Security and Compliance
Enable two-factor authentication, configure SSO/SAML, handle GDPR requests, and view the audit log.
Security Overview
CompleteEvent is built on Supabase with row-level security (RLS) on all database tables. This means every database query is automatically scoped to the authenticated user's organization — no custom middleware required to prevent cross-organization data leaks. All data is encrypted at rest and in transit using industry-standard encryption.
Two-Factor Authentication (2FA)
We strongly recommend enabling two-factor authentication on your CompleteEvent account, especially if you manage events with payment data or sensitive attendee information.
Setting up 2FA
- Go to Account Settings → Security.
- Click Enable two-factor authentication.
- Scan the QR code with an authenticator app (Google Authenticator, Authy, 1Password, or any TOTP-compatible app).
- Enter the 6-digit code from your authenticator app to verify setup.
- Save the backup codes in a secure location. These are one-time codes you can use if you lose access to your authenticator app.
After 2FA is enabled, every login will require both your password and the current code from your authenticator app.
Disabling 2FA
To disable 2FA, go to Account Settings → Security → Disable 2FA. You will need to enter a valid code from your authenticator app (or a backup code) to confirm the change.
If You Lose Access to Your Authenticator
Use one of your saved backup codes to log in. During login, click “Use a backup code” instead of entering a TOTP code. After logging in with a backup code, go to Security Settings and reconfigure 2FA with your new authenticator app.
If you have lost both your authenticator access and all backup codes, contact us at support@completeevent.app for account recovery. Identity verification will be required.
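How a server can check the 6-digit authenticator code and the one-time backup codes described above: RFC 6238 TOTP with a one-step clock-drift window, replay rejection, and backup codes that are consumed on use. This is an added illustration, not CompleteEvent's or Supabase's implementation; the SecondFactor class, its fields, and the sample secret are assumptions.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (the RFC 6238 default)

def totp(secret_b32: str, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", at // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()

class SecondFactor:
    """Hypothetical per-account verifier state (not CompleteEvent's code)."""

    def __init__(self, secret_b32: str, backup_codes: list[str]):
        self.secret = secret_b32
        self.backup = {_digest(c) for c in backup_codes}  # store digests only
        self.last_step = -1  # highest time step already accepted

    def verify_totp(self, code: str, now: int, window: int = 1) -> bool:
        current = now // STEP
        # Accept the current step and `window` steps either side (clock drift).
        for step in range(max(0, current - window), current + window + 1):
            if step <= self.last_step:
                continue  # a code from this step was already used: no replay
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = step
                return True
        return False

    def verify_backup(self, code: str) -> bool:
        digest = _digest(code)
        if digest in self.backup:
            self.backup.discard(digest)  # one-time: consumed on first use
            return True
        return False

# Constructed sample secret: the RFC 6238 test key, base32-encoded.
SECRET = base64.b32encode(b"12345678901234567890").decode()
```

Tracking the last accepted time step is what stops a captured code from being replayed inside its 30-second validity window.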
SSO / SAML (Enterprise)
Enterprise customers can configure SAML-based SSO to allow team members to log in with their company identity provider (Okta, Azure AD, Google Workspace, etc.). When SSO is configured, team members can log in via their organization's identity provider without needing a separate CompleteEvent password.
SSO configuration is handled at the Supabase project level. Contact us at support@completeevent.app to request SSO setup. You will need:
- Your identity provider's metadata XML or metadata URL.
- The email domain(s) that should be routed through SSO.
- A designated SSO administrator contact at your organization.
SSO is available for Pro plan organizations. Setup typically takes 1–2 business days.
GDPR: Data Export
Under GDPR (and similar regulations), individuals have the right to request a copy of their personal data. If an attendee contacts you with a data access request, you can generate their data export from Organization Settings → Data & Privacy → Export attendee data.
- Go to Organization Settings → Data & Privacy.
- Click Export attendee data.
- Enter the attendee's email address.
- Click Generate export. A JSON file containing all data held for that email address (across all your events) will be downloaded.
- Send this file to the requesting individual within your jurisdiction's required timeframe (30 days under GDPR).
The export includes: registration records, form responses, check-in timestamps, and any session or survey data associated with that attendee.
GDPR: Data Deletion Request
Individuals also have the right to request deletion of their personal data (the “right to be forgotten”). To process a deletion request:
- Go to Organization Settings → Data & Privacy → Delete attendee data.
- Enter the attendee's email address.
- Review the list of records that will be deleted.
- Click Confirm deletion. This action is irreversible.
Deletion removes the attendee's personal data (name, email, form responses) from all registration records. Anonymized aggregate data (e.g., registration count on a given day) is retained for analytics purposes — this data contains no personal identifiers.
Important: Data deletions are recorded in the audit log. This creates a verifiable record that the deletion was performed, which you may need to demonstrate compliance.
Audit Log
The organization audit log records all significant actions performed by team members. Owners can access the audit log from Organization Settings → Audit Log. The log includes who performed each action, what resource was affected, and when.
From a security perspective, review the audit log if you:
- Suspect unauthorized changes to your events.
- Need to verify when a data export or deletion was performed.
- Want to confirm when a team member was added or removed.
- Are responding to a security incident or compliance audit.
The audit log is available on Starter and Pro plans and is retained for 12 months.
Password Security
CompleteEvent uses Supabase Auth for password management. Passwords are never stored in plaintext — they are hashed using bcrypt. We recommend:
- Using a unique, strong password (12+ characters).
- Using a password manager to generate and store your password.
- Enabling 2FA as a second layer of protection.
If you suspect your account has been compromised, change your password immediately from Account Settings → Security → Change password, then review the audit log for unexpected actions.
Reporting a Security Issue
If you discover a security vulnerability in CompleteEvent, please report it responsibly by emailing security@completeevent.app. Do not disclose vulnerabilities publicly until we have had a chance to investigate and address the issue.
Need more help?
Contact us at support@completeevent.app and we'll get back to you within one business day.