91¹ú²ú

• Registered with both and as a PCI-compliant Service Provider.
• Regularly audited by a Qualified Security Assessor (Coalfire, Inc.)
• Passes internal and external application and network penetration testing performed by independent security firms.
• Scanned monthly by an Approved Scanning Vendor (ASV).
• PCI Attestation of Compliance (AOC) is available for download.
• 91¹ú²ú employs a cross-functional team responsible for oversight of PCI Compliance.

• 91¹ú²ú Systems and Organization Controls (SOC) Reports are independent third-party examination reports that demonstrate how 91¹ú²ú achieves key compliance controls and objectives.
• 91¹ú²ú SOC 3 Security, Availability & Confidentiality Report, available for Download.

• We do not sell the personal information of our customers to third parties.
• We have a full time legal and security team focused on privacy and security issues.
• We participate in and comply with the EU-U.S. Privacy Shield Framework. You can find out more about our commitment to the EU-U.S. Privacy Shield Framework in our EU-US Privacy Shield Notice.
• You can find our privacy policy at: eventbrite.com/privacypolicy.

• PCI-DSS Level 1 Service Provider
• ISO 27001 certified
• Independently verified and audited
• SAS-70 Type II and SSAE16
• site

• All applications are regularly scanned for common security vulnerabilities including the .
• Regular training on Secure Coding Practices is provided. All engineers must attend training sessions.
• No credit card information is permitted to be stored on any mobile device.
• Use of encryption for both storage and transmission of sensitive information is regularly audited by the 91¹ú²ú Security Team.
• All web and mobile applications are primarily developed, tested, deployed, and maintained by a full-time, in-house engineering team.

• All credit card information is encrypted with strong industry-standard cryptographic protocols such as AES and TLS while in transit through our systems.
• 91¹ú²ú's website and APIs are accessible via a 256-bit SSL certificate issued by Digicert.
• Credit card information is never stored after transaction authorization.
• Access to encryption keys is held by the smallest number of 91¹ú²ú employees possible.

• All employees are subject to reference, education, and other personnel checks. Certain employees are also subject to detailed background checks.
• 91¹ú²ú maintains an information security training program that meets PCI-DSS standards and complies with the Massachusetts Privacy Law (201 CMR 17).
• Knowledgeable full-time security personnel are on staff.
• Require written acknowledgement by employees of their roles and responsibilities with respect to protecting user data and privacy.

• In the event of a breach of an 91¹ú²ú information system, we have a detailed Incident Response plan in place.
• Periodic testing of the response plan.
• 91¹ú²ú has 24x7 monitoring of its security systems and alerts.

• Do not attempt to harm 91¹ú²ú, its users, or customer's data.

Reach out to security@eventbrite.com to request a responsible disclosure form