Security

The security of your data and payments is our priority.

Secure payments

Your transactions are in good hands

Stripe PCI-DSS Level 1

All payments are processed by Stripe, certified PCI-DSS Level 1 — the highest level of compliance in the payment industry. Movétan never has access to your banking data.

Zero banking data stored

No card number, no CVV, no payment data is stored on Movétan servers. Processing is entirely delegated to Stripe.

TLS 1.3 encryption

All communications between your browser and our servers are encrypted via HTTPS with TLS 1.3. No data travels in plain text.

Stripe Connect Express

Organizers receive payments via Stripe Connect, with integrated KYC identity verification. Payouts are automatic and fully traced.

Data protection

Compliant with GDPR and French data protection laws

Data hosted in the European Union

Your database is hosted on MongoDB Atlas (AWS infrastructure) in a European region. Your data stays in the EU.

Hashed passwords (bcrypt)

Passwords are never stored in plain text. They are hashed with bcrypt (12 salt rounds). Even if the database is compromised, they remain unreadable.

Right to erasure

Deleting your account triggers the irreversible deletion of all your personal data within 30 days, in accordance with Article 17 of the GDPR.

No data resale

Movétan never sells, rents or shares your personal data with third parties for commercial purposes. Your data is used exclusively for the service.

Infrastructure and monitoring

Protection, monitoring and resilience

Cloudflare protection

The site is protected by Cloudflare: DDoS protection, web application firewall (WAF), and static resource caching for optimal performance.

Real-time monitoring (Sentry)

Every error on the platform is detected and reported in real-time via Sentry. Our team is immediately alerted to take action.

Role-based access control

A multi-level permission system strictly controls access to features and data. Each user can only see and act on what concerns them.

CSRF and injection protection

Every action on the platform is protected against cross-site attacks (CSRF). NoSQL injections and XSS are blocked by sanitization layers.

Ticket security

Every ticket is unique and verifiable

Unique QR codes

Each ticket has a cryptographically generated unique QR code. Impossible to duplicate or guess.

Automatic invalidation after refund

A refunded ticket is immediately invalidated. The QR code is rejected at scan, eliminating any risk of post-refund fraud.

Single-use scan

A ticket can only be scanned once. Any attempt to reuse it is blocked and reported to the organizer.

Oversell protection

Sales operations use atomic MongoDB transactions. It is impossible to sell more tickets than the defined capacity, even during simultaneous rushes.

Report a vulnerability

If you discover a security vulnerability on Movétan, contact us immediately. We commit to handling every report within 48 hours.

security@movetan.com

Also see our Privacy Policy and Terms of Service.