SECURITY IS FOUNDATIONAL

Enterprise-grade infrastructure, PCI-compliant payment processing, and transparent compliance practices — built to meet the security requirements your organization demands.

INFRASTRUCTURE SECURITY

Handbid’s platform runs on hardened, monitored infrastructure designed for the unpredictable traffic patterns of live events.

SOC 2-Certified Data Centers

Handbid is hosted by Nicman Labs, a SOC 2 Type II certified infrastructure provider, ensuring audited controls for security, availability, and confidentiality.

Primary + Failover Architecture

Handbid operates a primary data center with a geographically separate failover site to minimize downtime during infrastructure incidents.

24x7 Monitoring

Handbid backend services are continuously monitored across all customers. White-label clients additionally receive dedicated front-end monitoring for their branded environments.

99.5% Uptime SLA

Contractual uptime guarantee backed by Handbid’s infrastructure architecture and operational practices.

Dedicated Hosting for High-Traffic Events

Isolated infrastructure environments available for events expecting 5,000+ sustained visits per minute.

Peak Load Scaling

Event-night scaling packages ensure your auction or event can handle traffic surges without degradation.


Payment Security

Every transaction on Handbid is processed through industry-leading payment infrastructure. Sensitive payment data never touches Handbid servers.

PCI DSS Compliant Processing

All payment processing is handled by Stripe, a PCI Level 1 Service Provider — the highest level of payment industry certification.

Encrypted Transmission

All payment data is transmitted over TLS-encrypted connections between the client, Handbid, and Stripe.

Card Tokenization

Payment card numbers are tokenized by Stripe at the point of entry. Card data is never transmitted to, processed by, or stored on Handbid servers.

Multiple Secure Payment Methods

Stripe, Apple Pay, Google Pay, ACH, Stripe Link, DAF Pay by Chariot, card terminals, and Tap to Pay — all processed through PCI-compliant channels.

Application Security

Handbid’s application layer is engineered with security controls at every level — from mobile app distribution to API integrations.

App Store Security Reviews

Native iOS and Android apps are reviewed and published through Apple App Store and Google Play Store security processes, meeting platform-specific security requirements.

HTTPS/TLS Encryption

All data in transit is protected by TLS encryption. No unencrypted connections are accepted.

WebSocket Security

Handbid’s real-time bidding engine communicates over secure WebSocket (WSS) connections with authenticated sessions.

Role-Based Access Controls

Event management interfaces enforce role-based permissions, ensuring staff access only the data and functions appropriate to their role.

Secure API Architecture

Enterprise integrations connect through authenticated, versioned APIs designed for secure data exchange.

Data Protection

Your data is protected throughout its lifecycle — at rest, in transit, and during processing.

Encryption at Rest and in Transit

All stored data is encrypted at rest. All data transmitted between clients and servers is encrypted via TLS.

Automated Backups

Automated backup processes ensure data recoverability in the event of an incident.

Data Isolation for White-Label Deployments

White-label customers operate in logically isolated environments. Enterprise customers with dedicated hosting receive physically isolated deployments.

GDPR-Aware Data Handling

Handbid follows GDPR-aware data handling practices, including support for data subject access and deletion requests.

Data Retention & Deletion Policies

Handbid’s data retention and deletion practices are documented in our Data Processing Agreement (DPA), available on our legal page.

Authentication & Access

Handbid supports enterprise identity and access management standards to integrate securely with your existing infrastructure.

SSO Support

SAML 2.0 and OAuth 2.0 single sign-on integration for enterprise identity providers. Deployed today with Fortune 500 media and entertainment customers.

Identity Provider Integration

Connect Handbid to your organization’s identity provider via SAML-based SSO for centralized user management.

Multi-Factor Authentication

MFA via Twilio Verify and SMS. Required for Handbid super admins and available for organizations to enable across their users.

Session Management

Session timeout enforcement to limit unauthorized access from idle sessions.

Compliance & Certifications

Transparency is a core value. The table below summarizes Handbid’s current compliance posture and planned certifications.

Certification: Infrastructure SOC 2 Type II
Status: Active
Details: Handbid’s hosting infrastructure is operated by Nicman Labs, a SOC 2 Type II certified provider. Nicman Labs’ SOC 2 report is available upon request under NDA.

Certification: Handbid SOC 2 Type II
Status: Planned 2027
Details: Handbid’s own SOC 2 Type II certification is budgeted and planned for the near future. Contact us for current status and timeline.

Certification: PCI DSS
Status: Active (via Stripe)
Details: Payment processing is handled by Stripe, a PCI Level 1 Service Provider. Handbid does not store, process, or transmit cardholder data.

Certification: App Store Compliance
Status: Active
Details: Native iOS and Android applications comply with Apple App Store and Google Play Store security and privacy requirements.

Certification: GDPR Awareness
Status: In Practice
Details: Handbid follows GDPR-aware data handling practices. Formal GDPR compliance documentation is available upon request.

Certification: WCAG 2.1 Accessibility (VPAT)
Status: Active
Details: Handbid’s VPAT (Voluntary Product Accessibility Template) documents conformance with WCAG 2.1 Level A and Level AA. The full report is available on our Accessibility page.

Accessibility

Handbid is committed to making our platform usable by everyone, including people with disabilities. We design and test for accessibility as part of our standard development process.

WCAG 2.1 Conformance

The Handbid platform conforms to WCAG 2.1 Level A and Level AA success criteria. Our conformance has been evaluated through screen-reader testing (NVDA), keyboard navigation testing, mobile reflow testing, and technical auditing.

VPAT Available

Our Voluntary Product Accessibility Template (VPAT®, Version 2.4) is published on our website. The report, dated February 2026, provides detailed conformance information for each WCAG 2.1 success criterion.


Assistive Technology Support

Handbid is tested with NVDA screen reader on Windows/Chrome, keyboard-only navigation, and mobile reflow to ensure usability across assistive technologies.

Ongoing Commitment

Handbid retains an independent accessibility firm to audit our code and guide ongoing remediation. Accessibility is continuously monitored, tested, and improved as part of our development lifecycle.

Ongoing Support

If you encounter an accessibility barrier or have questions about Handbid’s accessibility practices, contact us.

Enterprise Options

For organizations with elevated security, performance, or compliance requirements, Handbid offers dedicated enterprise configurations.

Dedicated Hosting Environments

Fully isolated infrastructure for your organization, separate from shared multi-tenant environments.

Peak Load Planning

Pre-event capacity planning and event-night scaling to handle sustained traffic of 5,000+ visitors per minute.

Security Questionnaire Support

For enterprise engagements, our team will complete your vendor security questionnaire and provide supporting documentation for your internal review process.

Security Contact & Resources

Have security questions? We’re here to help. Our team is available to:

Complete your vendor security questionnaire
Provide additional security documentation and compliance artifacts
Share Nicman Labs’ SOC 2 report under NDA
Schedule a call with our technical team to discuss your requirements