Security, Compliance, and Enterprise Scale for Global Event Programs

Certain provides security controls, verified compliance, and privacy-first practices built into every layer of the platform. These measures enable organizations to meet enterprise requirements while delivering exceptional event experiences worldwide.

Proven, Long-Standing Compliance

This section documents the compliance and data-protection standards maintained by Certain for enterprise programs.

PCI DSS Level 1 compliance has been maintained for more than six consecutive years.
This demonstrates long-term discipline in secure payment processing and operational security.
SOC 2 Security Controls are aligned across core cloud environments, covering security, availability, and confidentiality.
These controls are embedded into day-to-day operations for smooth security reviews and continuous certification.
Enterprise-Grade Security Governance is designed to meet enterprise procurement and audit expectations.
Enterprise governance includes documented controls, repeatable processes, and clear accountability across infrastructure, product, and operations.
Privacy and Data Control by Design helps organizations meet privacy obligations while keeping control in their hands across the full data lifecycle.
You Own & Control Your Data states that event data belongs to the organization, and the organization decides what is collected, how it is used, and how long it is retained.
Data Retention & Deletion Controls provide configurable retention and deletion practices aligned with enterprise needs.
Consent & Preferences support enables consent management and user preferences to meet global privacy expectations.
Subprocessor Handling & DPAs maintain vendor governance practices and provide DPAs to support compliance and customer procurement.
Military-Grade Data Destruction Standard follows a strict approach to data destruction aligned with DoD 5220.22-M guidance.
The standard is valued by government, financial services, and regulated industries as a high-assurance measure.
Defense-in-Depth Across Infrastructure, Product, and Operations applies layered security controls across the entire platform.
The defense-in-depth approach protects data and operations at scale.
Encryption & Key Management include encryption in transit (TLS) and at rest using industry-standard methods.
Encryption also includes secure key handling aligned with enterprise best practices.
Identity & Authentication supports modern enterprise identity and authentication controls.
Identity controls enable centralized access management and consistent policies across teams.
SSO via SAML2, OAuth2, and OpenID-Connect is supported.
MFA support strengthens authentication.
Integration with enterprise identity providers is available.
Secure session management protects active sessions.
Authorization and Access Governance provide robust controls over access, visibility, and accountability.
Role-based permissions and multi-level sub-account structures ensure users see only what they need.
Predefined and custom roles support governance, auditability, and separation of duties across the organization.
Product Security follows a secure development lifecycle (SDLC) with code reviews and controlled change management.
Environment segregation and access controls are implemented.
Security and quality verification occur before releases.
Infrastructure & Network Security provides a secure cloud environment aligned with enterprise control frameworks.
Network segmentation and protection are employed.
Hardened infrastructure receives regular updates.
Monitoring & Incident Response includes continuous monitoring and alerting.
Operational security readiness and reviews are performed.
Vulnerability Management uses ongoing vulnerability scanning and remediation.
Third-party risk is addressed through responsible handling and governance practices.
The page notes that Certain is trusted by many Fortune 500 companies.

Compliance Resources and Contact

Security and compliance documentation are available upon request by emailing help@certain.com.

Encryption, Identity, and Access

Encryption & Key Management include encryption in transit (TLS) and at rest using industry-standard methods.
Secure key handling aligns with enterprise best practices.
Identity & Authentication support modern enterprise identity controls and centralized access management.
Single Sign-On (SSO) is available via SAML2, OAuth2, and OpenID-Connect.
Multi-Factor Authentication (MFA) is supported.
Enterprise identity provider integration is available.
Secure session management is implemented.
Authorization and Access Governance provide robust controls over access and visibility.
Role-based permissions and multi-level sub-account structures enforce least-privilege access.

Governance and Security Architecture

Defense-in-Depth Across Infrastructure, Product, and Operations uses layered security controls across the platform.
This architecture protects programs at scale through multiple control layers.
Enterprise-grade governance includes documented controls and repeatable processes.
Clear accountability exists across infrastructure, product, and operations.

Data Ownership and Privacy Controls

You Own & Control Your Data states that event data belongs to the organization.
Organizations decide what data is collected, how it is used, and how long it is retained.
Data Retention & Deletion Controls offer configurable retention and deletion practices.
Consent & Preferences support enables privacy management and user preference handling.

Security Operations

Monitoring & Incident Response provide continuous monitoring and alerting.
Incident response planning and escalation are in place.
Vulnerability Management includes ongoing vulnerability scanning and remediation.
Responsible handling of third-party risks is maintained.

PCI, SOC 2, and Proof of Compliance

PCI DSS Level 1 compliance has been maintained for more than six consecutive years.
SOC 2 Security Controls are embedded into daily operations for ongoing certification.
SOC 2 alignment covers security, availability, and confidentiality.

FAQs

Do you support SSO?

Certain supports SSO including SAML2, OAuth2, and OpenID-Connect. This enables centralized identity management and enterprise authentication policies.

Is Certain PCI compliant?

Certain maintains PCI DSS Level 1 compliance with six or more consecutive years of certification.

Does Certain support GDPR and CCPA compliance?

The platform supports GDPR and CCPA compliance with privacy controls including consent handling, data retention, and deletion processes.

How does Certain protect customer data?

Certain uses layered security controls including encryption in transit and at rest, strong access controls, monitoring, and disciplined operational processes.

How do I obtain your SOC 2 report, PCI documents, or DPA?

Security and compliance documentation is available upon request by emailing help@certain.com.