Security & Data Protection

When you manage event data—attendance lists, contact information, payment details—security isn't an option, it's a requirement. Quick Event was designed from the ground up with data protection and enterprise security in mind: full GDPR compliance, exclusively EU data processing, and end-to-end encryption at all levels.

GDPR compliance

Quick Event has been GDPR-compliant from day one — not retrofitted, but developed according to the principle of Privacy by Design. Data protection is integrated into the architecture, not added as a feature.

Specifically, this means: We provide a complete data processing agreement (DPA) that meets all requirements of Article 28 GDPR. The DPA clearly defines which data is processed, for what purpose, and with which technical and organizational measures it is protected.

All data subject rights are fully implemented: right of access, right to rectification, right to erasure, right to data portability, and right to object. Participants can view, correct, or delete their data at any time—directly via the platform or by requesting it from the organizer.

Furthermore, Quick Event offers configurable retention periods with automatic deletion. After the defined period expires, personal data is automatically and completely removed from all systems—without manual intervention.

EU data processing

All data is processed and stored exclusively within the European Union. No data is transferred to third countries – neither for the database, nor for edge computing or backups.

The primary location is Frankfurt am Main, Germany. This is where the NEON database, which stores all event, participant, and organizational data, runs. Secondary locations in Amsterdam and Paris serve as backups and for edge caching via the Cloudflare network. Other European locations, such as Munich and Madrid, are used for content delivery.

The entire infrastructure is subject to German and EU data protection law. German jurisdiction applies to all data processing operations. For event organizers, this means maximum legal certainty without complicated third-country transfer assessments.

Encryption

Quick Event uses multi-layered encryption that protects both data during transmission and stored data.

Encryption during transmission

All connections use TLS 1.3, the latest encryption standard. This applies to communication between browser and server, between internal services, and to all API calls. Older, insecure TLS versions are not supported.

Encryption at rest

All data stored in the database is encrypted with AES-256 — the same standard used by banks and government agencies. This includes participant data, booking information, email content, and files uploaded to Cloudflare R2.

Automatic SSL certificates

If you use your own domain for your event pages, Quick Event automatically provides an SSL certificate—no manual intervention, no additional costs. The certificates are renewed automatically, ensuring your attendees always have an encrypted connection.

Access control

Quick Event's permission system follows the principle of least privilege: Each user receives only the rights they need for their task. No more, no less.

Role-based authorization system

Quick Event offers three permission levels. The User role restricts access to one's own events—ideal for project team members who only manage their own events. The Admin role grants full access to all events and settings of the organization, including team management and billing. Additionally, custom roles with individual permission sets can be created to provide the precise level of access needed.

Authentication and session management

Two-factor authentication (2FA) is available for administrator accounts to prevent unauthorized access even with compromised passwords. Sessions are automatically terminated after a configurable period of inactivity. Alternatively, users can log in via OAuth with their existing Google, Microsoft, or GitHub account—without having to manage an additional password.

All permission changes are recorded in audit logs, so that it remains traceable who gained or lost which access rights and when.

Partner certifications

Quick Event relies on proven infrastructure partners who meet even the highest security standards. Every component of the platform is operated by a provider that is independently audited and certified.

Cloudflare

As a platform for edge computing, DDoS protection, and content delivery, Cloudflare is certified to SOC 2 Type II, ISO 27001, and PCI DSS Level 1. Its Web Application Firewall (WAF) protects against the OWASP Top 10 threats, and its global network offers 99.99% availability.

NEON Database

The PostgreSQL database runs at NEON, certified according to ISO 27001 and SOC 2. The EU location in Frankfurt guarantees that database queries and storage take place entirely under EU law.

Stripe

For payment processing, Quick Event uses Stripe — certified to PCI DSS Level 1, the highest security standard in the payment card industry. Credit card data is never stored on Quick Event servers, but is processed exclusively by Stripe.

SendGrid

Emails are sent via SendGrid, which is SOC 2 certified and fully GDPR compliant. All email servers are located in the EU, and transport encryption via TLS is standard for every outgoing message.

Incident Response

Should a security incident occur despite all protective measures, a defined incident response plan with clear responsibilities and deadlines will be activated.

Cloudflare AI's automated threat detection identifies anomalies in real time. Upon a confirmed incident, the affected system is immediately isolated to prevent further spread. Simultaneously, real-time alerts are sent to the security team.

Communication follows fixed timeframes: Affected customers are informed within 24 hours. In the event of a data breach as defined by the GDPR, the authorities are notified within 72 hours, as legally required. Transparency is a top priority – affected parties receive complete information about the incident, the measures taken, and the steps to prevent future incidents.

Data deletion and retention periods

Quick Event gives event organizers full control over how long personal data is stored. Retention periods are configurable per event and are automatically enforced.

By default, event data is retained for two years after the event—this period can be shortened or extended as needed. Participant data can be deleted either after the event or after a user-defined period. Audit logs are retained for seven years to comply with legal requirements.

Deletion occurs automatically after the retention period expires—without manual intervention. Manual deletion is also possible at any time upon request, for example, if a participant invokes their right to be forgotten. In this case, the data is completely and irrevocably removed from all systems and backups.
