Security in every layer of the platform
Selling tickets means earning trust — from organisers and visitors alike. We earn that trust with technology, not promises.
From logging in to check-in at the door: every step is designed to prevent abuse. Here is exactly how we do it — without jargon where it is not needed.
Six layers of security
Concrete measures in the technology, from the first click until after the event.
Passwordless + two-factor verification
You log in with a secure, short-lived login link. On an unknown device we additionally ask for a verification code, and organisers can enable 2FA with an authenticator app. A password database that can leak simply does not exist with us.
Encryption, in transit and at rest
All traffic runs over TLS (https). On top of that, sensitive data such as two-factor keys and payment connections are stored encrypted in the database — even in case of a breach they remain unreadable.
A separate database per organisation
Every organisation gets a fully isolated database. Your event and visitor data is physically separated from that of other organisers — cross-organisation data leaks are ruled out by design.
Immutable audit log
Sensitive actions are recorded in a cryptographically chained ledger that cannot be altered or erased afterwards. Who did what and when is always verifiable.
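How such a cryptographically chained ledger detects tampering, as an added illustrative Python sketch (not MijnEvent's own code): every entry's hash covers the previous entry's hash, so editing or removing an earlier record breaks every hash after it. It assumes the latest head hash is also kept outside the ledger (for example signed or published), which is what catches silent truncation.

```python
import hashlib
import json

# Hash-chained, append-only audit ledger (illustrative, not the platform's code).
# Each entry commits to the previous entry's hash; the first entry chains to GENESIS.
GENESIS = "0" * 64


def _digest(prev_hash, seq, actor, action, details):
    # Canonical JSON so the same record always hashes to the same value.
    payload = json.dumps(
        {"prev": prev_hash, "seq": seq, "actor": actor,
         "action": action, "details": details},
        sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class AuditLedger:
    def __init__(self):
        self.entries = []

    def append(self, actor, action, details):
        """Record a sensitive action; returns the new head hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "actor": actor, "action": action,
                 "details": details, "prev": prev,
                 "hash": _digest(prev, seq, actor, action, details)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self, expected_head=None):
        """Recompute the whole chain from GENESIS.

        Returns (True, None) when intact, otherwise (False, index of the first
        bad entry). Passing the externally stored head hash also detects a
        ledger that was cut short after that head was recorded.
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = _digest(prev, i, e["actor"], e["action"], e["details"])
            if e["seq"] != i or e["prev"] != prev or e["hash"] != expected:
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)   # entries missing from the tail
        return True, None
```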
Payment details never touch our platform
Payments run through a certified European payment provider (PCI-DSS). Card and account details are processed there and never end up on our servers.
Fraud-resistant tickets
Every ticket carries a unique, unguessable QR code that is valid only once at the entrance. Resale runs through the platform: the old ticket is invalidated and the buyer receives a fresh code — copies are worthless.
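The single-use code and resale flow described above, as an added illustrative Python sketch (not MijnEvent's own code): the code embedded in the QR is a random 256-bit value, the server stores only its SHA-256 fingerprint, redemption is atomic so two scanners cannot both admit the same ticket, and resale revokes the old code before a fresh one is issued. The class and method names are assumptions for the illustration.

```python
import hashlib
import secrets
import threading

# Single-use ticket codes (illustrative, not the platform's code).
# Only the SHA-256 of each code is stored, so reading the table does not
# yield codes that would scan at the door.


class TicketRegistry:
    def __init__(self):
        self._lock = threading.Lock()
        # sha256(code) -> {"ticket": id, "state": "valid" | "used" | "revoked"}
        self._codes = {}

    @staticmethod
    def _fingerprint(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, ticket_id):
        """Create an unguessable code (256 bits of entropy) for a ticket."""
        code = secrets.token_urlsafe(32)
        with self._lock:
            self._codes[self._fingerprint(code)] = {"ticket": ticket_id,
                                                    "state": "valid"}
        return code

    def redeem(self, code):
        """Check-in at the entrance: accept a code exactly once."""
        fp = self._fingerprint(code)
        with self._lock:
            rec = self._codes.get(fp)
            if rec is None:
                return "unknown"
            if rec["state"] != "valid":
                return rec["state"]      # copies of a used or resold ticket fail here
            rec["state"] = "used"        # state flips under the lock: no double entry
            return "admitted"

    def resell(self, old_code):
        """Resale: revoke the old code, then hand the buyer a fresh one."""
        fp = self._fingerprint(old_code)
        with self._lock:
            rec = self._codes.get(fp)
            if rec is None or rec["state"] != "valid":
                return None              # nothing to transfer
            rec["state"] = "revoked"
            ticket_id = rec["ticket"]
        return self.issue(ticket_id)     # lock released; issue() takes it again
```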
Security in detail
For procurement teams, data protection officers and anyone who wants to look further: how the platform is hosted, how we protect data and which parties we work with.
Hosting & infrastructure
MijnEvent runs entirely within the European Union, on serverless Amazon Web Services infrastructure in Frankfurt (eu-central-1), managed through Laravel Vapor. There are no self-managed servers that age or go unpatched: the underlying systems are continuously updated by AWS.
EU region Frankfurt
Databases, file storage and queues live in the AWS Frankfurt region. Organiser and visitor data does not leave the EU for storage.
Serverless scalability
The platform scales automatically with peak traffic, for example when ticket sales open. No overloaded server going down at the busiest moment.
A separate database per organisation
Every organisation has a physically isolated database. A fault or breach at one can never spill over into another's data.
Data security & access control
Data is encrypted in transit and at rest, and access is limited to what is strictly necessary.
Encryption in transit
All traffic runs over HTTPS with TLS 1.2/1.3. Unencrypted connections are not accepted.
Encryption at rest
Databases and file storage are encrypted at the disk level. Extra-sensitive fields — such as 2FA keys and payment connections — are additionally encrypted at the application layer.
Secrets outside the code
API keys and credentials never live in the source code, but in a shielded secrets environment.
Least privilege & MFA
Access to production systems is limited to those who need it, always with multi-factor authentication. Sensitive actions are recorded in the immutable audit log.
Software development
Security is built into the development process, not just the end product.
Private source code
The source code lives in private repositories, accessible only to the development team.
Automated tests & static analysis
Every change passes an automated test suite and static code analysis before it goes live.
Dependency monitoring
Third-party software packages are tracked and updated as soon as security patches are released.
Vulnerability reports
Through responsible disclosure (see the bottom of this page) researchers can report vulnerabilities confidentially.
Back-ups & continuity
An event has no second chance — the platform has to be there, even when something goes wrong.
Daily encrypted back-ups
All databases are backed up automatically every day, encrypted and stored within the same EU region.
Point-in-time recovery
Databases can be restored to a specific moment in time, not just to the latest nightly back-up.
Redundant infrastructure
The infrastructure is spread across multiple data centres (availability zones) within the Frankfurt region; the loss of one location does not take the platform down.
NIS2 & the Dutch Cyber Security Act
More and more organisers — municipalities, educational institutions, larger companies — fall under NIS2 (EU 2022/2555) and the Dutch Cyber Security Act, and must assess their suppliers accordingly. The table below shows, per measure from Article 21(2), how MijnEvent implements it.
| Requirement (NIS2 art. 21(2)) | How MijnEvent implements it |
|---|---|
| Policies on risk analysis and information system security | Risk-driven approach with documented security measures at every layer of the platform. |
| Incident handling | A fixed incident response process with timelines for containment, notification and reporting. |
| Business continuity, back-ups and disaster recovery | Daily encrypted back-ups, point-in-time recovery and redundant infrastructure across multiple data centres. |
| Supply chain security | Deliberately chosen, predominantly European sub-processors with data processing agreements; an up-to-date overview on this page. |
| Security in development and maintenance, including vulnerability handling | Automated tests, static analysis, dependency monitoring and a responsible disclosure policy. |
| Procedures to assess the effectiveness of measures | Continuous automated checks on every change and an evaluation after every incident. |
| Cyber hygiene and training | Least privilege, multi-factor authentication and a team where security is a fixed part of the development process. |
| Policies on cryptography and encryption | TLS 1.2/1.3 for all traffic, encryption at rest and application-layer encryption for extra-sensitive fields. |
| Human resources security, access control and asset management | Strict access control to production systems and an immutable audit log of sensitive actions. |
| Multi-factor authentication and secured communications | Passwordless login with device verification, 2FA for organisers and encrypted connections. |
Do you, as an organiser, fall under NIS2 or the Dutch Cyber Security Act yourself and need additional information or a supplier statement for your supplier assessment? Email us at security@mijnevent.nl — we are happy to help.
Incident response
If, despite everything, something does go wrong, we follow a fixed process — transparent towards organisers and, where required, towards the regulator.
- < 24 hours · Detection & containment. The incident is investigated and contained: affected systems are isolated and abuse is stopped.
- Immediately · Informing affected organisers. As soon as it is clear which organisations are affected, we inform them directly, with what is known and what we are doing.
- < 72 hours · Notifying the Dutch Data Protection Authority. In case of a data breach posing a risk to data subjects, we notify the Autoriteit Persoonsgegevens within 72 hours, as required by the GDPR.
- < 1 month · Final report. Affected organisers receive a final report: cause, impact, measures taken and what we are improving structurally.
- Ongoing · Registration & evaluation. Every incident is recorded and evaluated; lessons learned flow back into the security measures.
Sub-processors
For specific parts of the service we engage specialised parties. We deliberately choose European parties where possible, and put data processing agreements in place with every sub-processor.
| Sub-processor | Purpose | Data | Location |
|---|---|---|---|
| Mollie B.V. | Payment processing (Mollie Connect) | Name, email address and payment data; card and account details never touch our servers (PCI-DSS) | EU (Netherlands) |
| Amazon Web Services | Hosting, databases, file storage and queues | All platform data: accounts, orders, tickets | EU (Frankfurt) |
| Laravel (Vapor) | Deployment and infrastructure management | Configuration and deployment metadata; customer data stays in the EU | US (management) |
| Lettermint | Transactional email: tickets, login links, verification codes and confirmations | Name, email address and ticket/order contents | EU |
| NottaSocket | Real-time updates: sales counts, queue positions and check-ins | Limited event metadata; no personal data of visitors | EU (Stockholm) |
| Cloudflare, Inc. | Rendering ticket PDFs and social preview images | Visitor name, event details and QR code, only during rendering | US (EU data centres; DPF/SCCs) |
| ClearAnalytics | Privacy-friendly visitor analytics, without cookies | Anonymised visit data | EU |
| Bunny.net (Bunny Fonts) | Font CDN | IP address when fonts are loaded | EU (Slovenia) |
This list is updated whenever something changes. In case of substantial changes we inform organisers in advance. The agreements on data processing are laid down in our data processing agreement.
Version 1.0 · Last updated: 11 June 2026 · Assessed for alignment with NIS2 (EU 2022/2555), the Dutch Cyber Security Act, ISO/IEC 27002:2022 and the GDPR.
Found a vulnerability? Tell us.
No system is perfect — ours included. If you have discovered a weakness, report it confidentially. We respond quickly, fix it, and never publish your report without consulting you. We value responsible reporters and do not give well-intentioned research a hard time.
Email us at security@mijnevent.nl
Sell tickets on a platform that takes security seriously
Start for free and leave security to us — from login link to check-in at the door.