Security

Last updated: 25 February 2026

UTIX Inc.

26 Broadway, 3rd Floor, New York, NY 10004, USA

Security contact: info@utix.co.uk

1. Our security approach

We design UTIX to protect:

  • user accounts and authentication flows,
  • ticket integrity (anti-fraud and anti-counterfeit controls),
  • organiser access and payout tooling,
  • platform availability and operational resilience,
  • and the confidentiality and integrity of personal data.

No system is perfectly secure. We continuously improve controls as we grow.

2. Account security

2.1 Passwordless authentication. UTIX uses email-based one-time codes rather than passwords, reducing password reuse and phishing risks.

2.2 Session protection. Sessions are protected with secure, httpOnly cookies and server-side controls.

2.3 Rate limiting and abuse prevention. We apply rate limiting and automated defences against brute-force and suspicious activity.

What you can do

  • Keep your email account secure (enable MFA on your email provider).
  • Do not share login codes.
  • Use up-to-date browsers/devices.

3. Ticket security and anti-fraud

3.1 Dynamic/rotating QR codes. Tickets may use short-lived QR codes and replay protection so screenshots are less effective.

3.2 Nonce and replay controls. We use mechanisms designed to prevent the same ticket being scanned repeatedly in ways that bypass admission rules.

3.3 Offline and degraded scanning protections. Where offline scanning is supported, we design controls to reduce fraud risk while maintaining entry throughput.

4. Organiser and admin security

4.1 Role-based access control. Access to Organiser tooling is role-based (owner/admin/check-in roles where supported).

4.2 Admin protections. Administrative access is restricted and protected with additional verification steps for sensitive actions.

4.3 Audit logging. We maintain audit logs for sensitive operational actions to support investigation and integrity.

5. Infrastructure and data security

5.1 Encryption in transit. Network traffic is protected using TLS/HTTPS.

5.2 Encryption at rest. We use reputable cloud providers and rely on their encryption-at-rest capabilities where available, alongside access controls.

5.3 Access controls. We restrict production access to authorised personnel and apply least-privilege principles where possible.

5.4 Logging and monitoring. We monitor errors and operational signals to detect outages and suspicious behaviour.

5.5 Secrets management. API keys and secrets are stored and managed using standard secure practices and are not intended to be committed into source control.

6. Payments security

6.1 Payments are processed through payment partners (primarily Stripe). UTIX does not store full payment card numbers.

6.2 Refunds and payouts are executed through payment partner systems and controls.

6.3 We maintain internal checks to prevent certain classes of payment and refund abuse, and to support dispute handling.

7. Vulnerability reporting (responsible disclosure)

If you believe you have found a security vulnerability, please report it responsibly.

Report vulnerabilities to: info@utix.co.uk

Please include:

  • a clear description of the issue,
  • steps to reproduce,
  • impact assessment (what could happen),
  • affected endpoints/screens (if known),
  • and any proof-of-concept details that minimise risk to users.

Please do not:

  • access other users’ data,
  • disrupt services (e.g., DDoS),
  • attempt extortion,
  • publicly disclose details before we have had a reasonable chance to investigate and mitigate.

8. Incident response

We maintain an incident response process designed to:

  • triage and validate reports,
  • contain impact,
  • remediate vulnerabilities,
  • rotate secrets where necessary,
  • and notify affected parties where legally required.

Where personal data is impacted and UK GDPR applies, we will assess reporting obligations to relevant authorities and notifications to affected individuals.

9. Business continuity and resilience

We aim to design for reliability through:

  • cloud hosting with redundancy features where available,
  • operational monitoring,
  • and controlled rollout practices.

Planned maintenance and incident-related downtime may occur; we strive to minimise disruption.

10. Sub-processors and vendors

UTIX relies on vetted third parties for key infrastructure (payments, email delivery, hosting, databases, wallet services, monitoring). Each provider has its own security controls and contractual obligations. We aim to use providers with strong security reputations and to limit data shared to what is necessary.

11. Updates to this Security page

We may update this page as controls evolve. The “Last updated” date will be revised accordingly.

12. Contact

For security questions or reports: info@utix.co.uk