Cybersecurity and Privacy Compliance Statement
This statement explains how EventLinx protects the Documentation Site only. It is intentionally separated from the production ticketing platform, payment systems, and customer-facing services, which operate under different and stricter security controls.
The documentation site is designed for publishing technical information, internal references, and administrative guidance. Because of this, it carries a much lower level of risk than production systems, but it still follows structured security and privacy practices.
1. Purpose and scope
The purpose of this document is to describe how security and privacy are managed in a way that is appropriate for a documentation environment. The controls are designed to be practical, proportionate, and aligned with Canadian privacy expectations.
EventLinx applies safeguards to ensure the documentation system remains secure, stable, and compliant with PIPEDA, while still keeping the system simple and focused on informational use.
This statement only applies to the documentation environment and does not extend to ticket sales, payments, or customer account systems.
2. Applicable standards & legal alignment
The documentation site follows Canadian privacy law requirements under PIPEDA, which governs how personal information is collected, used, and protected. In addition, the system is designed with general cybersecurity best practices in mind.
Where helpful, the design is loosely aligned with established frameworks such as ISO/IEC 27001 principles and the NIST Cybersecurity Framework, but these are used only as reference models rather than formal certifications.
GDPR principles may also be considered in a supporting role when they improve privacy clarity, but they are not the primary legal basis.
3. System overview
The documentation site exists to support internal teams and provide structured technical documentation. It is not designed for commercial activity or customer transactions.
It does not handle payments, does not process orders, and does not support user accounts. Because of this, the system avoids storing sensitive financial or transactional data entirely.
4. Data classification & handling
Data in the documentation environment is kept minimal and is handled based on its purpose rather than volume or complexity.

| Type | Description |
|---|---|
| Public content | Documentation pages, guides, and technical references |
| Operational logs | System logs such as IP addresses, timestamps, and access events |
| Voluntary contact data | Basic information such as names or emails if submitted through forms |

Data is only collected for operational reasons such as security monitoring, troubleshooting, and system reliability. It is not used for advertising, profiling, or any form of resale.
5. Security controls
Security measures are implemented in a way that matches the lower-risk nature of a documentation system while still maintaining strong protections.
Technical safeguards include encrypted communication using HTTPS (TLS), regular software updates, and monitoring for unusual or suspicious activity. Backups are also maintained so that content can be restored if something goes wrong.
Administrative controls ensure that only authorized users can make changes, and that those changes follow a controlled process. Access is restricted based on roles, and permissions are kept as limited as possible.
Operational monitoring helps detect issues early by reviewing logs, system alerts, and hosting provider notifications.
6. Access control & authentication
Access to administrative tools is tightly controlled. Only approved individuals can manage or modify the documentation system, and access is reviewed when roles change.
Authentication typically uses strong passwords, and multi-factor authentication is applied where available. Administrative accounts are kept to a minimum to reduce unnecessary exposure.
The public does not have accounts or login access on this system.
7. Hosting & responsibility model
The documentation site is hosted by Diving Dove Studios with infrastructure located in Canada. Responsibility for security is shared between the hosting provider and EventLinx.
The hosting provider is responsible for the physical infrastructure, system availability, and baseline platform security. EventLinx is responsible for how the application is configured, how access is controlled, and how content is managed.
8. Incident response & monitoring
If a security incident occurs, it is handled through a structured process that focuses on identifying the issue, limiting its impact, and restoring normal operation as quickly as possible. Once the situation is stable, a review is performed so that improvements can be made.
When personal information is involved, EventLinx may be required to follow PIPEDA notification obligations, depending on the severity and type of incident.
Monitoring is ongoing and includes reviewing system logs, watching for unusual behavior, and using alerts provided by the hosting environment to detect issues early.
9. Risk assessment summary
The main risks in a documentation environment usually come from unauthorized access attempts, configuration mistakes, or vulnerabilities in third-party components used by the system.
These risks are managed through a combination of access restrictions, regular updates, secure configuration practices, and continuous monitoring. Because the system does not process payments or sensitive customer transactions, the overall risk level remains low.
10. Compliance declaration
EventLinx confirms that the documentation site operates with reasonable technical and administrative safeguards appropriate to its purpose. It follows PIPEDA-aligned privacy principles, applies general cybersecurity best practices, and avoids handling payment card data entirely.
The system is intentionally scoped outside of PCI DSS requirements and remains separated from production and financial environments to reduce risk exposure.