As a hosted solution, Ticketsolve understands the importance of addressing our customers' concerns about hosting, security, and compliance. With this in mind, we have created this comprehensive guide to answer the most frequently asked questions related to these crucial aspects of our service. Our goal is to provide you with full transparency and insight into how we safeguard your data and maintain the reliability of our platform. Upon completing this article, you will have gained a thorough understanding of the hosting infrastructure, data security practices, and regulatory compliance that underpin Ticketsolve's commitment to delivering exceptional service to our customers.
Who do you use as your hosting provider?
Ticketsolve utilises Amazon Web Services (AWS) as our hosting provider, ensuring that all customer and company data is securely stored in the cloud. Our data is specifically hosted in AWS' Dublin Data Centre, which is fully compliant with all Data Protection legislation.
As a company, we place significant emphasis on security and PCI compliance to guarantee the protection of all data against external threats. AWS is certified to the ISO27001:2015 standard for its enterprise-grade shared private cloud environment and managed services offering. This certification demonstrates AWS' commitment to maintaining the highest level of security and data protection.
Moreover, AWS is the largest hosting service provider globally, trusted by numerous leading organisations, including Netflix, Vodafone, and Comcast, among others. This widespread adoption is a testament to AWS' reliability and performance, providing you with the assurance that your data is in safe hands when hosted by Ticketsolve.
For more information, please take a look at our help articles on our cloud security principles and PCI compliance.
What mechanisms do you have around data security?
Ticketsolve employs multiple layers of data security mechanisms to safeguard sensitive customer and payment information. To start with, we utilise secure Transport Layer Security (TLS) channels to transmit data, ensuring high levels of security and protection during data transfers.
Furthermore, the data within the AWS data centre is managed and protected by a robust set of security measures. These include 24/7/365 manned security, ensuring that the facility remains secure at all times. Additionally, CCTV cameras operate throughout the entire building, closely monitoring all areas for any potential security breaches.
To maintain the integrity of the data centre, all non-AWS personnel are continuously escorted while on the premises, and strict operational procedures are in place to minimise the risk of unauthorised access. These comprehensive security measures, in combination with AWS' industry-leading infrastructure, guarantee the highest level of protection for your data when hosted by Ticketsolve.
Are you PCI Compliant?
Yes, Ticketsolve is fully PCI compliant. We prioritise the security of payment card information and adhere to the highest industry standards, such as the Payment Card Industry Data Security Standard (PCI DSS). Our platform undergoes an annual audit by an independent PCI consultant to ensure that we maintain the strictest security measures for processing payment card information. Ticketsolve's valid PCI DSS compliance certificate attests to our commitment to safeguarding your financial data.
For more information on our PCI compliance and to download our latest certification, please read our PCI DSS help article.
What are your backup and disaster recovery mechanisms?
Ticketsolve offers a comprehensive disaster recovery plan as an integral part of our managed service. In the event of a catastrophic service interruption, we would swiftly transition the application to the Amazon Elastic Compute Cloud (Amazon EC2) platform, a web service providing scalable compute capacity in the cloud. This capability enables Ticketsolve to promptly restore the most recent database backup and resume operations on a new platform within hours of a disaster. We regularly conduct tests to ensure a smooth disaster recovery execution, with our current estimated restoration time ranging from 60 to 120 minutes upon initiation.
Do you have any monitoring and resolution strategies?
Ticketsolve employs round-the-clock, automated monitoring systems to ensure that the platform is functioning optimally and efficiently. These systems actively oversee all aspects of the platform, automatically sending email and text alerts when issues arise. Our clustered infrastructure design eliminates any single point of failure.
For routine failures, recovery is automated and can be managed by clients. When an application server fails, it is automatically removed from the server pool and an alert is generated. Database-related problems likewise produce an alert. Should a severe issue affect the main database, we can switch to the warm standby database within minutes to maintain uninterrupted service.
Is Ticketsolve GDPR compliant?
Ticketsolve is fully GDPR compliant. We recognise the significance of data privacy and security for our customers, and we are fully committed to complying with the General Data Protection Regulation (GDPR). This legal framework is designed to safeguard the personal data of individuals in the UK and European Union (EU). We have implemented various measures to ensure that our platform adheres to GDPR requirements, prioritising the protection of personal data for all our users.
For more information on our GDPR compliance, please read the GDPR help article.
Are there cooperation procedures in place between controllers, suppliers, and other partners to deal with data breaches?
Yes, Ticketsolve has established cooperation procedures between controllers, suppliers, and other partners to address data breaches effectively. These procedures are outlined in the Data Processing Addendum as part of the contract. Specifically, point 7 details the Personal Data Breach process:
Upon becoming aware of or reasonably suspecting a Personal Data Breach, the Data Processor must notify the Data Controller without undue delay, ideally within 72 hours. The notification should include:
- A description of the Personal Data Breach, specifying the categories and numbers of Data Subjects and Personal Data records affected.
- The name and contact details of the Data Processor's data protection officer or another relevant contact.
- The likely consequences of the Personal Data Breach.
- The measures taken or proposed to address the Personal Data Breach.
The Data Processor must cooperate with the Data Controller and follow their directives to investigate, mitigate, and remediate each Personal Data Breach. In case of a Personal Data Breach, the Data Processor must not inform any third party without the Data Controller's prior written consent, unless required by EU or Member State law. If such a legal requirement exists, the Data Processor must inform the Data Controller, provide a copy of the proposed notification, and consider any comments made by the Data Controller before notifying the Personal Data Breach.
Is personal data transferred outside the EEA?
No, Ticketsolve does not transfer personal data outside the EEA. The platform is hosted on Amazon Web Services (AWS), and all of Ticketsolve's data is stored within the AWS data centre in Dublin, Ireland.
On February 19th 2023, the European Commission adopted two adequacy decisions for the United Kingdom: one under the General Data Protection Regulation (GDPR) and the other under the Law Enforcement Directive. These decisions allow personal data to flow freely from the European Union to the United Kingdom, ensuring that it benefits from an essentially equivalent level of protection to that guaranteed under EU law. The adequacy decisions also facilitate the proper implementation of the EU-UK Trade and Cooperation Agreement, which foresees the exchange of personal information for various purposes, such as cooperation on judicial matters.
Both adequacy decisions include strong safeguards in case of future divergence, such as a 'sunset clause,' which limits the duration of adequacy to four years. During this period, UK businesses and public authorities can continue to receive data from the EU, ensuring compliance with data protection regulations.
Do you operate a regular audit review process?
Yes, Ticketsolve operates a regular audit review process to maintain the highest security standards and ensure compliance with industry regulations. This process consists of two main components:
- Annual Penetration Testing: Ticketsolve engages a third-party company to conduct annual penetration tests on our system. This involves probing and testing the platform for potential security vulnerabilities. Upon completion of the testing, the results are documented and shared with the Ticketsolve development team. Any necessary actions are then taken to address identified vulnerabilities and ensure the system remains fully compliant and secure.
- Annual PCI Compliance Review: Ticketsolve also undergoes an annual review of its PCI compliance, carried out by a third-party company. This review process ensures that Ticketsolve adheres to strict protocols and guidelines outlined by the Payment Card Industry Data Security Standard (PCI DSS).
Do you undertake and record prior diligence of service providers?
Yes, Ticketsolve is committed to conducting thorough due diligence of all third-party service providers prior to engagement. We carefully assess each potential partner, taking into account their reputation, expertise, and track record. As part of this process, we require at least three references from other organisations that have previously used their services. This allows us to ensure that the third-party providers we collaborate with meet our high standards of quality and reliability.