Gatheris.

Trust

Security & Data Protection

Last updated: July 2026

Evaluating Gatheris for your organisation?

Gatheris handles guest lists on behalf of companies — names, email addresses, and RSVP responses of your employees, partners, and stakeholders. This page describes the concrete technical and organisational measures protecting that data, so your legal or IT team can review us without a meeting. Questions or documentation requests: hello@gatherisus.com.

1. Account Security

  • Password storage — passwords are stored only as one-way bcrypt hashes, never in plain text.
  • Two-factor authentication — authenticator-app (TOTP) 2FA is available on every account, with single-use recovery codes. Enabling or disabling 2FA requires re-authentication.
  • Session policy — sessions expire after 60 minutes of inactivity, enforced server-side. Each account has a single active session: a new sign-in supersedes the previous one.
  • Sign-in protection — login and 2FA endpoints are rate-limited (5 attempts per 15 minutes) to block credential-stuffing.

2. Application & Infrastructure Security

  • Encryption in transit — all traffic is served over HTTPS with HTTP Strict Transport Security (2-year max-age, preload).
  • Hardened headers — a strict, per-request nonce-based Content-Security-Policy, X-Frame-Options: DENY, and locked-down permissions headers on every response.
  • Upload validation — uploaded files are verified by content signature (magic bytes) before they touch storage, not just by file extension.
  • Access control — role-based permissions with organisation-scoped data isolation: every API route verifies the caller's organisation, so one client can never read another's events or guests.
  • Database defence in depth — Row-Level Security is enabled on every table in our PostgreSQL database.
  • Audit trail — administrative and data-sensitive actions are recorded in an append-only audit log.

3. Data Protection & GDPR

Your organisation remains the data controller for its guests; Gatheris processes guest data only on your behalf and on your instructions. Full details are in our Privacy Policy.

  • EU data residency — guest data lives in an EU-hosted PostgreSQL database.
  • Right to portability (Art. 20) — account holders can export their data as machine-readable JSON, self-service.
  • Right to erasure (Art. 17) — data-subject erasure runs as a single atomic operation across all tables and leaves an audit record.
  • Consent logging — consent events are recorded in an append-only ledger at signup.
  • Retention limits — an automated purge removes personal data that has exceeded its retention period.
  • Unsubscribe & suppression — every commercial email carries a one-click unsubscribe (RFC 8058). Unsubscribes, hard bounces, and spam complaints automatically suppress the address and cancel any queued email to it.

4. Payments

  • Stripe-hosted checkout — card details are entered on Stripe's PCI-DSS-certified pages and never touch Gatheris servers. We store no card numbers, expiry dates, or CVC codes.
  • Webhook integrity — payment events from Stripe are cryptographically signature-verified, with replay protection and event de-duplication.

5. Email Integrity

  • Authenticated sending — our sending domain is authenticated with SPF, DKIM, and DMARC.
  • Compliance headers — commercial email carries List-Unsubscribe headers; transactional email (tickets, confirmations) is kept strictly separate from commercial touchpoints.
  • Replies reach you — guest replies are routed to the event organiser's own address, not to a no-reply void.

6. Backups & Continuity

  • Managed backups — our database provider takes daily automated backups with a 7-day restore window.
  • On-demand exports — we additionally take full logical database dumps on demand, stored separately from the primary database, with a documented restore procedure.
  • Queue monitoring — the email pipeline is watched by automated health checks that alert the team if sending stalls.

7. Subprocessors

Gatheris relies on a small set of established infrastructure providers:

ProviderPurpose
VercelApplication hosting and content delivery
SupabasePostgreSQL database (EU region)
ResendEmail delivery
StripePayment processing
Google WorkspaceSupport mailbox

8. Where We’re Headed

We would rather tell you plainly what is on the roadmap than imply it already exists:

  • Certifications — Gatheris is not yet SOC 2 or ISO 27001 certified. Formal certification is on our roadmap as the company grows.
  • Data Processing Agreement — our data-processing terms, records of processing activities, and breach-response procedure are drafted and available for review on request. Formal DPA countersigning will be offered once our corporate entity is finalised.

9. Questions & Disclosures

For security questions, documentation requests, or to responsibly disclose a vulnerability, contact us at hello@gatherisus.com. Security reports are read directly by those who build Gatheris.

    Security & Data Protection — Gatheris | Gatheris