Security

Safety & Security

Last updated: 1 January 2025

Trust is foundational to everything we build at Ticksit. Below is a transparent account of the technical, operational, and procedural measures we take to protect your account, your customers' data, and the platform.

POPIA · Act 4 of 2013

ECTA · Act 25 of 2002

PCI DSS · Level 1 providers

TLS 1.2+ · In-transit encryption

AES-256 · At-rest encryption

AWS Cape Town · af-south-1 region

Account Security

bcrypt + 2FA

Passwords are hashed using bcrypt with a high work factor and are never stored in plain text or reversible form.

Two-factor authentication (2FA) is available via authenticator apps (TOTP). We strongly recommend enabling this on all accounts.

Suspicious login attempts — including logins from new devices, locations, or at unusual hours — trigger automatic security alerts. You can review all active sessions and revoke access from any device in your account settings.

Data Encryption

TLS 1.2+ · AES-256

All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and reject insecure connections.

Data stored on our servers — including your attendee lists, email contacts, and campaign data — is encrypted at rest using AES-256.

Database backups are encrypted and stored separately with strict access controls.

Infrastructure Security

AWS Cape Town · Least privilege

The Ticksit platform runs on AWS infrastructure in the Africa (Cape Town) region (af-south-1). We apply the principle of least privilege: each team member can only access the systems and data necessary for their specific role.

We conduct regular vulnerability assessments and annual penetration tests. Security patches are applied on a priority basis — critical vulnerabilities within 24 hours, high severity within 7 days.

Our infrastructure is monitored 24/7 using automated anomaly detection. All access to production systems is logged and auditable.

Payment Security

PCI DSS compliant

Ticksit does not store, process, or transmit card or bank account details on our servers. All payment processing is delegated to PCI DSS Level 1-compliant payment providers: PayFast and Peach Payments.

During checkout, your payment details are entered directly on our provider's secure hosted pages. Ticksit only receives a tokenised confirmation that the transaction was successful.

Responsible Disclosure

Bug bounty programme

If you discover a security vulnerability in the Ticksit platform, we ask that you report it to us responsibly before disclosing it publicly.

Email your findings to security@ticksit.co.za with a clear description, steps to reproduce, and any supporting evidence. We commit to: acknowledging your report within 48 hours; providing regular updates on investigation progress; resolving confirmed vulnerabilities within 90 days.

We appreciate responsible researchers and will not take legal action against those who follow this disclosure process in good faith. We offer recognition and, at our discretion, monetary rewards for critical findings.

Incident Response

POPIA-aligned notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify you as soon as reasonably practicable and in any case within the timeframes required by POPIA and the Information Regulator.

We maintain a documented incident response plan that includes containment, eradication, recovery, and post-incident review phases. Our information security team is on-call 24/7.

You will be informed of: the nature of the breach; what data was affected; what we are doing to address it; and any steps you should take to protect yourself.

Report a security issue

Email security@ticksit.co.za — we acknowledge reports within 48 hours.

General safety queries

Email legal@ticksit.co.za for privacy and legal matters.