THREE COUNT

Security & Trust

Last updated: March 26, 2026

Three Count LLC · doug@threecount.com


Three Count is built from the ground up on enterprise-grade infrastructure trusted by millions of businesses worldwide. We never store credit card numbers, we encrypt every connection, and we monitor our platform around the clock. This page explains exactly how we protect your data — whether you're a promoter running your business on Three Count or a fan buying tickets through our platform.

  • 256-bit TLS Encryption
  • PCI DSS Compliant (via Stripe)
  • 24/7 Uptime Monitoring
  • Row-Level Security on All Data

Payment Security

Three Count never sees, stores, or processes credit card numbers. All payment data flows directly between the buyer's browser and Stripe, a PCI Level 1 certified payment processor — the highest level of certification in the payments industry. Stripe processes payments for companies like Amazon, Google, and Shopify.

  • Card numbers are tokenized in the buyer's browser before leaving their device
  • Three Count only receives a payment confirmation token — never raw card data
  • Each promoter has their own Stripe Connect account, ensuring funds go directly to them
  • Stripe monitors all transactions for fraud using machine learning models trained on billions of data points

Encryption & Transport Security

Every connection to Three Count is encrypted using TLS 1.2+ (256-bit encryption) — the same standard used by banks and government websites. This applies to every page, every API call, and every admin dashboard session.

  • SSL certificates are automatically provisioned and renewed for all domains (platform and client sites)
  • HTTP Strict Transport Security (HSTS) prevents downgrade attacks
  • All API endpoints enforce HTTPS — plain HTTP connections are rejected

Ticket Anti-Fraud

Every ticket issued by Three Count contains a unique QR code that is cryptographically signed using HMAC-SHA256 — the same algorithm used in banking authentication. This makes counterfeiting tickets mathematically impractical.

  • Each QR code is bound to a specific ticket, event, and buyer
  • Signing keys are unique per organization and stored server-side only
  • Duplicate scan detection prevents a single ticket from being used twice
  • The scanner app validates signatures locally, so it works even without an internet connection at the venue
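The checks listed above, sketched as an added example (not Three Count's own code): a QR payload bound to ticket, event, and buyer, an HMAC-SHA256 tag under a per-organization key, and duplicate-scan rejection. The payload layout, function names, key value, and in-memory scan set are assumptions; the verifier is assumed to hold the organization's key, since HMAC verification uses the same key as signing.

```python
import base64
import hashlib
import hmac
import json

# Constructed per-organization key (assumption: real keys live in a secret store).
ORG_KEYS = {"org_demo": b"constructed-demo-key-not-a-real-secret"}


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_qr(org_id, ticket_id, event_id, buyer_id):
    """Return the QR string: base64url(payload) + "." + base64url(tag)."""
    payload = json.dumps(
        {"ticket": ticket_id, "event": event_id, "buyer": buyer_id},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    tag = hmac.new(ORG_KEYS[org_id], payload, hashlib.sha256).digest()
    return f"{b64e(payload)}.{b64e(tag)}"


def scan(qr, org_id, event_id, already_scanned):
    """Validate one scan: 'ok', 'invalid', 'wrong_event' or 'duplicate'."""
    try:
        payload_b64, tag_b64 = qr.split(".")
        payload, tag = b64d(payload_b64), b64d(tag_b64)
    except ValueError:  # wrong part count or undecodable base64
        return "invalid"
    expected = hmac.new(ORG_KEYS[org_id], payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return "invalid"
    claims = json.loads(payload)  # parsed only after the tag has verified
    if claims["event"] != event_id:
        return "wrong_event"
    if claims["ticket"] in already_scanned:
        return "duplicate"
    already_scanned.add(claims["ticket"])
    return "ok"
```

The payload is parsed only after the tag verifies, so unauthenticated input never reaches the JSON decoder, and a valid ticket for another event is rejected before it is marked as scanned.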

Data Isolation & Access Control

Three Count is a multi-tenant platform, meaning multiple promotions run on the same infrastructure. To keep each promoter's data completely separate, we enforce strict isolation at the database level.

  • Row-Level Security (RLS) on every database table — a promoter can only access their own events, tickets, roster, and settings
  • All API endpoints verify tenant ownership before returning any data
  • Admin sessions are authenticated via secure tokens with automatic expiration
  • The platform admin (Three Count operator) has a separate auth layer that requires email verification

Infrastructure & Hosting

Three Count runs on a modern, redundant infrastructure stack trusted by thousands of production applications:

  • Vercel (Web Hosting & CDN): Global edge network, automatic scaling, DDoS protection built in. SOC 2 Type II certified.
  • Supabase (Database, PostgreSQL): Managed PostgreSQL with automated daily backups, encryption at rest (AES-256), point-in-time recovery. SOC 2 Type II certified.
  • Stripe (Payment Processing): PCI Level 1 (highest tier). Handles all card data. Funds disbursed directly to promoter accounts.
  • Cloudflare (DNS & DDoS Protection): Proxied DNS with automatic DDoS mitigation, bot detection, and edge caching.
  • Resend (Transactional Email): Authenticated email delivery (SPF, DKIM, DMARC) for ticket confirmations.

Monitoring & Incident Response

We monitor Three Count continuously and respond to issues before they affect users.

  • Uptime monitoring — automated health checks every 5 minutes, with instant email alerts on any downtime
  • Error tracking — real-time error monitoring via Sentry across all client, server, and edge runtimes
  • Stripe webhook alerts — automatic notification on any payment processing failures
  • Personally identifiable information (PII) is scrubbed from all error reports before they leave the platform

Data Ownership & Portability

Your data is yours. Three Count believes every promoter should be able to take their data with them if they ever decide to leave.

  • Promoters own all content they upload โ€” event data, roster, images, and ticket records
  • Custom domains registered through Three Count are the client's property and will be transferred upon cancellation at no cost
  • Data export capabilities are available so promoters can take their full history with them
  • We do not sell, rent, or share promoter or buyer data with third parties for advertising

Security Practices

In addition to the infrastructure controls above, Three Count follows these security practices:

  • File uploads are validated with magic byte inspection (not just file extensions) to prevent malicious uploads
  • All delete and mutation endpoints verify tenant ownership before executing
  • Environment secrets (API keys, signing keys) are stored in Vercel's encrypted environment variable system — never in code or documentation
  • The codebase is version-controlled with automated deployment — no manual server access required
  • Dependencies are regularly reviewed and updated for known vulnerabilities

Questions?

If you have questions about our security practices, want to report a vulnerability, or need a security overview for your organization's review process, reach out to us directly at doug@threecount.com.

