repository
Backups and Recovery
- Daily automated backups with point-in-time recovery (Supabase Pro)
- Application code version-controlled in Git with instant rollback via Vercel
Incident Response
In the event of a security incident affecting client data:
- Detect via Sentry alerts, uptime monitoring, or health endpoint checks
- Assess scope and determine what data and which clients are affected
- Contain the issue (revoke compromised credentials, patch vulnerability, isolate affected systems)
- Notify affected clients by email within 72 hours of becoming aware, consistent with GDPR requirements
- Remediate and report root cause and preventive measures to affected clients
What We Don't Have
For transparency:
- SOC 2 certification (we rely on Vercel's and Supabase's SOC 2 compliance for infrastructure)
- Penetration testing
- Bug bounty program
- Per-request audit trail
- On-premises deployment option
- SSO/SAML integration (email/password with optional MFA)
Third-Party Services
| Service | Purpose | Compliance |
|---|---|---|
| Vercel | Application hosting | SOC 2 Type 2 |
| Supabase | Database and authentication | SOC 2 Type 2 |
| OpenAI | AI scoring (ContentIQ only) | SOC 2 Type 2. API data not used for training. |
| Upstash | Rate limiting | SOC 2 |
| Sentry | Error tracking | SOC 2 |
| Resend | Transactional email (via Supabase) | SOC 2 |
We do not sell or share client data with third parties. AI processing (OpenAI) is used only for ContentIQ scoring. OperationsIQ scheduling runs entirely on our infrastructure with no external data sharing.
Questions
For security questions, contact us at josh@eventediq.com.
For data handling practices, retention policies, and your rights, see our Privacy Policy.