Event Store Security
Version Date: April 19, 2022
We take security at Event Store very seriously and have gathered all security content onto this page for easy reference. Please refer to the table of contents to guide you to the required information:
Table of contents
- EU GDPR and GDPR rights
- AICPA SOC 2 Type 1
- ISO 27001:2013
- Cloud providers' compliance
- European Banking Authority (EBA)
2. EU GDPR and GDPR rights
Event Store is a UK entity that complies with the UK Data Protection Act 2018 (DPA) regarding the management of our employees' and customers' personal data.
If you use our Event Store Cloud, you agree with our Data Processing Addendum (DPA).
Please remember that it is your responsibility to handle the personal data that you store in your EventStoreDB according to the GDPR or any other personal data regulation.
To make your GDPR compliance easier, you can choose a country within Europe where your servers are deployed in our cloud providers' portfolio.
The rights afforded by GDPR are as follows:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
Event Store hosts personal data under these two scenarios:
- You are an Event Store end user who has provided us with your contact details (reaching us in any of our web forms, registering for our newsletter, signing into our forum, etc.). You can exercise your rights by reaching out to firstname.lastname@example.org.
- You have provided your personal data to an Event Store customer who has stored it in an EventStoreDB hosted in Event Store Cloud. You will have to contact that Event Store customer to exercise your rights, as Event Store has no access to that data.
If you have shared personal data in our GitHub repositories, then please contact GitHub. If you want to opt out of our newsletter, click on the Unsubscribe link at the bottom of such emails. If you want to configure your preferences regarding other emails we may send you as a customer, please follow this link.
3. AICPA SOC 2 Type 1
Event Store Cloud has passed its annual SOC 2 Type 1 audit by an independent third-party auditor. Our report is available for customer review under NDA. If interested in the report, please contact us.
In 2022 we are planning to pass the SOC 2 Type 2 audit.
4. ISO 27001:2013
Event Store Cloud is ISO 27001:2013 certified.
5. Cloud providers' compliance
The cloud providers that we offer to deploy your EventStoreDB are GDPR compliant, ISO 27001 certified, and SOC 2 audited. You can find more information on their websites:
6. European Banking Authority (EBA)
Event Store is not under the direct supervision of EBA. However, we are committed to helping regulated customers meet their regulatory objectives.
If your business needs to comply with the Outsourcing Guidelines passed by the European Banking Authority (EBA) and Event Store Cloud is considered critical or important, we've got you covered. Please contact us to arrange an EBA Outsourcing Guidelines Addendum.
Event Store Cloud applies multiple strategies to reduce potential downtime:
- We use first-class cloud providers.
- You can choose to use a three-node multi-zone cluster to avoid disruptions that could affect one server or an entire zone.
You can check Event Store Cloud uptime here. You can find more information about our Service Level Agreement (SLA) here. To reduce latency, you can choose a country closer to your location from our cloud providers' portfolio.
Event Store Cloud servers are encrypted at rest. Volumes are encrypted at the block level using each cloud provider’s block storage implementation. Each encryption key is unique to each Event Store Cloud organization, and is managed within that cloud’s native key manager.
Your Event Store Cloud servers are not accessible from the Internet. To access them, you have to establish a peering link between the Event Store Cloud network and your own virtual private cloud (VPC).
Internal service traffic via gRPC is not encrypted and is sandboxed within a private network zone. External and management traffic is encrypted in transit via TLS 1.3.
You can find a detailed list of our security controls in our Data Processing Addendum.
Vulnerability Assessments and Penetration Tests: We conduct quarterly vulnerability assessments and annual penetration tests to verify that no vulnerabilities were left in our code. We also conduct them after relevant changes in our code.
You can report a vulnerability by reaching out to email@example.com.