RSVPify's Privacy & Security Practices

Your guest list is yours. Full stop.

RSVPify is the privacy-first leader in event management, built for high-profile, invite-only events and large-scale programs alike — wherever guest privacy matters. We don’t sell or rent your guest list.

Book a Demo Talk to our team

OUR DATA PRINCIPLES

✓Not sold to third parties
✓Not shared for marketing
✓Not used to train AI

Independently verified & compliant

SOC 2 Type II GDPR CCPA

Trusted by over a million event creators

Jump toHow we compare ↓Security overview ↓Security controls ↓Technical FAQ ↓

Your attendees trust you with their data. We won't monetize it.

RSVPify is one of the few event platforms that doesn’t profit from your guest data.

RSVPify vs. typical event platforms

Privacy and security shouldn’t live in the fine print. Here’s how RSVPify handles your data and your guests’ data, and how it protects it, compared with how many event and ticketing platforms operate.

With RSVPify

✓You own your data; we act only as your processor
✓SOC 2 Type II, encrypted in transit and at rest
✓Role-based access controls and continuous monitoring
✓Not sold, shared, or used to train AI
✓Export your data anytime, with no lock-in

Typical event platforms

✗Broad rights claimed over your attendee data
✗Security and compliance details often undisclosed
✗Guest data shared with marketing partners
✗Attendees mined for ad revenue, marketed to nonstop
✗Data lock-in and limited export

Built for events where discretion isn't optional.

Galas. Product launches. Activations. Milestones. Invite-only gatherings. When your guest list includes VIPs, executives, donors, or names that must stay confidential, RSVPify is built for teams that can’t compromise on privacy.

50%

of the Fortune 500

trust RSVPify

30M+

hosts & attendees

served worldwide

180

countries

where we power events

13+

years

protecting guest lists

Accessibility is part of how we build. We maintain a current Accessibility Conformance Report (VPAT) and design our guest-facing experiences with WCAG accessibility guidelines in mind.

Security layered into every step of your event operations.

Strong, layered protection runs through everything we build, helping keep your events and your guests’ data secure.

Encryption in transit and at rest

Data is encrypted in transit and at rest using industry-standard AES-256 and TLS.

SOC 2 Type II

Independently audited and continuously monitored for compliance, year-round.

Hardened infrastructure

Hosted on secure, US-based cloud infrastructure with isolation and automated backups.

Granular access control

Role-based permissions, SSO/SAML, and least-privilege access keep data locked down.

Tested by experts

Regular third-party penetration testing and continuous vulnerability management.

Resilient & recoverable

Disaster recovery and redundant backups keep your events available when it counts.

Our security controls, by domain.

Dozens of security controls run around the clock, continuously monitored and backed by independent audits. Here’s a sample of what’s in place.

App Security

Annual Penetration TestCode Review ProcessQuarterly Vulnerability ScanVulnerability ManagementWeb Application FirewallSecure SDLC

Data Security

Encryption at RestSSL/TLS EnforcedKey Management (AWS KMS)Daily Database BackupsData Retention & DestructionAccess ControlSecurity Policies

Infrastructure Security

Restricted Cloud StorageMultiple Availability ZonesAutomatic Security PatchingPassword Policy

Network Security

FirewallsMalware DetectionLogging & MonitoringNo Public SSHUnique Accounts

Organization Security

SOC 2 Type IIBCDR PlanDisaster Recovery PlanIncident Response PlanIncident Response TeamEmployee Background ChecksVendor ReviewsPeriodic Security Training

Product Security

Multi-Factor AuthenticationSSO / SAMLHard-Disk EncryptionSession Lock

The technical details, on the record.

The questions that come up most in security and procurement reviews, with the specifics your team needs.

Who owns the data?

You do. RSVPify acts only as your data processor; your guest data isn't ours to use.

Can we get our data out?

Anytime. Export your events, guests, and responses whenever you like, with no lock-in.

Do you sell or share our guests' personal data?

No. RSVPify doesn't sell your data or your guests' personal data, and we don't share it for advertising or marketing. We act only as your data processor, and privacy is built into the product from the start (privacy by design).

How is our data encrypted?

Data is encrypted with AES-256 at rest and TLS 1.2+ in transit. Encryption keys are managed in AWS KMS.

Where is our data hosted?

On Amazon Web Services in the United States (US-East regions), with encrypted backups held in-region and offsite. We follow applicable data-residency laws.

Are you SOC 2 certified?

Yes. SOC 2 Type II, audited annually with continuous compliance monitoring. The current report is available under a mutual NDA.

Can we complete a security review or vendor assessment?

Yes. We regularly complete security and procurement questionnaires, and our SOC 2 Type II report is available under a mutual NDA. We also run an internal penetration-testing program, with leadership involved in the reviews, and can provide audit logs where required (coordinated through [email protected]).

Who are your sub-processors?

A short list of vetted providers, each reviewed for SOC 2 / ISO 27001 (or equivalent) before engagement and re-reviewed annually. The current list is published at rsvpify.com/subprocessors.

Where can I find your privacy policy?

Our full privacy policy is published at rsvpify.com/privacy/. It covers what data we collect, how we use and protect it, and the rights you and your guests have. For data processing terms, see our Data Processing Agreement (DPA) at rsvpify.com/tos/dpa/, and the current sub-processor list at rsvpify.com/subprocessors.

How is access to data controlled?

Role-based, least-privilege access with SSO/SAML support. A limited set of authorized staff have role-restricted access for support and engineering, with same-day deprovisioning when someone leaves.

Do you support SSO and SAML?

Yes. RSVPify supports SAML 2.0 single sign-on, natively integrated with Microsoft Azure AD, Okta, Google Workspace SAML, and Shibboleth, and SSO-only access can be enforced account-wide. For users not on SSO, TOTP-based multi-factor authentication is available on any plan.

Have you had a security or data breach?

No reportable personal data breach in the past three years. If an incident ever occurs, our incident response plan includes a privacy reviewer and a post-incident review, and we're contractually committed to applicable federal, state, and foreign breach-notification laws. We also maintain cybersecurity insurance.

How is data retained and destroyed?

Retention follows your event lifecycle and contract terms. Destruction follows NIST SP 800-88 guidance, including cryptographic erasure of sensitive volumes.

How are payments handled?

All payments are processed by Stripe, a PCI DSS Level 1 provider. RSVPify does not store cardholder data.

Do you use our data to train AI?

No. We don't use customer or guest personal data to train AI. RSVPify Cue AI, our built-in assistant, runs on Cloudflare's AI infrastructure with securely hosted models, so your data stays within a protected environment and isn't used to train the underlying models. Beyond that, the only time your data reaches an AI is when you choose to connect it yourself (for example, via our MCP interface) for your own use.

How do you support GDPR and CCPA?

A Data Processing Agreement with Standard Contractual Clauses is available, and we are Data Privacy Framework certified. We honor CCPA/CPRA and support data subject access requests.

Need our audit reports, policies, and full security documentation?

Request Trust Center access