Secure by Default: Payments, Data & Access

Ticketing is a trust business: card numbers, legal names, crew credentials, and the implicit promise that a QR really means entry. 4 Circles is designed with defaults that keep those responsibilities clear — payment processors handle raw card data, role-based access guards admin power, and wallet payloads stay signed so scanners can spot tampering.

Payments you can explain to your CFO

  • PCI-scope-light flows keep card numbers off our servers, so your compliance burden stays small.
  • Webhook and API secrets live in environment-backed settings — never embedded in code.
  • Refunds and partial reversals travel through orchestrated services with idempotency so finance never sees surprise duplicate ledger rows.
  • Per-organizer reconciliation — multi-seller carts settle to the right partner every time.

Attendee data and privacy

  • Data subject rights — GDPR and similar programs are easier to satisfy when customer data sits in a structured database with role separation.
  • Multi-organizer carts mean you should publish who can see what when fans buy across partners — link to multi-event cart and your privacy policy.
  • Retention controls — purge jobs are configurable, so customer records leave on the schedule your legal team sets.

Who can press the dangerous buttons

  • Admin consoles for central, organizer, and staff roles inherit a policy-based permission model.
  • Refunds, comps, and approvals leave forensic breadcrumbs — your team always knows who moved money and why.
  • Mandate MFA for privileged users through your identity provider; the platform integrates with the SSO you already trust.

Fraud and abuse

Velocity throttles, geo policies, and Stripe Radar rulesets layer on top of our default protections. Configure the playbook that fits your risk appetite — we provide the hooks; you choose the policy.

Hosting hygiene

  • Secrets stay in CI, IAM follows least privilege, TLS is enforced everywhere.
  • Backups are encrypted, database tunnels are restricted, and restores are rehearsed on a schedule — not only when something smokes.

Scale and security are cousins: read how we handle crush-time traffic alongside this page before you sign a sponsor deck. Schedule a security review with our team to walk through your specific compliance needs.