
CurtainCall Security: PCI Compliance & Data Protection

How CurtainCall protects your customers' payment data, personal information, and ticket transactions — PCI DSS compliance, encryption, data isolation, backups, and GDPR considerations.


Ryan Pullman

Founder & Lead Developer at Metorox Software LLC — 10+ years of full-stack development experience building custom software, WordPress plugins, SaaS platforms, and digital marketing solutions for small businesses. Learn more about Ryan →

Published: July 5, 2026. Updated: July 5, 2026. 12 min read

When your audience buys tickets online, they trust you with their credit card numbers, email addresses, and personal information. That trust is non-negotiable. A single data breach can destroy your organization's reputation and expose you to legal liability.

CurtainCall Ticketing was built with security as a foundational requirement — not an afterthought. This article covers every security feature in detail, so you can confidently tell your board, your parents, and your audience that their data is protected.

Security Features

🛡️

PCI DSS Compliance

CurtainCall delegates all card handling to Stripe or Square, both validated PCI DSS Level 1 service providers, so CurtainCall itself never stores, processes, or transmits raw card numbers. ("Level 1" is the PCI tier with the most rigorous annual assessment, not a measure of encryption strength; what keeps CurtainCall's own PCI scope small is that card data never enters its systems.) One caveat: the page that hosts the payment iframe is still in scope. PCI DSS v4.0 expects an inventory of the scripts loaded on a payment page and detection of unauthorized changes to it, so any script you add to your checkout page has to be controlled as well.

  • Card data handled only by PCI DSS Level 1 validated processors (Stripe, Square)
  • Zero credit card data stored on CurtainCall servers
  • Payment tokenization via Stripe/Square (card numbers never touch our systems)
  • Secure payment forms loaded directly from Stripe/Square (iframe isolation)
  • Regular third-party security audits
  • Compliance documentation available for auditors on request
🔐

Data Encryption

All data is encrypted in transit and at rest. Every connection between your browser, CurtainCall servers, and payment processors uses TLS 1.2 or newer. Two caveats worth knowing: HSTS only protects a browser after its first HTTPS visit, so the server still has to redirect plain HTTP to HTTPS, and pinning a third party's certificate breaks the moment that party rotates it, so pins belong at the CA level with a backup pin and expiry monitoring rather than on a leaf certificate.

  • TLS 1.2+ encryption for all data in transit (HTTPS everywhere)
  • AES-256 encryption for sensitive data at rest
  • Database-level encryption for customer PII
  • Encrypted backup storage
  • Certificate pinning for payment processor connections
  • HSTS headers enforced (no HTTP fallback)
🏗️

Customer Data Isolation

Each organization's data is isolated in its own Docker container with its own database schema; one organization cannot reach another's data even though they share the same platform. Containers share the host kernel, so this isolation is only as strong as the namespace, network, and database-credential boundaries around each one, and every query the application runs still has to be scoped to the tenant that owns the session. The automated isolation tests exist to prove those boundaries hold rather than assume them.

  • Docker-based tenant isolation (one container per organization)
  • Separate database schemas per tenant
  • Network-level isolation between containers
  • No shared data between organizations
  • Independent resource allocation per tenant
  • Isolation verified through automated security testing
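The "isolation verified through automated security testing" bullet is the one a security reviewer should ask to see, because the classic multi-tenant failure is not a container escape but an ordinary lookup that trusts a record id from the request. The following is an added example, not CurtainCall's code: a vulnerable lookup beside the hardened one, and a test harness that tries to read every order as every tenant that does not own it. The schema and the two organizations are constructed; SQLite stands in for the per-tenant database. With separate schemas per tenant the equivalent rule is that the connection's schema is chosen from the authenticated session, never from a request parameter.

```python
import sqlite3


def seed() -> sqlite3.Connection:
    """Constructed sample data: two organizations' orders in one table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, "
        "customer_email TEXT NOT NULL, total_cents INTEGER NOT NULL)"
    )
    db.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [
        (1, "drama-club", "alice@example.com", 2500),
        (2, "drama-club", "bob@example.com", 5000),
        (3, "community-theatre", "carol@example.com", 1800),
    ])
    return db


# VULNERABLE: the lookup trusts the order id alone. A signed-in user of one
# organization who guesses another organization's order id gets the row back
# (an insecure direct object reference). tenant_id is accepted but never used.
def get_order_insecure(db, tenant_id, order_id):
    return db.execute(
        "SELECT id, tenant_id, customer_email, total_cents FROM orders WHERE id = ?",
        (order_id,),
    ).fetchone()


# HARDENED: the tenant id comes from the authenticated session, never from the
# request, and is part of every WHERE clause. A guessed id belonging to another
# tenant is indistinguishable from an order that does not exist.
def get_order(db, tenant_id, order_id):
    return db.execute(
        "SELECT id, tenant_id, customer_email, total_cents FROM orders "
        "WHERE id = ? AND tenant_id = ?",
        (order_id, tenant_id),
    ).fetchone()


def isolation_check(lookup) -> list[str]:
    """Automated isolation test: fetch every order as every tenant that does not
    own it. Returns the list of leaks; an empty list means isolation holds."""
    db = seed()
    tenants = [t for (t,) in db.execute(
        "SELECT DISTINCT tenant_id FROM orders ORDER BY tenant_id").fetchall()]
    owners = db.execute("SELECT id, tenant_id FROM orders ORDER BY id").fetchall()
    leaks = []
    for order_id, owner in owners:
        for tenant in tenants:
            if tenant != owner and lookup(db, tenant, order_id) is not None:
                leaks.append(f"tenant {tenant} read order {order_id} owned by {owner}")
    return leaks


if __name__ == "__main__":
    print("insecure lookup:", isolation_check(get_order_insecure))
    print("hardened lookup:", isolation_check(get_order))
```

The harness is cheap enough to run in CI against every data-access function that takes a record id; the moment someone adds a lookup that forgets the tenant clause, the leak list stops being empty.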
💾

Automated Backups & Disaster Recovery

Daily automated backups with geographic redundancy. If something goes wrong, we can restore your data within hours, not days. Because backups are taken once a day, the worst case after a total loss is the transactions recorded since the last backup, up to 24 hours of sales; the restore procedure is tested rather than assumed.

  • Daily automated backups (database + files)
  • Geographic redundancy (backups stored in separate data centers)
  • Last 30 days of backups retained
  • 6-hour restore SLA for critical incidents
  • Backup integrity verification (automated checksums)
  • Disaster recovery plan documented and tested
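"Backup integrity verification (automated checksums)" and "last 30 days retained" are both small enough to show concretely. What follows is an added example, not CurtainCall's backup tooling: a manifest of SHA-256 hashes written at backup time, a verifier that re-hashes the set (to be run on the off-site copy and again immediately before a restore), and the 30-day retention rule applied to directory names of the form `backup-YYYY-MM-DD`. The backup contents and directory names are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import date, timedelta

MANIFEST = "MANIFEST.json"


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: str) -> dict:
    """Hash every file in a backup set at backup time; store the manifest beside it."""
    entries = {}
    for name in sorted(os.listdir(backup_dir)):
        path = os.path.join(backup_dir, name)
        if name != MANIFEST and os.path.isfile(path):
            entries[name] = {"sha256": sha256_file(path), "bytes": os.path.getsize(path)}
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump(entries, f, indent=2, sort_keys=True)
    return entries


def verify_manifest(backup_dir: str) -> list[str]:
    """Re-hash the files named in the manifest. Returns problems; empty means intact."""
    with open(os.path.join(backup_dir, MANIFEST)) as f:
        entries = json.load(f)
    problems = []
    for name, meta in sorted(entries.items()):
        path = os.path.join(backup_dir, name)
        if not os.path.isfile(path):
            problems.append(f"missing: {name}")
        elif os.path.getsize(path) != meta["bytes"] or sha256_file(path) != meta["sha256"]:
            problems.append(f"checksum mismatch: {name}")
    return problems


def backups_to_prune(names, today_iso: str, keep_days: int = 30) -> list[str]:
    """Apply the retention rule to directory names like 'backup-2026-07-05'."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=keep_days)
    return [n for n in names if date.fromisoformat(n.removeprefix("backup-")) < cutoff]


def demo() -> tuple:
    """Build a constructed backup set, verify it, corrupt one file, verify again."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "db.sql"), "w") as f:
            f.write("INSERT INTO orders VALUES (1, 'drama-club', 2500);\n")
        with open(os.path.join(d, "uploads.tar"), "wb") as f:
            f.write(b"\x00" * 4096)
        write_manifest(d)
        clean = verify_manifest(d)
        with open(os.path.join(d, "db.sql"), "a") as f:
            f.write("-- silent corruption or tampering\n")   # one byte changed is enough
        damaged = verify_manifest(d)
    return clean, damaged


if __name__ == "__main__":
    print(demo())
    print(backups_to_prune(["backup-2026-06-01", "backup-2026-07-05"], "2026-07-05"))
```

A checksum catches bit rot and transfer errors, not a deliberate attacker: whoever can rewrite a backup can rewrite the manifest next to it. Keep the manifest (or an HMAC of it under a key the backup host does not hold) in a separate location, and treat a verifier that never runs before a restore as if it did not exist.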
👤

Role-Based Access Control

Control who can see and do what. Admin, manager, and staff roles ensure that box office volunteers can't access financial reports, and only admins can change settings.

  • Granular role-based permissions (admin, manager, staff, box office)
  • Feature-level access control (reporting, settings, refunds, etc.)
  • Audit log for all admin actions
  • Session management with automatic timeout
  • Multi-factor authentication support (coming soon)
  • IP-based access restrictions for admin panel (enterprise)
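The sentence "box office volunteers can't access financial reports" is a testable statement, and the audit log and session timeout bullets belong to the same check. The following is an added example, not CurtainCall's authorization code: a deny-by-default permission matrix for the four roles the page names, an `authorize` function that enforces it together with an idle timeout, and one audit record per decision (including denials, which are the ones worth alerting on). The matrix, the 30-minute timeout, and the replayed scenario are this example's own assumptions.

```python
# Deny-by-default permission matrix: an action absent from a role's set is
# forbidden. Constructed for this example; the page names the roles but does
# not publish the product's actual matrix.
PERMISSIONS = {
    "admin":      {"sell_ticket", "scan_ticket", "issue_refund", "view_financials",
                   "export_customers", "change_settings"},
    "manager":    {"sell_ticket", "scan_ticket", "issue_refund", "view_financials",
                   "export_customers"},
    "staff":      {"sell_ticket", "scan_ticket"},
    "box_office": {"sell_ticket", "scan_ticket"},
}

IDLE_TIMEOUT = 30 * 60   # seconds of inactivity before a session is dead (assumed value)


class Forbidden(Exception):
    pass


class SessionExpired(Exception):
    pass


class Session:
    def __init__(self, user: str, role: str, last_seen: float):
        if role not in PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")   # unknown role gets no permissions at all
        self.user, self.role, self.last_seen = user, role, last_seen


def authorize(session: Session, action: str, now: float, audit_log: list) -> None:
    """Enforce the matrix and the idle timeout; append one audit record per decision."""
    record = {"ts": now, "user": session.user, "role": session.role, "action": action}
    if now - session.last_seen > IDLE_TIMEOUT:
        audit_log.append({**record, "outcome": "expired"})
        raise SessionExpired(session.user)
    session.last_seen = now                   # sliding window: activity extends the session
    if action not in PERMISSIONS[session.role]:
        audit_log.append({**record, "outcome": "deny"})
        raise Forbidden(f"{session.role} may not {action}")
    audit_log.append({**record, "outcome": "allow"})


def run_scenario() -> list:
    """Replay a constructed sequence of actions; return (user, action, outcome) per decision."""
    log: list = []
    t0 = 1_800_000_000.0                      # arbitrary epoch seconds
    volunteer = Session("dana", "box_office", t0)
    manager = Session("mei", "manager", t0)
    steps = [
        (volunteer, "sell_ticket", t0 + 60),
        (volunteer, "view_financials", t0 + 120),               # volunteer probing the reports page
        (manager, "issue_refund", t0 + 180),
        (manager, "change_settings", t0 + 240),                 # only admins may do this
        (volunteer, "scan_ticket", t0 + 120 + IDLE_TIMEOUT + 1),  # came back one second too late
    ]
    for sess, action, at in steps:
        try:
            authorize(sess, action, at, log)
        except (Forbidden, SessionExpired):
            pass                                                # the audit record is already written
    return [(r["user"], r["action"], r["outcome"]) for r in log]


if __name__ == "__main__":
    for entry in run_scenario():
        print(entry)
```

Two design points matter more than the matrix itself: the check is performed on the server against the role stored in the session (a hidden menu item is not access control), and the audit record is written before the exception is raised, so a denied attempt can never go unrecorded.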
🖥️

Infrastructure Security

CurtainCall runs on hardened infrastructure with firewalls, intrusion detection, and 24/7 monitoring. We follow security best practices at every layer.

  • Server-side firewall with strict ingress/egress rules
  • Nginx reverse proxy with security headers
  • DDoS protection via Cloudflare
  • Automated vulnerability scanning
  • Security patches applied within 24 hours of release
  • 24/7 uptime monitoring with automated alerting
  • SSL/TLS certificate auto-renewal
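As an added example that is not CurtainCall's own code, the following covers two items from the Data Encryption and Infrastructure Security sections above: an outbound TLS client context that refuses anything below TLS 1.2 and keeps certificate verification on (what a server should use when it calls a payment processor's API), and an audit of the security headers a reverse proxy should send on every response, including parsing the HSTS value. The required-header baseline and the two sample responses are this example's own assumptions; the hosts in the Content-Security-Policy are placeholders to be replaced with each processor's published CSP allow-list and the embedding organization's site.

```python
import ssl

ONE_YEAR = 365 * 24 * 3600

# Baseline headers this example expects on every HTTPS response from the proxy.
# The list is this example's own; the page does not publish CurtainCall's exact set.
REQUIRED_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
    "referrer-policy",
    "content-security-policy",
)


def tls_client_context() -> ssl.SSLContext:
    """Context for outbound HTTPS calls: verification stays on, TLS < 1.2 is refused."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def min_tls_version_name() -> str:
    return tls_client_context().minimum_version.name


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=31536000; includeSubDomains; preload' into its parts."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        token = part.strip().lower()
        if token.startswith("max-age="):
            try:
                out["max_age"] = int(token[len("max-age="):].strip('"'))
            except ValueError:
                pass                     # malformed max-age counts as absent
        elif token == "includesubdomains":
            out["include_subdomains"] = True
        elif token == "preload":
            out["preload"] = True
    return out


def audit_headers(headers: dict, scheme: str = "https") -> list[str]:
    """Return findings for one response; an empty list means it meets the baseline."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if scheme != "https":
        findings.append("served over plain HTTP: browsers ignore HSTS on HTTP responses")
    for name in REQUIRED_HEADERS:
        if name not in h:
            findings.append(f"missing {name}")
    if "strict-transport-security" in h:
        hsts = parse_hsts(h["strict-transport-security"])
        if hsts["max_age"] is None or hsts["max_age"] < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if not hsts["include_subdomains"]:
            findings.append("HSTS lacks includeSubDomains")
    if h.get("x-content-type-options", "").strip().lower() not in ("", "nosniff"):
        findings.append("x-content-type-options is not nosniff")
    csp = h.get("content-security-policy", "").lower()
    if csp and "frame-ancestors" not in csp:
        findings.append("CSP has no frame-ancestors directive (clickjacking / unwanted embedding)")
    return findings


# Constructed responses for illustration.
WEAK_RESPONSE = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'",
}
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    # frame-src limits which hosted payment forms may be framed; frame-ancestors limits
    # who may embed the checkout. Hosts are placeholders, not a recommended list.
    "Content-Security-Policy": ("default-src 'self'; "
                                "frame-src https://js.stripe.com https://processor.example; "
                                "frame-ancestors 'self' https://www.theatre.example"),
}

if __name__ == "__main__":
    print("min TLS:", min_tls_version_name())
    print("weak:", audit_headers(WEAK_RESPONSE))
    print("hardened:", audit_headers(HARDENED_RESPONSE))
```

For a ticketing product that is embedded in its customers' websites, `frame-ancestors` is the directive to get right: a blanket `X-Frame-Options: DENY` would break every embed, while an allow-list per organization keeps clickjacking out without it.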

GDPR & Compliance

CurtainCall includes features that support GDPR compliance for organizations operating in or serving customers in the European Union. While CurtainCall provides the technical tools, each organization is responsible for implementing their own GDPR policies.

  • Data export on request (customer can request their data)
  • Account deletion capability
  • Consent management for marketing communications
  • Data retention controls (configurable per organization)
  • Privacy policy integration on ticket purchase pages
  • Cookie consent banner support

Best Practices for Event Organizers

Use strong admin passwords

Enforce long, unique passwords for all staff accounts (a password manager makes this practical), and enable two-factor authentication when available.

Limit staff access

Only give staff the permissions they need. Box office volunteers don't need access to financial reports.

Keep your plan current

Higher-tier plans include more advanced security features. Enterprise plans include dedicated security reviews.

Monitor your activity log

Review the activity log regularly for unusual actions — unexpected logins, bulk exports, or configuration changes.

Use HTTPS everywhere

CurtainCall enforces HTTPS on all pages. If you embed CurtainCall in your own website, that page must be served over HTTPS as well: an attacker who can tamper with a plain-HTTP parent page can replace the embedded checkout with a look-alike, and nothing on CurtainCall's side can prevent that.

Frequently Asked Questions

Is CurtainCall PCI compliant?

Yes, by design. Card payments are processed entirely by Stripe or Square, both validated PCI DSS Level 1 service providers; CurtainCall never stores, processes, or transmits raw credit card numbers on its servers, which keeps its own PCI scope to the minimum. Compliance documentation is available to auditors on request.

How does CurtainCall protect customer data?

CurtainCall uses Docker-based tenant isolation, encrypted data at rest and in transit (TLS 1.2+), daily automated backups, and role-based access control. Each organization's data is isolated in separate containers.

Is CurtainCall GDPR compliant?

CurtainCall includes GDPR-supporting features: data export on request, account deletion, consent management, and data retention controls. Organizations are responsible for their own GDPR compliance policies.

Security Questions?

Contact our team for detailed security documentation or to discuss your organization's compliance requirements.