EVEN Trust Center

Security at EVEN

How we protect fans, artists, and the data they trust us with.

Last updated: 2026/07/15

SOC 2 Type II

SOC 2 Type II

GDPR

GDPR

CCPA

CCPA

Stripe PCI DSS L1

Stripe PCI DSS L1

About EVEN

EVEN is a music platform where artists sell releases, subscriptions, livestreams, and merch directly to fans. We handle payments (via Stripe), streaming media (via Mux and S3-backed CDN), messaging, and fan analytics. Security is foundational to that trust: fans share payment information, artists share unreleased music, and both expect the platform to protect them.

This page describes how we protect customer data and systems. It is maintained by EVEN’s Engineering team and reviewed quarterly.

Compliance & certifications

EVEN’s compliance posture as of 2026:

SOC 2 Type II

In progress (observation window opens 2026). Managed via Vanta; auditor engaged; policies, controls, and tests being validated.

GDPR

In effect. EU/EEA data subject rights honored; DPA available on request; sub-processor register maintained.

CCPA / CPRA + PCI DSS

CCPA / CPRA in effect. California resident data rights honored via privacy@even.biz. PCI DSS is Not applicable — SAQ A. Cardholder data never touches EVEN infrastructure; all card data flows through Stripe’s hosted checkout.

Trust materials (SOC 2 report, DPA, sub-processor list) are available under NDA — contact security@even.biz.

Infrastructure & hosting

EVEN runs on a fully cloud-native stack. There is no corporate office network, no VPN, and no on-premise hardware to attack. Every production system is provider-managed by a SOC 2-certified vendor.

Where things run

System

Provider

Region / Notes

Public frontends (fan / artist / studio apps)

Vercel (Edge Network)

Global edge, US-hosted compute

API and admin apps (Rails)

Render

Oregon (us-west)

Background workers

Render (Sidekiq)

Oregon (us-west)

Production database

PlanetScale (MySQL / Vitess)

AWS us-west-2, 3 AZs, primary + 2 replicas

Media storage & CDN

AWS S3 + CloudFront

us-east-1 primary, us-west-1 replication

Cache / job queue

Render Redis (internal-only)

Oregon (us-west)

Payments

Stripe (including Connect for payouts)

External SaaS

Streaming media

Mux (signed URLs)

External SaaS

Redundancy & availability

• Database: PlanetScale primary + 2 replicas across 3 AWS availability zones; daily automated backups.

• Media: S3 cross-region replication from us-east-1 to us-west-1.

• Application: Render and Vercel provide managed high-availability with automatic failover.

• Business continuity and disaster recovery plans are exercised annually via tabletop exercise (most recent: 2026).

Data encryption

In transit

• All external traffic is TLS 1.2+ (TLS 1.3 preferred) — provider-managed certificates at Vercel edge, CloudFront, and Render load balancers.

• Database connections use TLS with certificate verification (verify_identity mode).

• Webhook traffic (Stripe, Mux, Transloadit, Shopify) is verified via provider-issued signatures before processing.

At rest

• PlanetScale: encrypted at rest with provider-managed keys (AES-256).

• AWS S3: server-side encryption enabled on all media, log, and DDEX partner buckets.

• Render Postgres and Redis: encrypted at rest by the platform.

• Application secrets are stored as encrypted environment variables in Render and GitHub Actions (never checked into source).

Access control & identity

Access to production systems is granted on a least-privilege, business-need basis and reviewed quarterly.

Employee & contractor access

• Workforce identity is managed via JumpCloud (SSO + MDM).

• Full-disk encryption (FileVault / BitLocker) is required on every in-scope employee device.

• A company-managed password manager is required for all in-scope employees.

• Multi-factor authentication is enforced on GitHub, Render, PlanetScale, AWS, Vanta, Google Workspace, and Stripe.

Production access is gated at four independent layers

GitHub

GitHub Actions

Render

PlanetScale

Four independent layers protect production. A single individual cannot unilaterally deploy.

• GitHub — branch protection on main: mandatory pull-request review, mandatory CI green, no direct pushes, no force pushes.

• GitHub Actions — deploy workflow triggered only by merges to main; secrets scoped to protected workflows.

• Render — admin/deploy access limited to the engineering lead and one designated backup.

• PlanetScale — schema changes require an explicit deploy request review before applying to production.

Fan & artist access

• Passwordless authentication via Magic Link (short-lived tokens over TLS) — no password storage on EVEN’s side.

• Session tokens are scoped, expiring, and rotated.

• Authorization is enforced server-side via Pundit policies; every API endpoint is scoped to the acting user’s role and resource ownership.

Access reviews

• Quarterly access review across GitHub, Render, PlanetScale, and AWS by the engineering lead.

• Same-day revocation on employee/contractor offboarding across all four systems, independent of the quarterly cadence.

Secure development lifecycle (SDLC)

Every change to production code and infrastructure is authorized, documented, tested, reviewed, and approved before it ships.

01

Propose — Code changes are proposed via GitHub pull requests; a single individual cannot unilaterally deploy.

02

Review — Every PR requires at least one approving review from another engineer before merge.

03

Test — Every PR must pass automated CI: RSpec (both API and admin apps), RuboCop static analysis, and dedicated security checks.

04

Approve — Every schema change requires a separate PlanetScale deploy-request approval on top of the code PR review.

05

Deploy — Merges to main automatically trigger production deploys via a signed GitHub Actions workflow.

06

Monitor — Security-relevant dependency bumps are triaged and merged with the same review + CI gates as feature work.

Database schema changes

• Schema migrations are additive-only and backward-compatible with running code (verified against PlanetScale’s declarative deploy-request model).

• Every schema change requires a separate PlanetScale deploy-request approval on top of the code PR review.

• Rollback procedures are documented per service; databases are point-in-time recoverable via provider backups.

Emergency changes

• Emergency-fix carve-out exists for P0 incidents (documented in the Secure Development Policy). Emergency PRs are still tested, are logged, and receive a mandatory follow-up review within one business day.

Dependencies & supply chain

• Ruby and JavaScript dependencies are pinned via lockfiles and monitored for advisories via Dependabot / GitHub Advisory Database.

• Security-relevant dependency bumps are triaged and merged with the same review + CI gates as feature work.

• Container base images are pulled from official language registries; builds are reproducible.

Network & application security

Perimeter & DDoS mitigation

• Vercel Firewall is active on production frontends with Bot Protection, AI-bot blocking, and managed DDoS mitigation.

• CloudFront provides edge-level DDoS defense on media distributions.

• Only three surfaces accept inbound traffic — Vercel edge (frontends), Render ingress (API/admin), and CloudFront (media). Databases, cache, and workers have no public ingress.

Application security

• Cross-Site Scripting (XSS) protections via Rails’ default output escaping and Content Security Policy headers.

• Cross-Site Request Forgery (CSRF) protection on state-changing endpoints.

• SQL injection prevented via parameterized queries throughout (ActiveRecord).

• Sensitive fields (payment tokens, session tokens) are masked in logs and Sentry error reports.

• Rate limiting and abuse detection on authentication and payment endpoints.

Third-party penetration testing

EVEN engages independent third-party penetration testers annually. Findings are triaged in Vanta, remediated on defined timelines, and re-tested.

Most recent engagement: <insert year / vendor>. Executive summary available under NDA — contact security@even.biz.

Data handling & privacy

Data categories

Category

Handling

Payment data (card numbers, bank details)

Never stored by EVEN. Handled entirely by Stripe (PCI DSS Level 1).

Fan account data (email, display name, purchase history)

Encrypted at rest; access-controlled; deleted on request per GDPR/CCPA.

Artist content (unreleased music, videos, artwork)

S3 with signed URLs; Mux streaming with signed playback; not indexed by search engines pre-release.

Communication content (fan-chat messages, comments)

Encrypted in transit via Stream Chat; moderation controls available to artists.

Analytics events (PostHog events, aggregate metrics)

Pseudonymized where possible; retention aligned to product need.

Data subject rights

• Fans and artists can request data access, correction, portability, or deletion via privacy@even.biz.

• Requests are honored within the timeframes required by applicable regulation (30 days GDPR, 45 days CCPA).

• Data deletion cascades through the application database and, where feasible, downstream processors.

Sub-processors

EVEN uses trusted sub-processors for hosting, payments, communications, and analytics. A current sub-processor register is available on request and is updated whenever a new processor is added.

Incident response

EVEN operates a documented incident response process aligned with the NIST framework (identify → protect → detect → respond → recover).

Detection & alerting

• Sentry: real-time error tracking for API, admin, and worker processes with paging on new error groups.

• Datadog / Grafana: latency, throughput, and infrastructure health with alerting on SLO breaches.

• PostHog: product-level anomaly signals (unexpected drops in auth, purchase, or release funnels).

• CloudWatch and AWS CloudTrail: audit logs for infrastructure access and configuration changes.

Response

• On-call engineer rotation with defined escalation paths; documented per-service runbooks.

• Dedicated #incidents Slack channel; incidents are declared, tracked, and postmortemed.

• Customer notification within 72 hours of confirming a personal-data breach (per GDPR Article 33).

Recovery

• Business continuity and disaster recovery plans are exercised at least annually via tabletop exercise.

• Backups: PlanetScale automated daily backups; S3 cross-region replication.

• Rollback: each service can be independently rolled back to the previous deploy; forward-fix preferred for schema-related regressions.

Vendor risk management

Every sub-processor and critical vendor undergoes a security review before onboarding. Vendors with access to customer data, payment data, or production infrastructure are classified Critical or High and receive a SOC 2 Type II report review and, where warranted, a security questionnaire.

Highlighted vendors (all SOC 2 Type II certified or equivalent):

• Hosting & data: Render, PlanetScale, AWS, Vercel

• Payments: Stripe (PCI DSS Level 1)

• Communications: Twilio, Resend, Stream Chat

• Media: Mux, Transloadit

• Auth: Magic (passwordless)

• Observability: Sentry, Datadog, PostHog

• Identity & devices: JumpCloud (SSO + MDM)

Reporting security issues

EVEN welcomes reports from the security community. If you believe you have found a security vulnerability in an EVEN service:

• Email security@even.biz with a description, reproduction steps, and any relevant details.

• Please do not exploit the issue beyond what is necessary to demonstrate it; do not disclose it publicly until we have had a reasonable opportunity to remediate.

• We will acknowledge receipt within 3 business days and provide a resolution timeline once we have triaged.

We do not currently operate a paid bug-bounty program, but we will publicly acknowledge coordinated disclosures upon request.

Contact

General security:

Privacy & data subject requests:

Compliance / audit inquiries:

Trust materials (SOC 2, DPA):

Join 500K+ artists getting EVEN

On EVEN your music will earn more and help you connect deeper with your fans.

Start Earning Today

Join 500K+ artists getting EVEN

On EVEN your music will earn more and help you connect deeper with your fans.

Start Earning Today

Join 500K+ artists getting EVEN