I.

Architecture

How tenant isolation actually works.

Per-organization databases

Each partner runs against an isolated logical database with row-level security the host cannot accidentally bypass.

Shared patron reconciliation

Patrons who buy from multiple organizations are reconciled through a deterministic match service that exposes the marketplace identity — never the org-private profiles.

Governed marketplace queries

The shared marketplace queries through a policy-checked read API. Every query is logged, signed, and reviewable by each affected organization.

🜨

Org-scoped exports

Donor and patron exports honor the requesting org's consent records. Cross-org exports require named approval with a permanent audit trail.

Role-based admin

Host admins manage the marketplace; partner admins manage their org. Roles are scoped, named, and gated by approval workflows for destructive actions.

Permanent audit trail

Every sensitive operation — comps, refunds, exports, policy changes — is written to an append-only ledger with signed timestamps.

II.

Compliance

Independently attested

Ticketing.to maintains a current set of third-party attestations and binds the same controls to our subprocessors. The full trust package — SOC 2 Type II report, pen-test summary, accessibility VPAT, and DPA — is available under NDA.

SOC 2 Type II

Annual SOC 2 Type II audit with continuous control monitoring. Reports available under NDA.

PCI DSS Level 1

Cardholder data never touches our servers. Tokenized via Stripe; point-to-point encryption on every terminal.

WCAG 2.1 AA

Every customer-facing surface is built and tested to WCAG 2.1 AA. Reduced motion, keyboard paths, contrast-tested palettes.

Vulnerability management

Continuous SAST, DAST, dependency scanning, and quarterly third-party penetration testing.

Encryption everywhere

TLS 1.3 in transit, AES-256 at rest, KMS-backed key rotation, and signed audit trails for sensitive operations.

Backups & DR

Point-in-time recovery, multi-region replication, and quarterly DR rehearsals with documented RPO and RTO.

III.

Accessibility

Designed to be used by everyone.

The platform is built to WCAG 2.1 AA across every public and operator surface. A VPAT is available; we publish our open accessibility issues and our resolution SLAs.

Keyboard everywhere

Every flow — discovery, checkout, box office, scanner — completes on a keyboard alone, with visible focus and skip links.

Screen-reader first

Announce regions, live regions for inventory changes, and labelled controls. Tested with VoiceOver, NVDA, JAWS, and TalkBack.

Reduced motion respect

Animations are opt-in via prefers-reduced-motion; no surface depends on motion for state.

Contrast & color

Color is never the only signal. Palettes are tested at every theme — including partner-branded themes.

IV.

Reliability

99.95% uptime. 24/7 response.

The curtain doesn’t come down on opening night. Neither does Ticketing.to. We commit to 99.95% platform uptime, with named on-call engineers and a public status page.

99.95%Uptime SLA
< 5mPager response
4 hrSev-1 target
QuarterlyDR rehearsals

Trust package

Request the trust package

SOC 2 Type II report, pen-test summary, accessibility VPAT, DPA, subprocessor list, and our shared-marketplace data model — available under NDA.