Information Security Policy

Updated: 2024-02-13

Ongoing confidentiality, integrity, availability, and resilience of processing systems and services

We use multiple external monitoring systems to ensure that our systems are behaving as expected at all times. We also use automatic restarts and automatic scaling of server resources to handle traffic spikes. We use source version control systems and code reviews to maintain the integrity of the source code.

Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

The database is continuously backed up. The backups are stored encrypted at a different location from the main database and can be restored in a short time frame.

Processes for regularly testing, assessing, and evaluating the effectiveness of operational measures to ensure the security of the processing

We use industry-standard third-party tools to monitor any dependencies in the source code and automated testing to ensure that the systems behave as expected. The systems are reviewed based on the OWASP standard.

User identification and authorization

Users are identified using email and password. Confetti has a role-based authorization system to ensure that a user only has access to authorized data. The users can be managed and disabled by an admin in Confetti. Confetti offers two-factor authentication (2FA) in certain plans using OTP with SMS or an authenticator app.

Protection of data during transmission

Confetti requires HTTPS/TLS 1.2 from the end-user to ensure that the data is encrypted during transmission.

Protection of data during storage

The database containing personal data and the backups thereof are stored encrypted.

Physical security of locations at which personal data are processed

We use trusted hosting providers with very high security standards.

Event logging

We use access logging in all web systems. The logs are stored separately from the systems themselves.

System configuration

All source code is version-controlled using Git, including the default configuration. Sensitive configuration keys are stored separately and encrypted in a key management system.

Assurance of processes

We document critical internal processes, code reviews, and automated testing. The activities are logged in order to ensure traceability and accountability.

Data minimization

The attendee data collected is configurable in Confetti.

Data quality

We use a replicated relational database management system together with validations of all external data input, including end-user input, to ensure data quality.

Limited data retention

The data retention is configurable in Confetti, so personal data is not stored longer than needed after an event.

Traceability

User interactions with Confetti are logged so that all requests and subsequent events can be traced to the user requesting them.

Data portability and ensuring erasure

An attendee of an event can request the data saved in Confetti by the data controller. The attendee can also request that the data be deleted. Confetti will then erase all personal data the data controller has saved regarding the user and notify the data controller so that the data controller can take further measures to ensure complete data erasure in their organization. Personal data may still be stored based on legitimate interest, for example, related to payments.

Access and identity management

We use encrypted key management systems with access control to ensure that access can always be granted according to the principle of least privilege. We have role-based authorization systems to ensure that those in the organization who need access to the source code and production systems have only the minimal access required.

Encryption standards

In this document, encrypted refers to data encrypted using secure encryption algorithms and proper key management as described by NIST SP 800-57. This ensures that encrypted data is secure and protected against unauthorized access.

Role-based access controls

All access to our systems is authorized using role-based access control according to the principle of least privilege. Roles can be assigned and revoked so that a user’s access is always aligned with the minimal required access.

Technical and practical solutions to investigate suspicions regarding unauthorized processing of or access to personal data

We use access logging to see which requests to Confetti have been made by which user. All actions taken by users are made traceable by using centralized and searchable logs, which enables Confetti to investigate suspicious behavior and take action in order to protect the system and customer data.

Process for notifying the controller

In the event of unauthorized processing, unauthorized access, or unauthorized disclosure, destruction, or alteration of personal data, the controller will be notified by email sent to the admins and owner of the organization/workspace in Confetti.