
Security at every layer.

How we protect your data and the Vowly Event platform — encryption in transit and at rest, strict access controls, and security engineering built on Google Cloud's certified infrastructure.

Effective: March 1, 2026

01

Encryption

All data flowing in and out of the Vowly Event platform is encrypted using industry-standard algorithms. We use TLS 1.3 with perfect forward secrecy for data in transit and AES-256 in GCM mode for data at rest in our primary database, file storage, and backups.

  • TLS 1.3 for all client–server connections; HSTS preload list inclusion
  • AES-256-GCM encryption at rest for Firestore, Cloud Storage, and backups
  • Passwords stored as salted hashes: bcrypt (work factor 12) for existing accounts and Argon2id for newer accounts
  • Cryptographic key management via Google Cloud KMS with annual key rotation

02

Access controls

We follow the principle of least privilege across all systems. Production access is restricted to a small group of engineers, requires multi-factor authentication, and every privileged action is logged for audit purposes.

  • Role-based access control (RBAC) enforced across all internal tools
  • Mandatory hardware security keys (FIDO2/WebAuthn) for production access
  • Just-in-time access grants with automatic expiry (typically 4 hours)
  • Comprehensive audit logging of all administrative actions
  • Quarterly access reviews and automated offboarding within 1 hour of role change

03

Infrastructure

Vowly Event runs on Google Cloud Platform with primary infrastructure in the europe-west3 (Frankfurt) region and multi-region replication across the EU. Our infrastructure is designed for resilience, scalability, and regulatory compliance with EU and UK data residency requirements.

  • Cloud provider: Google Cloud Platform (ISO 27001, SOC 2 Type II, ISO 27017, ISO 27018)
  • Primary region: europe-west3 (Frankfurt, Germany)
  • Database: Cloud Firestore with multi-region replication (eur3)
  • CDN & DDoS protection: Cloudflare with rate limiting and bot mitigation
  • Daily encrypted backups with 35-day retention and quarterly restore drills

04

Monitoring & detection

We monitor the platform 24/7 with automated alerting for anomalies, security events, and performance degradations. Our incident response team is on-call to address critical issues within minutes.

  • Real-time security monitoring for unusual login patterns and credential stuffing attempts
  • Application Performance Monitoring (APM) with anomaly detection
  • Web Application Firewall (WAF) and rate limiting on all public endpoints
  • Continuous vulnerability scanning for dependencies (npm audit, Snyk)
  • Annual third-party penetration testing by CREST-accredited firms

05
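To make the "unusual login patterns and credential stuffing" monitoring above concrete, here is an added example in Node.js (not Vowly Event's own detection code) of the kind of check such monitoring performs: it walks a stream of authentication events, slides a time window over the failures from each source IP, and distinguishes credential stuffing (many failures across many distinct accounts) from single-account brute force. The event shape, thresholds, addresses and timestamps are constructed assumptions for the illustration.

```javascript
// Added example, not the platform's own code. Event shape is an assumption:
// { ts: epoch ms, ip: source address, user: account identifier, ok: boolean }.

// Constructed sample log: one stuffing source, one brute-force source, one
// benign user who mistypes twice and then succeeds. Addresses are from the
// RFC 5737 documentation ranges.
function generateSample() {
  const base = Date.UTC(2026, 2, 1, 12, 0, 0); // constructed timestamp base
  const events = [];
  // Credential stuffing: one IP, a different account every 10 seconds
  for (let i = 0; i < 25; i++) {
    events.push({ ts: base + i * 10000, ip: '203.0.113.7', user: `user${i}@example.com`, ok: false });
  }
  // Brute force: one IP hammering a single account every 5 seconds
  for (let i = 0; i < 30; i++) {
    events.push({ ts: base + i * 5000, ip: '198.51.100.9', user: 'alice@example.com', ok: false });
  }
  // Benign: two typos, then a successful login
  events.push({ ts: base + 1000, ip: '192.0.2.44', user: 'bob@example.com', ok: false });
  events.push({ ts: base + 8000, ip: '192.0.2.44', user: 'bob@example.com', ok: false });
  events.push({ ts: base + 15000, ip: '192.0.2.44', user: 'bob@example.com', ok: true });
  return events;
}

// Sliding-window detector. For each source IP it finds the window of
// `windowMs` containing the most failed logins; an IP with at least
// `minFailures` in that window is flagged, and classified as credential
// stuffing when the failures span `minDistinctUsers` or more accounts,
// otherwise as brute force against a few accounts. Thresholds are assumptions.
function detectLoginAnomalies(events, opts = {}) {
  const { windowMs = 10 * 60 * 1000, minFailures = 20, minDistinctUsers = 10 } = opts;

  const failuresByIp = new Map();
  for (const e of events) {
    if (e.ok) continue; // only failed attempts feed the detector
    if (!failuresByIp.has(e.ip)) failuresByIp.set(e.ip, []);
    failuresByIp.get(e.ip).push(e);
  }

  const alerts = [];
  for (const [ip, fails] of failuresByIp) {
    fails.sort((a, b) => a.ts - b.ts);
    let best = null;
    let end = 0; // two-pointer window: `end` only moves forward
    for (let start = 0; start < fails.length; start++) {
      while (end < fails.length && fails[end].ts - fails[start].ts <= windowMs) end++;
      const slice = fails.slice(start, end);
      const distinctUsers = new Set(slice.map((f) => f.user)).size;
      if (!best || slice.length > best.failures) {
        best = { failures: slice.length, distinctUsers, from: fails[start].ts, to: fails[end - 1].ts };
      }
    }
    if (best.failures < minFailures) continue;
    const kind = best.distinctUsers >= minDistinctUsers ? 'credential_stuffing' : 'brute_force';
    alerts.push({ ip, kind, ...best });
  }
  // Deterministic ordering makes the output easy to diff and test
  return alerts.sort((a, b) => a.ip.localeCompare(b.ip));
}

// Stand-alone run: prints the two alerts and no entry for the benign user
for (const alert of detectLoginAnomalies(generateSample())) {
  console.log(`${alert.ip}: ${alert.kind} (${alert.failures} failures, ${alert.distinctUsers} accounts)`);
}
```

A production version would feed a rate limiter or step-up authentication rather than only logging, and would key on more than the source address (user-agent, ASN, per-account failure rates), since stuffing traffic is often spread over many IPs; the window-and-distinct-count logic stays the same.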

Secure development lifecycle

Security is integrated into every stage of our software development lifecycle. We follow OWASP best practices and require all code changes to pass automated security checks before deployment to production.

  • Mandatory peer code review for all changes; no direct commits to production branches
  • Static Application Security Testing (SAST) on every pull request
  • Software Composition Analysis (SCA) to identify vulnerable dependencies
  • Automated security headers (CSP, X-Frame-Options, Referrer-Policy)
  • Secret scanning and prevention via git pre-commit hooks

06
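The "automated security headers" item above and the HSTS preload item in the Encryption section describe the same control from two sides: emitting the headers, and verifying they are strong enough. The following Node.js code is an added example (not Vowly Event's own code) showing both: a header set an origin would send, and a checker that flags the weaknesses a deployment pipeline should catch before release. The directive values are illustrative assumptions; the HSTS thresholds follow the public hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload).

```javascript
// Added example, not the platform's own code. All header values below are
// constructed illustrations of a reasonable baseline, not Vowly's actual policy.

const ONE_YEAR_SECONDS = 31536000; // minimum max-age accepted by the HSTS preload list

// The header set an origin would attach to every response.
function securityHeaders() {
  return {
    'strict-transport-security': `max-age=${2 * ONE_YEAR_SECONDS}; includeSubDomains; preload`,
    'content-security-policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
    'x-frame-options': 'DENY',
    'referrer-policy': 'strict-origin-when-cross-origin',
    'x-content-type-options': 'nosniff',
  };
}

// Parse "max-age=N; includeSubDomains; preload" into a structured object.
function parseHsts(value) {
  const out = { maxAge: 0, includeSubDomains: false, preload: false };
  for (const raw of String(value || '').split(';')) {
    const token = raw.trim().toLowerCase();
    if (token.startsWith('max-age=')) out.maxAge = parseInt(token.slice(8), 10) || 0;
    else if (token === 'includesubdomains') out.includeSubDomains = true;
    else if (token === 'preload') out.preload = true;
  }
  return out;
}

// Parse a CSP string into { directive: [sources] }, lowercased.
function parseCsp(value) {
  const policy = {};
  for (const raw of String(value || '').split(';')) {
    const parts = raw.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    policy[parts[0].toLowerCase()] = parts.slice(1).map((s) => s.toLowerCase());
  }
  return policy;
}

// Return a list of findings; an empty list means the header set passes.
// Header names are matched case-insensitively, as Node's http module
// lowercases incoming header names.
function checkSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];

  if (!h['strict-transport-security']) {
    findings.push('HSTS header missing');
  } else {
    const hsts = parseHsts(h['strict-transport-security']);
    if (hsts.maxAge < ONE_YEAR_SECONDS) findings.push('HSTS max-age below one year (preload requirement)');
    if (!hsts.includeSubDomains) findings.push('HSTS lacks includeSubDomains');
    if (!hsts.preload) findings.push('HSTS lacks preload directive');
  }

  if (!h['content-security-policy']) {
    findings.push('CSP header missing');
  } else {
    const csp = parseCsp(h['content-security-policy']);
    // script-src falls back to default-src when absent, per the CSP spec
    const scriptSrc = csp['script-src'] || csp['default-src'] || [];
    if (scriptSrc.includes("'unsafe-inline'")) findings.push("CSP allows 'unsafe-inline' scripts");
    if (scriptSrc.includes('*')) findings.push('CSP script sources include a wildcard');
    if (!csp['frame-ancestors'] && !h['x-frame-options']) {
      findings.push('no clickjacking protection (frame-ancestors or X-Frame-Options)');
    }
  }

  if (!h['referrer-policy']) findings.push('Referrer-Policy missing');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options should be nosniff');
  }
  return findings;
}

// Stand-alone run: the baseline passes, a deliberately weak set does not
console.log('baseline findings:', checkSecurityHeaders(securityHeaders()));
console.log('weak findings:', checkSecurityHeaders({
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src 'self' 'unsafe-inline'",
}));
```

Wiring `checkSecurityHeaders` into a CI step that fetches a staging page and fails the build on any finding turns the header policy into a regression test rather than a one-time configuration.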

Incident response

Despite our best efforts, no platform is immune to security incidents. If we detect a personal data breach, we follow a documented incident response plan and will notify affected users and the UK ICO within 72 hours, in accordance with UK GDPR Article 33.

  • Documented incident response plan with defined severity levels
  • On-call rotation with 15-minute response SLA for critical incidents
  • Mandatory post-mortem and remediation for all P0/P1 incidents
  • 72-hour breach notification commitment to supervisory authorities and affected users

In the event of a confirmed personal data breach affecting your data, we will contact you directly via email and provide guidance on protective steps.

07

Compliance & certifications

Vowly Event is built on infrastructure with leading security certifications and is engineered to meet the requirements of multiple privacy and security frameworks.

  • UK GDPR & EU GDPR — full compliance, including Article 30 records and DPIAs
  • UK Data Protection Act 2018
  • PCI DSS — Stripe handles all payment data; we maintain a SAQ-A scope
  • Regular security reviews, dependency audits and hardening of our infrastructure
  • SOC 2 Type II — infrastructure provider certification (Google Cloud)

08

Responsible disclosure

We appreciate the security community's help in keeping our platform safe. If you discover a vulnerability, please report it to security@vowly.co with a clear description, reproduction steps, and your contact information. We commit to acknowledge reports within 48 hours and to work with you on responsible disclosure timelines.

Please do not exploit, test against production, or disclose vulnerabilities publicly before we have had a reasonable opportunity to remediate.

Report a vulnerability

We welcome responsible disclosure from the security community. Please contact our security team to report any vulnerabilities or security concerns.

security@vowly.co