Security

We take the security and privacy of organizer and attendee data seriously. This page summarises the technical and organisational safeguards we have in place to protect the GatherPro platform and the data entrusted to us.

Last updated: May 30, 2026

Platform Security Overview

Encryption in Transit

All data transmitted between your browser and GatherPro is encrypted using HTTPS with TLS 1.2 or higher. Unencrypted HTTP connections are automatically redirected to HTTPS.

Authentication

Passwords are hashed using bcrypt with a high cost factor — raw passwords are never stored. Organizer accounts support email verification and optional two-factor authentication (2FA) via authenticator app.

Tenant Isolation

Each organizer tenant operates on a dedicated subdomain with strict data scoping. Database queries are automatically scoped to the requesting tenant, preventing cross-tenant data access.
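The automatic query scoping described above can be illustrated with a small repository pattern: the tenant is derived once from the per-tenant subdomain, bound into the repository, and then ANDed into every query so that callers cannot reach another tenant's rows even with a valid record id. This is an added example written for this page, not GatherPro's own code; the `attendees` schema, the sample tenants `acme` and `globex`, and the base domain `gatherpro.example` are constructed assumptions.

```python
import sqlite3

# Constructed schema for the example (not GatherPro's real schema).
SCHEMA = """
CREATE TABLE attendees (
    id INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    email TEXT NOT NULL
);
CREATE INDEX attendees_tenant ON attendees (tenant_id);
"""

# Constructed sample rows for two hypothetical tenants.
SAMPLE_ROWS = [
    ("acme", "alice@example.com"),
    ("acme", "bob@example.com"),
    ("globex", "carol@example.com"),
]


def tenant_from_host(host):
    """Derive the tenant label from the request's Host header.

    Assumes one subdomain label per tenant under the (assumed) base domain
    gatherpro.example. Anything that is not exactly <label>.gatherpro.example
    yields None, so a request without a recognised tenant gets no scope.
    """
    host = host.split(":")[0].lower()
    suffix = ".gatherpro.example"
    if not host.endswith(suffix):
        return None
    label = host[: -len(suffix)]
    if not label or "." in label:
        return None
    return label


class TenantScopedRepository:
    """All reads and writes go through here. The tenant id is bound once from
    the request context and is never taken from caller-supplied parameters."""

    def __init__(self, conn, tenant_id):
        if not tenant_id:
            raise ValueError("tenant context is required")
        self._conn = conn
        self._tenant_id = tenant_id

    def list_attendees(self):
        rows = self._conn.execute(
            "SELECT id, email FROM attendees WHERE tenant_id = ? ORDER BY id",
            (self._tenant_id,),
        ).fetchall()
        return [{"id": r[0], "email": r[1]} for r in rows]

    def get_attendee(self, attendee_id):
        # The tenant predicate is always ANDed in, so a guessed or enumerated
        # id belonging to another tenant returns None rather than the row.
        row = self._conn.execute(
            "SELECT id, email FROM attendees WHERE id = ? AND tenant_id = ?",
            (attendee_id, self._tenant_id),
        ).fetchone()
        return None if row is None else {"id": row[0], "email": row[1]}

    def delete_attendee(self, attendee_id):
        # Writes are scoped the same way; rowcount is 0 for a foreign row.
        cur = self._conn.execute(
            "DELETE FROM attendees WHERE id = ? AND tenant_id = ?",
            (attendee_id, self._tenant_id),
        )
        return cur.rowcount


def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO attendees (tenant_id, email) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def demo():
    """Run both tenants against the same database and report what each sees."""
    conn = build_demo_db()
    acme = TenantScopedRepository(conn, tenant_from_host("acme.gatherpro.example"))
    globex = TenantScopedRepository(conn, tenant_from_host("globex.gatherpro.example"))
    return {
        "acme_count": len(acme.list_attendees()),
        "globex_sees_acme_row": globex.get_attendee(1),
        "globex_delete_acme_row": globex.delete_attendee(1),
        "acme_still_has_row": acme.get_attendee(1) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The important design choice is that no method accepts a tenant id as an argument: the scope is fixed at construction from the Host header, so a bug in a single handler cannot widen it. Pair this with a database-level control (a per-tenant index at minimum, or row-level security where the database supports it) so that a query written outside the repository still cannot cross tenants silently.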

Payment Security

Payment card data is handled exclusively by Stripe, Inc. under their PCI DSS Level 1 compliance programme. GatherPro never stores, transmits, or has access to raw card numbers.

Infrastructure & Availability

GatherPro is hosted on managed cloud infrastructure with redundant networking and automated failover. We monitor system health continuously and publish incidents at /status.

Data Backups

Database backups are performed daily and retained for a minimum of 14 days. Backups are encrypted and stored in a separate geographic location to protect against data loss.

Access Controls

Access to GatherPro's production systems is limited to authorised personnel and is enforced through:

  • Role-based permissions within the organizer portal (owner, admin, staff roles)
  • Superadmin panel accessible only to internal Solution Forest Ltd. staff
  • SSH key authentication required for server access — password login is disabled
  • All administrative access is logged and auditable

Data Practices

We minimise data collection and apply the principle of least privilege throughout the platform:

  • Only data strictly necessary to operate the Service is collected
  • Database fields containing sensitive values are encrypted at rest where appropriate
  • Attendee data is scoped to the tenant and is not visible to other tenants or Solution Forest staff except for support purposes
  • Soft deletion and audit trails are used for sensitive records

For details on data retention, your rights, and how to request deletion, see our Privacy Policy.

Responsible Disclosure

Security Vulnerability Reporting

If you discover a security vulnerability in the GatherPro platform, please report it responsibly to our security team. We ask that you:

  • Email details to [email protected]
  • Include a clear description of the vulnerability and steps to reproduce
  • Allow us reasonable time (up to 90 days) to investigate and remediate before public disclosure
  • Avoid accessing, modifying, or deleting data that does not belong to you
  • Do not conduct automated scanning or denial-of-service testing against production

We will acknowledge valid reports within 5 business days and aim to provide an initial assessment within 10 business days. We do not offer a bug bounty programme at this time, but we genuinely appreciate responsible security research.

What We Do Not Claim

In the interest of transparency, we want to be honest about our current security posture:

  • GatherPro has not undergone independent third-party penetration testing at the time of this writing. We plan to commission one as the platform scales.
  • We do not hold ISO 27001, SOC 2, or other formal certifications. Our security practices are designed to align with these frameworks.
  • Payment card security is fully delegated to Stripe — their PCI compliance covers the payment flow, not GatherPro itself.

Questions

For general security enquiries (not vulnerability reports) please contact us at [email protected].