Security Policy

Last updated: 9 April 2026

Ticket King is committed to protecting the security of our users' data. This policy describes the security measures we implement to safeguard personal data processed through our Discord bot and website, our incident response practices, and how to report security vulnerabilities. For details on how we process and protect personal data, please refer to our Privacy Policy and Data Processing Agreement.

1. Security Measures

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with Article 32 of the GDPR and commercially reasonable security standards.

Technical Measures

  • Encryption in Transit: All web traffic and API communications are encrypted using TLS/HTTPS. Connections without encryption are not accepted.
  • Encryption at Rest: Data stored in databases and object storage is encrypted at rest. Database volumes use disk-level encryption, and our object storage provider encrypts stored objects at rest. Sensitive application data, such as authentication tokens, is additionally encrypted at the application level using AES-256.
  • Access Controls: Access to production data and systems is restricted to the sole operator. No other individuals, including community support staff, have access to user data, server data, credentials, or production systems.
  • Database Security: Databases are secured with authentication, network isolation, and firewall rules. Direct public access to databases is not permitted.
  • Image and Attachment Storage: Stored images and attachments are protected by access controls. Storage buckets are not publicly accessible. Access is granted only through authenticated, authorized requests.
  • Infrastructure Security: Server infrastructure is regularly updated and patched. Security updates are applied promptly to address known vulnerabilities.
  • Bot Token Security: Discord bot tokens and API credentials are stored securely and are never exposed in client-side code or public repositories.
  • Authentication Security: User authorization tokens are never stored. Only cryptographic hashes are held temporarily in memory for session verification purposes.
  • Secure Development Practices: Security considerations are integrated into the development process, with attention to identifying and addressing potential vulnerabilities before deployment.

Organizational Measures

  • Access to personal data and production systems is restricted exclusively to the sole operator of the Service. No other individuals have access.
  • Community support staff, moderators, and other team members do not have access to any user data, server data, or system credentials.
  • Security practices and access controls are reviewed periodically.

Infrastructure

  • Our hosting infrastructure is provided by established cloud providers that maintain industry-standard security certifications, including ISO 27001 compliance. Our CDN and security provider maintains SOC 2 Type II, ISO 27001, and PCI DSS certifications.
  • Our primary hosting infrastructure is located in the United States, with content delivery and security services operating globally.
  • Servers are located in secure data center facilities with physical access controls, redundant power, and environmental protections.
  • Data backups are performed daily and retained on a 30-day rotation cycle. Backups are purged automatically at the end of each rotation.

2. Incident Response

Ticket King maintains incident response procedures to detect, contain, and remediate security incidents. In the event of a personal data breach:

  • We will identify and contain the incident as quickly as possible.
  • We will notify affected server administrators (data controllers) without undue delay, and no later than 72 hours after becoming aware of a breach, in accordance with our Data Processing Agreement.
  • Where the breach involves data obtained through Discord's API, we will notify Discord immediately in accordance with Discord's Developer Terms of Service, in addition to notifying affected Controllers.
  • We will provide details about the nature of the breach, the data affected, the likely consequences, and the measures taken to address it.
  • We will cooperate with affected parties and, where applicable, supervisory authorities in investigating and resolving the incident.
  • We will document the incident and conduct a post-incident review to identify and implement improvements to prevent recurrence.

3. Illegal Content and CSAM Reporting

Ticket King takes the safety of its users seriously. If you encounter content within the Service that you believe to be illegal, harmful, or in violation of our Terms of Service, you may report it by contacting us at [email protected] with the subject line "Content Report."

In compliance with United States federal law (18 U.S.C. § 2258A), if we become aware of any apparent child sexual abuse material (CSAM) on our platform, we will immediately report it to the National Center for Missing & Exploited Children (NCMEC) via their CyberTipline and cooperate with law enforcement as required. Such content will be removed immediately upon discovery.

We review all content reports and take appropriate action, which may include removing the content, suspending access to the Service, and/or reporting to appropriate authorities.

4. How to Report a Security Vulnerability

We take the security of our software seriously. If you believe you have found a security vulnerability in Ticket King, Ticket King's Website, or related services, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.

Send an email to [email protected] with the following information:

  • Description of the vulnerability
  • The version(s) affected (if applicable)
  • Any potential impacts of the vulnerability
  • Steps to reproduce/verify the vulnerability

Important: After reporting a vulnerability, please do not make your findings public until we have had a chance to address the issue. We appreciate your understanding and cooperation in responsibly investigating and fixing reported vulnerabilities.

Scope of Authorized Testing

Security testing is authorized only against your own Discord server where you are the administrator, and against the public-facing website and APIs at ticketking.xyz. The following activities are expressly prohibited and do not constitute authorized security research:

  • Accessing, modifying, or exfiltrating data belonging to other users or servers
  • Denial-of-service (DoS/DDoS) attacks or any form of volumetric or resource exhaustion testing
  • Automated vulnerability scanning at volume against production systems
  • Attempting to access internal infrastructure, administrative interfaces, or non-public systems
  • Exploiting a vulnerability beyond the minimum necessary to demonstrate its existence
  • Social engineering, phishing, or any attack targeting individuals rather than systems
  • Any testing that degrades or disrupts the Service for other users

Unauthorized testing may result in immediate restriction of access to the Service and may be reported to relevant authorities. Ticket King reserves the right to determine, in its sole discretion, whether any testing activity falls within the scope of authorized research.

5. Limitation of Liability for Security Vulnerabilities

No system is completely secure. While Ticket King implements reasonable security measures as described in this policy and our Terms of Service, we do not warrant or guarantee that our systems are immune to all security vulnerabilities, attacks, or breaches. The security measures described in this policy represent commercially reasonable efforts and are not a guarantee of absolute security.

To the fullest extent permitted by applicable law, Ticket King shall not be liable for any direct, indirect, incidental, special, consequential, or punitive damages arising out of or related to any security vulnerability, breach, or exploitation thereof, including but not limited to loss of data, loss of revenue, business interruption, unauthorized access to personal data, or any failure of the security measures described herein. You acknowledge that you use the Service at your own risk and that Ticket King's security obligations are limited to implementing the commercially reasonable measures described in this policy.

Ticket King's aggregate liability for any claims related to security vulnerabilities or breaches shall be subject to the limitation of liability set forth in Section 18 of our Terms of Service. This limitation applies regardless of the theory of liability, including contract, tort (including negligence), strict liability, or any other legal theory.

The limitations in this section shall not apply to: (a) liability arising from fraud or fraudulent misrepresentation; (b) liability for death or personal injury caused by negligence; or (c) any liability that cannot be excluded or limited under applicable mandatory law.

6. What to Expect After Reporting

After submitting a vulnerability report, here's what you can expect:

  • Acknowledgment: We will acknowledge receipt of your report within 24 hours.
  • Communication: We will maintain open communication with you to discuss the vulnerability.
  • Resolution & Disclosure: We aim to resolve any verified vulnerabilities within 60 days and will coordinate with you regarding the timing and manner of any public disclosure.

7. Recognition

We appreciate the efforts of security researchers who help keep our platform secure. Depending on the severity and impact of a responsibly disclosed vulnerability, we may offer recognition or rewards on a case-by-case basis, which could include premium features, financial compensation, or other forms of acknowledgment. If you believe your contribution warrants recognition, please let us know and we will be happy to discuss it.

Thank You

We appreciate your efforts to responsibly disclose your findings and help us keep our software secure. Thank you for your support! If you have any questions, please contact us at [email protected].