Security & Compliance

Your data, your privacy, our priority.

Splash's commitment to trust, transparency, and compliance protects your events and data.

Data Protection

All data in Splash is treated as confidential and protected while in transit and at rest.

Network communications in and out of Splash are encrypted with TLS 1.2/1.3 using only secure ciphers. All data is encrypted at rest using industry-standard AES-256 encryption.

Network Security

Splash’s network infrastructure is hosted by AWS in two regions: AMER and EMEA.

Each region uses multiple availability zones for disaster recovery and resilience. Network access is controlled through firewalls and virtual private networks (VPNs), and a combination of perimeter and endpoint security controls is used to protect customer data and prevent unauthorized access or abuse. Intrusion detection and data loss prevention solutions are also in place to alert our security team to any suspicious activity in real time.

GDPR Compliance

Splash complies with GDPR and all local laws and contractual obligations when considering IT systems.

As a company, Splash complies with GDPR and all local laws and contractual obligations when considering IT systems. As a platform, Splash enables our customers, as data controllers, to remain in compliance with GDPR and other cybersecurity and privacy acts and standards, such as CCPA, CASL, etc.

Single Sign-On

Splash supports OAuth and SAML SSO configurations for secure login.

SSO can also be enabled on specific Splash pages to gate event content. Verified partners include Okta, Azure, ADFS, Google Auth, Zephr, Auth0, ForgeRock, and PING.

EU-U.S. and Swiss-U.S. Privacy Shield Certified
We are certified in both EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield. See our certification here.
SOC 2
Splash is compliant with Service Organization Controls standards for operational security.
PCI DSS
Splash is compliant with the Payment Card Industry Data Security Standard (PCI DSS).
Have questions or need additional information? Contact us at security@splashthat.com

Brand Compliance

Your brand, your rules.

Maintain brand integrity across the entire attendee journey.
Build a library of custom, on-brand templates to ensure everyone on your team hosts events that look and feel like an extension of your homepage, regardless of their department or location.
Ensure legal requirements are always met.
Design custom templates with built-in legal headers and footers that include your company’s privacy policy, terms & conditions, contact information, security practices, disclaimers, and more.
Uphold your brand voice across every touchpoint.
Customize every attendee interaction in your templates – landing page, emails, confirmations, and more – with the brand voice your audience knows and trusts. Save and share these templates across your team to create a consistent brand voice across all your events.

Data Compliance

Secure data collection, simplified.

Standardize data collection from across your event program.
Designate a default registration form for your entire program with privacy and compliance requirements built-in. If the legal landscape changes, you can edit the form in one place and all your events will be updated automatically.
Capture attendee consent.
Include an opt-in checkbox and a link to your privacy policy on everything from your RSVP forms to your emails to your digital check-in.
Enforce GDPR and CCPA Protocol.
Customize terms and conditions, privacy policies, opt-in agreements, and other registration requirements based on each end attendee’s location.

Access Control

Centralized permissions management.

Control event permissions across your team.
Assign team members varying levels of access to different event processes, like event creation, integration management, check-in capabilities, and more, based on their specific roles.
Ensure every event is on-brand and compliant.
Centrally manage your brand, registration forms, and landing page templates to ensure every team member only creates events using approved, up-to-date marketing assets. This level of control extends to every digital touchpoint in the attendee journey.
Restrict event access based on team, region, and more.
Create a top-down group hierarchy to control which events and data each user can see and work on. As a rule, admins can see and edit everything while event hosts can only work on the events belonging to their group.

FAQ

Security & Compliance

Where are Splash data centers located?
Splash is a Software-as-a-Service platform hosted on Amazon Web Services. All data is stored in a cloud-based RDS database on AWS servers located in the United States of America, AWS US-East-1. For our EU-based customers, all data is stored in an RDS database on AWS servers located in Germany, EU-Central-1.
Does your team have an incident response plan?
Yes. Splash's incident response plan identifies critical company technology and explains the measures needed to shut down, restart, or recover the service for our customers. Upon request, we are able to share a copy of our Disaster Recovery and Business Continuity Plan.
Do you store backups? Where? How often?
Backups are stored within Amazon Web Services infrastructure, located within the United States and Germany, depending on the location of customer data. Failover is done through AWS availability zones, which are geolocated near each other but are not the same physical system.
How long is data retained in your system?
By default, data is permanently retained in Splash’s records. Upon direct request from customers, data deletion from live databases and backups is available.
Do you have a SOC2 type II or ISO 27001 certification report?
Splash completes an annual SOC 2, Type 2 audit. Details of the most recent audit report can be shared upon the signature of a mutual NDA.
How do you manage vulnerabilities in your application?
In addition to static code analysis, Splash also conducts daily dynamic code analysis scans. Vulnerabilities identified are entered into an issue tracking system and assigned to the appropriate teams for remediation based on our SLAs. Additionally, we have a bug bounty program on HackerOne, where security researchers can identify and report any potential security issues to us.
Is data ever transferred and if so what agreements are in place for that data transfer?
Splash follows best practices in alignment with GDPR regulation to protect any data that may be transferred out of the EU. View a list of subprocessors and locations here.