Security
We take security seriously — not as a checkbox, but as a core part of the product. Here’s how we protect your organization’s data.
How we protect your data
HTTPS everywhere
All traffic is encrypted with TLS 1.2+. HTTP requests are automatically upgraded to HTTPS. HSTS is enforced.
HMAC-signed tickets
QR codes on tickets use time-windowed HMAC-SHA256 signatures. Codes rotate every 30 seconds, making screenshots useless at the door.
CSRF protection
All authenticated mutations require CSRF tokens. We use the __Host- cookie prefix to prevent subdomain attacks.
Isolated tenants
Each organization's data is scoped by orgId at the database query level. There is no way for one org's data to appear in another's context.
No advertising trackers
We don't use Google Analytics, Facebook Pixel, or any third-party advertising scripts. Zero cross-site tracking.
Dependency updates
We monitor our dependency tree for security vulnerabilities and apply patches promptly.
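The time-windowed signing described under "HMAC-signed tickets" can be sketched as follows. This is an added example, not SignUpSpree's code: the message layout, the function names, the demo key and the one-window skew allowance are all assumptions.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 30  # rotation period stated on the page


def _window_mac(key: bytes, ticket_id: str, window: int) -> bytes:
    # Assumed layout: length-prefixed ticket id followed by the window
    # counter, so distinct (id, window) pairs never encode to the same bytes.
    tid = ticket_id.encode("utf-8")
    msg = struct.pack(">I", len(tid)) + tid + struct.pack(">Q", window)
    return hmac.new(key, msg, hashlib.sha256).digest()


def ticket_code(key: bytes, ticket_id: str, now: float) -> str:
    """Hex code a ticket would display during the window containing `now`."""
    return _window_mac(key, ticket_id, int(now // WINDOW_SECONDS)).hex()


def verify_ticket(key: bytes, ticket_id: str, code: str, now: float,
                  skew_windows: int = 1) -> bool:
    """Accept the current window plus `skew_windows` earlier ones (an assumed
    allowance for clock drift between the phone and the scanner)."""
    try:
        presented = bytes.fromhex(code)
    except ValueError:
        return False  # scanned payload is not hex
    current = int(now // WINDOW_SECONDS)
    valid = False
    for window in range(max(0, current - skew_windows), current + 1):
        expected = _window_mac(key, ticket_id, window)
        # Constant-time compare with no early exit across windows.
        valid |= hmac.compare_digest(expected, presented)
    return valid


if __name__ == "__main__":
    key = b"constructed-demo-key"        # constructed value, not a real secret
    t0 = 1_700_000_010                   # constructed timestamp at a window start
    code = ticket_code(key, "T-1001", t0)
    print(verify_ticket(key, "T-1001", code, t0 + 29))  # same window
    print(verify_ticket(key, "T-1001", code, t0 + 60))  # two windows later
```

The skew allowance sets how long a captured code stays acceptable after its own window ends, so it should be kept as small as scanner clock accuracy permits.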
Responsible disclosure
If you discover a security vulnerability in SignUpSpree, please report it to us responsibly before public disclosure. We will acknowledge your report within 48 hours and work to address it promptly.
Report security issues to: security@signupspree.com
Please include as much detail as possible: steps to reproduce, affected URLs, and the potential impact. We do not have a formal bug bounty program at this time, but we will credit researchers in our changelog with their permission.
Infrastructure
SignUpSpree runs on dedicated server infrastructure. Application and database servers are isolated from each other. All data is stored in the United States. Database backups are encrypted and retained for 7 days.
For questions about our security posture, compliance requirements, or data processing, contact security@signupspree.com.