Security & Compliance

Built on trusted infrastructure.
Designed for sensitive data.

EasyVirtualFair powers virtual career fairs for universities, governments and Fortune 500 employers. Our platform runs on SOC 2 Type II and ISO 27001 certified infrastructure, and our internal security program is aligned with SOC 2 Trust Service Criteria, ISO 27001 controls, and GDPR.

Powered by certified infrastructure
Netlify
SOC 2 Type II · ISO 27001
Stripe
PCI DSS Level 1
Google Cloud
SOC 2 · ISO 27001 · 27018
GDPR aligned
EU data residency

Five pillars of our security program

Our practices are mapped to the same Trust Service Criteria used by SOC 2 auditors and to the Annex A controls of ISO/IEC 27001:2022.

Security

Encryption in transit (TLS 1.3) and at rest (AES-256). MFA enforced. Least-privilege access. Centralized logs.

Availability

Global CDN, redundant hosting, automated backups and a documented incident response process.

Confidentiality

Customer data is logically segregated. Access is signed, audited and reviewed quarterly.

Processing integrity

Validated forms, signed payment links via Stripe, and webhook reconciliation across our automation stack.

Privacy

GDPR & CCPA aligned. Granular consent. EU data residency available on request for European clients.

Compliance & framework alignment

We are transparent about what is certified, what is in progress, and what is inherited from our infrastructure providers.

SOC 2

Our security program is designed and operated in alignment with the SOC 2 Trust Service Criteria (Security, Availability, Confidentiality).

SOC 2 Type I — readiness in progress
Infra: Netlify & Google Cloud SOC 2 Type II audited

ISO/IEC 27001

Internal controls mapped to ISO/IEC 27001:2022 Annex A — including access control, cryptography, supplier security and incident management.

Aligned
Infra: Netlify, Google Cloud & Stripe ISO 27001 certified

GDPR & CCPA

Lawful basis, DPAs, sub-processor list, EU data residency option, and granular consent management for attendees.

Aligned

PCI DSS

All card payments are processed by Stripe (PCI DSS Level 1). EasyVirtualFair never stores card data on its own systems.

Inherited via Stripe

Plain-language note. EasyVirtualFair is not currently SOC 2 or ISO 27001 certified as a company. Our internal program is built and operated in alignment with those frameworks, and our underlying infrastructure providers (Netlify, Stripe, Google Cloud) hold the certifications stated above. A SOC 2 Type I audit is in progress — request our security overview document for current status, sub-processor list and audit timeline.

Controls we operate today

A summary of the technical and organizational controls in place. The full control matrix is available on request.

Access & identity

  • MFA enforced on all admin accounts
  • SSO via Google Workspace
  • Role-based access, reviewed quarterly
  • Onboarding & offboarding checklists

Data protection

  • TLS 1.3 in transit, AES-256 at rest
  • Daily automated backups
  • Logical tenant segregation
  • Data retention & deletion policy

Application security

  • Secure SDLC with peer code review
  • Dependency scanning & patching
  • Secrets managed in vault, never in code
  • Annual penetration test (third party)

Operations

  • Centralized logging & alerting
  • 24/7 incident on-call during go-live
  • Documented incident response plan
  • Business continuity & DR procedures

Vendor management

  • Sub-processor inventory, public on request
  • DPAs signed with all data processors
  • Annual vendor security review
  • Preference for SOC 2 / ISO 27001 vendors

People & policy

  • Information Security Policy
  • Acceptable Use & Access Control Policy
  • Confidentiality agreements with all staff
  • Annual security awareness training

Frequently asked security questions

Short answers for procurement, legal and IT teams.

Is EasyVirtualFair SOC 2 certified?

SOC 2 is not a certification — it is an attestation report issued by a CPA firm. Our internal program is aligned with the SOC 2 Trust Service Criteria, and our SOC 2 Type I audit is in progress. Our hosting providers (Netlify, Google Cloud) are SOC 2 Type II audited. Email security@easyvirtualfair.com to request our current status letter.

Is EasyVirtualFair ISO 27001 certified?

Our information security program is mapped to ISO/IEC 27001:2022 Annex A controls, but EasyVirtualFair is not currently certified as a company. Our infrastructure providers (Netlify, Stripe, Google Cloud) are ISO 27001 certified, which covers hosting, payments and identity layers.

Where is data hosted? Can it stay in the EU?

Default hosting is via Netlify and Google Cloud. EU data residency is available on request for European clients — we will deploy your event into EU regions and sign the corresponding DPA.

How is payment data handled?

All card payments are processed by Stripe (PCI DSS Level 1). Card numbers, CVCs and full PANs never touch EasyVirtualFair systems.

Can I get the security overview document or sub-processor list?

Yes. Email security@easyvirtualfair.com and we will send our Security Overview, sub-processor list and SOC 2 progress letter under NDA.

How do you handle security incidents?

We follow a documented incident response plan: detect, contain, eradicate, recover and notify. Affected customers are notified within the timelines required by GDPR (72 hours for personal data breaches) and by their own contractual SLAs.

Talk to our security team

Procurement questionnaire, vendor risk review, DPA, or a copy of our Security Overview — we usually reply within one business day.