Security & Privacy
Security built for sensitive member data
TheatreStack protects safeguarding records, financial data, and personal information with passkeys-first MFA, role-based access, and comprehensive audit trails.
Security highlights
- Passkeys-first MFA with TOTP fallback for passwordless authentication
- Granular role-based access for committee, safeguarding, and finance roles
- Step-up verification for sensitive actions (viewing safeguarding data, financial records)
- Comprehensive audit trails for member data access and critical changes
- Multi-tenant isolation ensuring societies' data remains completely separate
Built-in security features
Modern security practices for sensitive theatre data
Passkeys-first authentication
Modern passwordless authentication using passkeys (WebAuthn) for committee members, with TOTP fallback for flexibility. Passkeys are phishing-resistant and easier to use than passwords.
Role-based access control
Granular permissions for committee, safeguarding officers, finance roles, and production teams. Members only see what they need for their specific role.
Step-up verification
Sensitive actions (viewing safeguarding cases, accessing child performer data) require re-authentication, ensuring only authorized users access critical information.
Audit trails
Every access to sensitive member data (address, emergency contacts) is logged with timestamp and user. Members can see who has viewed their information.
Session protection
Idle and absolute timeouts keep accounts secure on shared devices. Sessions expire automatically to prevent unauthorized access after committee meetings.
Multi-tenant isolation
Complete data separation between societies. Your members, productions, and financial data are isolated from other organizations at the database level.
Privacy-first design
UK GDPR compliance built into every feature
Sensitive data protection
- Hidden by default: Member addresses, phone numbers, emergency contacts, and full dates of birth are hidden by default.
- Audited access: When committee members reveal sensitive info, it's logged with their name and timestamp.
- Member visibility: Members can see who has accessed their sensitive information in their activity log.
GDPR compliance tools
- Right to access: Members can export all data you hold about them (subject access requests).
- Right to erasure: Members can request deletion of their data (with exceptions for legal obligations like financial records).
- Marketing consent: Clear opt-in/opt-out controls for marketing emails with automatic unsubscribe handling.
- Data minimization: Only collect what you need, with optional fields for additional data.
Safeguarding data security
Extra protection for child performer and safeguarding information
Restricted access
Safeguarding data (cases, incidents, child performer details) is only accessible to users with explicit safeguarding permissions.
Step-up required
Viewing safeguarding cases or child performer information requires re-entering your password (step-up authentication) for an extra security layer.
Audit everything
Every access to safeguarding data is logged with full audit trails showing who accessed what and when, creating accountability.
Infrastructure security
Built on modern, secure foundations
HTTPS everywhere
All connections are encrypted with TLS. No plain HTTP access allowed.
Secure database encryption
Data at rest is encrypted. Database access is restricted and audited.
Regular security updates
Infrastructure and dependencies are kept up to date with security patches applied promptly.
UK/EU data residency
Your data is stored in UK/EU data centers, ensuring compliance with UK GDPR requirements.
Security questions?
We're happy to discuss our security practices in detail
If you have specific security requirements or questions about our practices, compliance certifications, or data handling, please get in touch.