Per-organization databases
Each partner runs against an isolated logical database with row-level security the host cannot accidentally bypass.
Trust & security
The hardest requirement in a community ticketing platform is not uptime or payments. It is confidentiality between partner organizations that share patrons. Ticketing.to treats organizational isolation as a first-class architectural property — not a policy you enforce by hand.
Architecture
Each partner runs against an isolated logical database with row-level security the host cannot accidentally bypass.
Patrons who buy from multiple organizations are reconciled through a deterministic match service that exposes the marketplace identity — never the org-private profiles.
The shared marketplace queries through a policy-checked read API. Every query is logged, signed, and reviewable by each affected organization.
Donor and patron exports honor the requesting org's consent records. Cross-org exports require named approval with a permanent audit trail.
Host admins manage the marketplace; partner admins manage their org. Roles are scoped, named, and gated by approval workflows for destructive actions.
Every sensitive operation — comps, refunds, exports, policy changes — is written to an append-only ledger with signed timestamps.
Compliance
Ticketing.to maintains a current set of third-party attestations and binds the same controls to our subprocessors. The full trust package — SOC 2 Type II report, pen-test summary, accessibility VPAT, and DPA — is available under NDA.
Annual SOC 2 Type II audit with continuous control monitoring. Reports available under NDA.
Cardholder data never touches our servers. Tokenized via Stripe; point-to-point encryption on every terminal.
Every customer-facing surface is built and tested to WCAG 2.1 AA. Reduced motion, keyboard paths, contrast-tested palettes.
Continuous SAST, DAST, dependency scanning, and quarterly third-party penetration testing.
TLS 1.3 in transit, AES-256 at rest, KMS-backed key rotation, and signed audit trails for sensitive operations.
Point-in-time recovery, multi-region replication, and quarterly DR rehearsals with documented RPO and RTO.
Accessibility
The platform is built to WCAG 2.1 AA across every public and operator surface. A VPAT is available; we publish our open accessibility issues and our resolution SLAs.
Every flow — discovery, checkout, box office, scanner — completes on a keyboard alone, with visible focus and skip links.
Announce regions, live regions for inventory changes, and labelled controls. Tested with VoiceOver, NVDA, JAWS, and TalkBack.
Animations are opt-in via prefers-reduced-motion; no surface depends on motion for state.
Color is never the only signal. Palettes are tested at every theme — including partner-branded themes.
Reliability
The curtain doesn’t come down on opening night. Neither does Ticketing.to. We commit to 99.95% platform uptime, with named on-call engineers and a public status page.