Jamrats

Trust

How we keep Jamrats safe.

Jamrats is a ticketing platform, but day-to-day we’re also a custodian of buyer emails, organizer payouts, and door-scan logs. Here is how we keep all three safe — and what we ask of you in return.

Card data we never touch

Card details go straight to the payment processor — they never reach Jamrats servers. That means the heavy compliance work for card data sits with the processor (the people who do that for a living), not us.

Vetted vendors

The third parties we rely on (payments, authentication, email delivery, hosting) are independently audited to enterprise security standards. We pick vendors on this criterion specifically.

Encryption everywhere

Every public page uses modern HTTPS. Data at rest is encrypted by the database provider. Backups carry the same encryption.

Authentication

Sign-in is handled by a specialist provider — multi-factor authentication, session rotation, no passwords stored on our side. Buyer ticket-recovery links rotate every time a new one is requested, so old links stop working.

Production access

Production access is limited to on-call engineers, gated behind hardware-key sign-on. Access logs are kept for a year. Queries against live data are reviewed.

Found something?

Responsible disclosure

If you’ve found a vulnerability, please report it privately. We don’t have a paid bounty program yet, but we acknowledge every report within two business days and credit researchers (with permission) on this page.

hello@jamrats.com

Please don’t test against live organizer events. Use your own test account or contact us first for a staging invite.

Data residency

Primary data lives in Canada (Toronto region). UK + EU buyer data routes through Stripe’s EU infrastructure to honor UK GDPR + EU data-residency norms. Backups are geo-replicated within the originating region. We never move customer data across regions.

Incidents

If we detect a security incident affecting your account or your buyers, we’ll notify you by email within 72 hours and post an incident report at /status.