Where your data lives, and who can see it.
A short, plain-English page. The longer version, including our SOC 2 Type II report when ready, is available on request.
Hosting
VenueSync runs on AWS in us-east-1, behind a managed Postgres database (Supabase) and Vercel’s edge network. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
Access
Each event has roles — venue, planner, vendor. Vendors only see what they need to see for the events they have been invited to. Row-level security is enforced at the database tier, not only at the API tier; a misconfigured client cannot leak another customer’s data.
Audit trail
Every change to a run-of-show, a vendor brief, or a floor plan is stamped with the user, the timestamp, and the previous value. We keep audit history for the lifetime of the event and 90 days beyond.
Compliance
SOC 2 Type II is in progress; the report will be available on request once the observation window closes. We are GDPR-aligned for EU data subjects and CCPA-aligned for California residents. We never sell customer data, ever.
Vulnerability disclosure
Found something? Email contact@venue-sync.com. We respond within one business day, and we do not take legal action against good-faith researchers.
Sub-processors
Supabase (database, auth, storage), Vercel (hosting, edge), Resend (transactional email), Google Cloud (OAuth identity provider, where used). A current list is available on request.