An honest summary of how Confanum approaches security, privacy, and compliance. We're a young company — we're not going to claim certifications we don't yet hold, and we will tell you which controls are in place today and which are on the roadmap.
TLS 1.2+ on every connection. AES-256 encryption at rest for stored data. Payment processor credentials encrypted with AES-256-CBC; cardholder data never touches our servers — Stripe, Square, and PayPal handle PAN directly.
Every event is scoped to its company. Server-side ownership verification on event-scoped routes. IDOR protection on all cross-tenant references. Per-route permission enforcement on 90+ route mounts.
Every money-touching action — ticket purchase, refund, transfer, comp — is recorded with actor, timestamp, and full context. Recursive secret redaction on every captured request. SOX-ready audit trail.
Eight role presets, eleven permission keys, server-enforced on every route. Privilege escalation prevention — admins can only grant permissions they themselves hold. Default for moderators without a preset is fail-closed.
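The grant rule above (an actor may only hand out permissions it holds, and a moderator with no preset resolves to no permissions) as an added example; this is not Confanum's code, and the permission key names and presets are assumed placeholders, since the page gives counts, not names.

```javascript
// Added example, not Confanum's code. Permission keys and presets below are
// assumed placeholders; the page only states there are eleven keys and eight presets.
const PERMISSION_KEYS = Object.freeze([
  'events.read', 'events.write', 'tickets.sell', 'tickets.refund',
  'tickets.transfer', 'tickets.comp', 'members.manage', 'roles.grant',
]);

// Assumed role presets: each maps to the subset of keys it carries.
const ROLE_PRESETS = Object.freeze({
  owner: new Set(PERMISSION_KEYS),
  finance: new Set(['events.read', 'tickets.sell', 'tickets.refund']),
  door_staff: new Set(['events.read', 'tickets.sell']),
});

// Resolve the effective permission set for a user record.
// A moderator without a recognised preset gets NO permissions (fail-closed)
// rather than falling through to some default role.
function effectivePermissions(user) {
  const preset = ROLE_PRESETS[user.preset];
  if (!preset) return new Set();
  // Explicit per-user overrides may only narrow the preset, never widen it.
  if (Array.isArray(user.revoked)) {
    return new Set([...preset].filter((k) => !user.revoked.includes(k)));
  }
  return new Set(preset);
}

// Server-side check for a grant request: the actor must hold 'roles.grant'
// AND every requested key. Unknown keys are rejected too, so a typo cannot
// slip an undefined permission into a stored role.
function checkGrant(actor, requestedKeys) {
  const held = effectivePermissions(actor);
  if (!held.has('roles.grant')) {
    return { ok: false, reason: 'actor cannot grant roles' };
  }
  const missing = requestedKeys.filter(
    (k) => !PERMISSION_KEYS.includes(k) || !held.has(k),
  );
  if (missing.length > 0) {
    return { ok: false, reason: `actor does not hold: ${missing.join(', ')}` };
  }
  return { ok: true, reason: null };
}
```

The check runs on the server against the actor's resolved permissions, never against a role name sent by the client.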
GDPR + CCPA + CPRA: consent tracking, 30-day data access response window, right to deletion, data portability, in-app "Do Not Sell" opt-out, user-initiated account deletion from mobile.
Three-tier age gate (under 13 / 13–17 / 18+) blocks data collection from minors before it starts. Children's data is not used for advertising, profiling, or data sharing.
AWS multi-AZ deployment with managed databases (RDS), managed cache (ElastiCache), automated daily backups, point-in-time recovery, and active monitoring via New Relic + AWS CloudWatch. Data residency: United States.
CSRF tokens on every mutating route. Parameterized SQL — no string-built queries. DOMPurify XSS protection. Content Security Policy headers. WebSocket rate limiting. Bcrypt password hashing.
We are honest about what's not in place yet. These are the controls and certifications we are working toward, in approximate sequence:
Multi-factor authentication required on every admin login, no exceptions. TOTP and WebAuthn supported.
Automated daily reconciliation against Stripe, Square, and PayPal records — drift surfaces in alerts.
Engagement with a SOC 2 readiness platform (Drata or Vanta). Sub-processor register and DPAs on file. Quarterly DR drill cadence established.
Type II audit observation period; targeted Type II report by end of Q1 2027.
Roadmap dates are forward-looking and subject to change based on engineering capacity and customer requirements. We will update this page as milestones land.
Not yet. SOC 2 Type I targeted for Q3 2026, Type II for Q1 2027. We are happy to share our security questionnaire responses and walk through controls in detail.
"Compliance" is a legal opinion that depends on your specific use case. Confanum has the controls in place to support GDPR and CCPA obligations: consent tracking, 30-day data access response window, right to deletion, data portability, "Do Not Sell" opt-out. We are happy to provide a Data Processing Addendum for customers who need one.
United States, on Amazon Web Services. RDS for primary data, ElastiCache for performance caching, S3 for media assets and backups, CloudFront for content delivery.
Stripe, Square, and PayPal. You connect your own merchant account — funds go directly to your bank. Confanum never holds your money. Cardholder data never touches our servers; we store tokenized references only.
We don't publish a default SLA. Enterprise customers can negotiate a written SLA as part of their contract. Our infrastructure is multi-AZ on AWS with automated failover and active monitoring.
Email security@confanum.com. We respond to every report and disclose remediation transparently to affected customers.
We respond to every security questionnaire in writing within five business days. No NDA needed for orientation; we'll execute one for any data-room contents.