Security & Privacy at Harpaston
Last updated: May 14, 2026
How we protect your data and your guests' data — at the infrastructure, application, and process layers.
1. Hosting and data residency
Harpaston runs on an enterprise-grade managed cloud platform operated by a Tier-1 provider, with all application and database resources provisioned exclusively within the European Union.
Three fully segregated environments are operated: production, pre-production, and staging. No production data is ever copied into pre-production or staging.
2. Encryption
- TLS 1.2 or higher enforced on all endpoints, with HSTS enabled.
- All production data is stored on volumes with platform-managed encryption at rest (AES-256).
- Application secrets managed via authenticated encryption.
3. Access & identity
- Multi-factor authentication enforced on all administrative platform access.
- Invite-only operator accounts; no public self-serve signup.
- Role-based access control at the application layer.
- Two-factor authentication available for operator accounts.
4. Application security
- Defense-in-depth design with multi-tenant isolation at the database layer.
- Rate limiting on authentication and form endpoints.
- Comprehensive HTTP security headers and parameter scrubbing in logs.
- Automated CI checks on every change: dependency vulnerability scanning, secret scanning, mandatory code review, branch protection.
5. GDPR & privacy
Harpaston operates exclusively as a Data Processor (Article 28 GDPR) for all guest, attendee, and event participant personal data. We never act as Data Controller for this data.
All processing occurs within the European Union, and our sub-processors are documented publicly. We honor data subject rights within 30 days of a validated Controller request, and we notify Controllers of personal data breaches without undue delay.
6. Operations & resilience
- Public real-time status page: harpaston.instatus.com.
- Daily automated backups within the same EU region as production data.
- Disaster recovery plan documented and tested; the most recent restoration drill measured a Recovery Time Objective of 89 seconds.
- Incident response runbook with severity matrix, escalation paths, and client communication templates.
- Target service availability of 99.5% monthly, defined contractually per engagement.
7. Continuous internal audit
Our security program is built on the OWASP ASVS Level 2 standard, with continuous internal audit and remediation. Findings are prioritized in the engineering roadmap, and an external third-party penetration test is planned for Q4 2026.
8. Need our full security pack?
We share our Vendor Due Diligence Overview, CAIQ Lite v4 self-assessment, Data Processing Agreement, and detailed control framework with commercial counterparties under NDA.
Last updated — version 1.0.
For specific security questions, write to security@harpaston.com.