At ThunderTix, security is not a checkbox—it’s a commitment. We proudly completed the PCI DSS v4.0 Self-Assessment Questionnaire D (SAQ-D) for Service Providers in January 2025, meeting the most stringent requirements in the industry.
This page outlines how we protect your data, comply with global standards, and support your organization's security posture.
PCI Compliance
ThunderTix is officially compliant with PCI DSS v4.0 SAQ-D for Service Providers, the highest-level self-assessment designated for vendors who:
- Integrate with payment providers
- Could affect the Cardholder Data Environment (CDE)
- Must verify secure infrastructure and software practices
Key highlights from our 2025 attestation:
- No storage or handling of cardholder data (CHD) or sensitive authentication data (SAD)
- All payment data is tokenized via PCI Level 1-compliant providers: Stripe, Square, Elavon, Authorize.net, Moneris, and Braintree
- Payment is conducted exclusively through secure JavaScript iFrames or certified card readers (BBPOS, WisePOS, Square Terminal, etc.)
- Verified by external Approved Scanning Vendors (ASVs): Intruder and HackerGuardian
Platform & Network Security
- Cloudflare DDoS & WAF: All inbound traffic is filtered through advanced security layers
- TLS 1.2+ Encryption: All traffic is encrypted in transit
- Zero Cardholder Data: No credit card info is stored, processed, or passed through our servers
- Endpoint Protection: All systems, including mobile readers, follow vendor security guidelines and validated firmware versions
- Quarterly vulnerability scans performed and documented as part of PCI compliance
HECVAT & Data Privacy
We provide a completed HECVAT Lite security assessment for universities and public institutions.
- Compliant with GDPR, CCPA, and U.S. data protection frameworks
- No personal data sold or shared with third parties
- Full support for data subject access requests, opt-outs, and data deletion
- Customizable Data Processing Addendum (DPA) available
Dev & Infrastructure Practices
- Role-based access: Only authorized team members can access production systems
- CI/CD with secure code reviews
- Penetration testing conducted and patch management policies in place
- Hosting transitions from Heroku to AWS App Runner include secure VPCs and hardened images
Incident Response & Business Continuity
- Formal Incident Response Plan (IRP) with defined escalation and notification protocols
- Quarterly drills to verify preparedness
- 99.95% uptime SLA and robust failover infrastructure
Third-Party Trust Chain
ThunderTix integrates exclusively with PCI Level 1–compliant payment processors and hardware-validated readers—ensuring secure, tokenized payments across desktop, web, and mobile environments.
| Provider | Function | PCI Level 1 | Tokenization | Validated Devices |
|---|---|---|---|---|
| Stripe | Payment Processing | ✅ | ✅ | Stripe M2, WisePOS E, BBPOS Chipper 2X (iOS/Android) |
| Square | Payment Processing | ✅ | ✅ | Square Terminal, Square Reader (iOS/Android) |
| Braintree | Payment Gateway | ✅ | ✅ | - |
| Elavon | Payment Gateway | ✅ | ✅ | - |
| Authorize.net | Payment Gateway | ✅ | ✅ | - |
ThunderTix mobile apps integrate with Stripe’s official iOS and Android SDKs to securely accept payments using the M2, WisePOS E, and BBPOS readers—all of which are PCI SSC–validated.
Need Docs for Procurement?
We’ll gladly provide the following upon request:
- PCI DSS SAQ-D (2025)
- HECVAT Lite
- Data Processing Addendum
- Infrastructure & incident response summaries
- Accessibility (VPAT)
- Future SOC 2 roadmap