Security & Compliance

Trust Centre

Everything you need to know about how EventHive keeps your data safe, where it's stored, who can access it, and how we meet our GDPR obligations.

Last updated: 5 April 2026 · Operated by Visual Hive Ltd (company no. 11878215)

Hosted in EU: Frankfurt, Germany
Encrypted: AES-256 + bcrypt
GDPR Compliant: UK GDPR · DPA 2018
Open Source: MIT Licensed tools

Where Your Data Lives

All EventHive data is stored on servers operated by Hetzner Online GmbH, a leading European cloud provider, in their Frankfurt, Germany data centre. This means your data is:

  • Stored within the European Economic Area (EEA), fully within the scope of GDPR
  • Subject to strict EU data protection and privacy standards
  • Not stored on US hyperscaler infrastructure (no AWS, Azure, or GCP)
  • Isolated on a private server, not on shared public cloud infrastructure

Hetzner is ISO 27001 certified and compliant with GDPR as a data processor. See Hetzner's privacy policy.

Security Measures

Password Security

Your password is never stored. We store only a bcrypt hash with a work factor tuned for modern hardware. Even if the database were compromised, your plain-text password cannot be recovered.

OAuth Token Encryption

When you connect email or messaging accounts, the OAuth tokens we store are encrypted at rest using AES-256-GCM with a server-side key. Even direct database access would not expose readable tokens.
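
An added example, not EventHive's code: one way to encrypt a stored OAuth token with AES-256-GCM in Node.js, showing that the authentication tag also rejects modified or relocated ciphertexts. The demo key, the `rowId` binding and the stored layout are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed demo key. A real deployment loads 32 random bytes from a secret
// store kept outside the database; the key is never stored beside the rows.
const SERVER_KEY = crypto.createHash('sha256').update('constructed-demo-key').digest();

// Encrypt one OAuth token. `rowId` (hypothetical identifier) is bound as
// associated data, so a ciphertext copied onto another row fails to decrypt.
function sealToken(token, rowId, key = SERVER_KEY) {
  const nonce = crypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(rowId, 'utf8'));
  const body = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  // Stored layout (assumed): nonce (12) || auth tag (16) || ciphertext
  return Buffer.concat([nonce, cipher.getAuthTag(), body]).toString('base64');
}

// Decrypt and authenticate. Returns null on tampering, wrong key or wrong row.
function openToken(stored, rowId, key = SERVER_KEY) {
  const raw = Buffer.from(stored, 'base64');
  if (raw.length < 28) return null; // too short to hold nonce + tag
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  decipher.setAAD(Buffer.from(rowId, 'utf8'));
  try {
    return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
  } catch {
    return null; // GCM tag verification failed
  }
}

// Simulate a database-level modification by flipping one stored bit.
function flipLastBit(stored) {
  const raw = Buffer.from(stored, 'base64');
  raw[raw.length - 1] ^= 1;
  return raw.toString('base64');
}
```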

Transport Security

All connections to EventHive are encrypted using TLS 1.2/1.3 (HTTPS). We use Caddy as our reverse proxy, which automatically provisions and renews Let's Encrypt certificates.

Session Security

Sessions use cryptographically random tokens stored in httpOnly cookies (inaccessible to JavaScript, protecting against XSS attacks). Sessions are stored server-side in our database and can be invalidated immediately on logout.

Access Control

Role-based access control ensures members only access their own data. Admin capabilities are restricted to Visual Hive staff. Database access is limited to authorised personnel with a legitimate need.

Network Isolation

The PostgreSQL database is not publicly accessible. It listens only on the internal Docker network. External access is possible only through the application layer, which enforces authentication and authorisation.

Sub-Processors

These are the third-party companies that process personal data on our behalf. Each operates under a Data Processing Agreement (DPA) with Visual Hive Ltd and is contractually bound to process your data only as directed by us.

| Processor | Purpose | Location | Transfer |
|---|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting - all data | Germany (EU) | EU only |
| Brevo SAS | Transactional email - name & email only | France (EU) | EU only |
| Groq Inc | AI inference - Inbox triage & briefings (Llama 3.3) | United States | SCCs |
| Anthropic PBC | Optional AI assistant (your own API key required) | United States | SCCs |
| PostHog Inc | Product analytics - anonymised events only | EU Cloud / self-hosted | EU only |

SCCs = Standard Contractual Clauses (UK IDTA / EU Module 2), providing equivalent data protection for transfers to non-adequate countries. No AI model is trained on your data: Groq and Anthropic APIs process queries in real time only.

Our Data Practices

We never sell your data

Your personal data is never sold, rented or shared with third parties for their own marketing or commercial purposes.

Data minimisation

We collect only the personal data necessary to provide the service. Profile fields like job title and company are optional and not required for basic use.

No AI training on your data

Neither Groq nor Anthropic train their AI models on data submitted via their API by default. Your event data stays your event data.

Data portability

You can export all your tool data from within the EventHive app at any time. We support data portability as a right, not just as a policy.

Deletion on request

Request deletion at richard@visualhive.co and we'll purge all your data within 2 working days, faster than the GDPR requires.

No advertising cookies or cross-site tracking

We use a single httpOnly session cookie. No advertising networks, no tracking pixels, no fingerprinting.

GDPR Compliance

Data Controller

Visual Hive Ltd (company no. 11878215), registered in England and Wales

Data Protection Officer

Richard Osborne, richard@visualhive.co

Lawful Bases Used

Contract (core service), Legitimate interest (security, analytics), Consent (optional AI features)

Supervisory Authority

Information Commissioner's Office (ICO), ico.org.uk

Breach Notification

We will notify the ICO within 72 hours of becoming aware of a breach likely to risk individuals' rights (GDPR Art. 33). Affected members will be notified without undue delay.

Data Retention

Account data retained for 6 months after closure. Immediate deletion within 2 working days on written request.

Your Rights

Access

Request a copy of all personal data we hold about you.

Rectification

Correct inaccurate data - most fields editable directly in your profile.

Erasure

Request deletion of all your data. Actioned within 2 working days.

Portability

Export your tool data at any time in machine-readable format.

Restriction

Request we restrict processing while a dispute is resolved.

Objection

Object to processing based on legitimate interest (e.g. analytics).

To exercise any right, email richard@visualhive.co. We respond within one calendar month. If unsatisfied, you may complain to the ICO.

Open Source Tools

The event management tools distributed through EventHive are open source and released under the MIT Licence. You can inspect, fork, and self-host them at any time. Transparency is a core part of how we build trust.

View tools on GitHub

Security Incidents

In the unlikely event of a security incident affecting personal data, we will:

  1. Contain and assess the incident as quickly as possible
  2. Notify the ICO within 72 hours if the breach is likely to risk individuals' rights and freedoms (GDPR Article 33)
  3. Notify affected members without undue delay if the breach is likely to result in a high risk to their rights (GDPR Article 34)
  4. Publish a post-incident report on this page after resolution

Report a vulnerability

If you discover a security vulnerability in EventHive, please disclose it responsibly by emailing richard@visualhive.co. Please do not publicly disclose vulnerabilities before we have had the opportunity to address them. We will acknowledge receipt within 2 working days.

Questions about trust and security?

Our DPO and CTO Richard Osborne handles all privacy, security and data protection enquiries personally.
