Trepy values the security, integrity, reliability, and stability of its platform, infrastructure, communications systems, ticketing systems, livestream systems, payment integrations, organizational tools, and related services.

This Security & Responsible Disclosure Policy (“Security Policy”) explains Trepy’s general approach relating to:

• vulnerability reporting;
• security research;
• responsible disclosure;
• platform security expectations;
• prohibited security activity;
• operational protections.

This Security Policy supplements the:

• Trepy Terms of Service
• Trepy Acceptable Use Policy
• Trepy Privacy Policy
• Trepy Account Termination & Repeat Violator Policy
• Trepy Payment Dispute & Chargeback Policy
• Trepy Community Standards & Content Policy

By accessing or interacting with Trepy systems, infrastructure, websites, mobile applications, APIs, communications systems, or related services, you acknowledge and agree to this Security Policy.

NOTE: THIS AGREEMENT CONTAINS ARBITRATION, INDEMNIFICATION, AND CLASS ACTION WAIVER CLAUSES

RECITALS

This Agreement incorporates the following additional agreements and policies:

Terms of Service | Privacy Policy | Cookie Policy | Accessibility Statement | Trust & Safety Transparency Policy | SMS Terms / Messaging Terms | Subscription Billing & Cancellation Policy | Acceptable Use Policy | Community Standards / Content Policy | Account Termination & Repeat Violator Policy | Refund / Ticketing Policy | Terms for Paid Livestream Access | Event Cancellation / Force Majeure Policy | Creator / Trep Agreement | Organizer Agreement | Platform Seller Agreement | Platform Verification & Identity Verification Policy | DMCA / Intellectual Property Policy | Intellectual Property Policy | Copyright / DMCA Notice Submission Procedure Page | California Privacy Addendum | Data Processing Addendum (DPA / GDPR Scaling) | Security & Responsible Disclosure Policy | Payment Dispute / Chargeback Policy | Law Enforcement Request Policy.

By Agreeing to this Agreement, you are agreeing to all of the forgoing policies and terms.

1. PURPOSE OF THIS POLICY

Trepy encourages responsible reporting of legitimate security concerns relating to the Trepy platform.

This Security Policy is intended to:

• support coordinated vulnerability disclosure;
• reduce operational risks;
• protect users and organizations;
• maintain infrastructure integrity;
• discourage harmful activity;
• establish reasonable security expectations.

Trepy reserves broad discretion in evaluating reported issues, investigations, operational responses, and enforcement actions.

2. SCOPE

This Security Policy generally applies to Trepy-owned or controlled systems including:

• Trepy websites;
• Trepy mobile applications;
• authentication systems;
• ticketing systems;
• livestream systems;
• communications systems;
• organizational management systems;
• APIs where applicable;
• operational infrastructure.

Third-party providers, integrations, or external services may operate under separate policies and rules.

Relevant third-party providers may include:

• Stripe Security Overview
• Twilio Security Documentation
• Mux Security Overview

Trepy does not authorize testing against systems not owned or controlled by Trepy.

3. REPORTING SECURITY ISSUES

Individuals who identify potential security vulnerabilities may report concerns to Trepy through designated reporting channels where available.

Reports should include reasonable detail sufficient to help Trepy investigate, such as:

• affected URLs;
• affected functionality;
• reproduction steps;
• screenshots where appropriate;
• timestamps;
• technical observations;
• proof-of-concept information where reasonably necessary.

Trepy may request additional information to validate reported concerns.

Incomplete or vague reports may not be investigated.

4. GOOD-FAITH SECURITY RESEARCH

Trepy generally seeks to distinguish good-faith security research from malicious or abusive activity.

Trepy may consider conduct to be good-faith research where individuals:

• act to avoid harm;
• avoid privacy violations;
• avoid service disruption;
• avoid data destruction;
• avoid fraud;
• avoid extortion;
• avoid unauthorized disclosure;
• avoid commercial exploitation of vulnerabilities.

Trepy reserves sole discretion in evaluating whether conduct qualifies as good-faith research.

5. PROHIBITED SECURITY ACTIVITIES

The following activities are prohibited unless expressly authorized in writing by Trepy:

• unauthorized access attempts;
• credential attacks;
• brute-force attacks;
• phishing;
• social engineering;
• denial-of-service attacks;
• distributed denial-of-service attacks;
• malware deployment;
• ransomware activity;
• automated scraping beyond authorized use;
• data exfiltration;
• account takeovers;
• unauthorized privilege escalation;
• exploitation causing service disruption;
• unauthorized interception of communications;
• unauthorized livestream interception;
• payment system manipulation;
• bypassing access restrictions;
• destructive testing;
• unauthorized persistence mechanisms;
• unauthorized modification of data.

Trepy reserves the right to determine whether conduct creates unacceptable operational, legal, security, or business risks.

6. DATA ACCESS LIMITATIONS

Researchers and users may not:

• intentionally access personal information unnecessarily;
• download user data unnecessarily;
• retain copied information;
• publicly disclose personal information;
• share confidential information;
• exploit vulnerabilities for commercial advantage.

If personal information is encountered unintentionally, users should:

• stop testing immediately;
• avoid further access;
• avoid retention;
• report the issue responsibly.

Trepy reserves the right to investigate unauthorized access to information.

7. RATE LIMITS AND OPERATIONAL SAFEGUARDS

Users may not engage in testing or activity that:

• materially degrades performance;
• disrupts services;
• overloads infrastructure;
• affects livestream functionality;
• interferes with ticketing systems;
• disrupts communications systems;
• impacts payment functionality;
• creates operational instability.

Trepy may implement:

• rate limits;
• traffic restrictions;
• IP blocking;
• session restrictions;
• automated defenses;
• anti-bot systems.

Trepy reserves discretion regarding operational protection measures.

8. NO BUG BOUNTY PROGRAM

Unless expressly stated otherwise, Trepy does not operate a public bug bounty program.

Trepy does not guarantee:

• compensation;
• rewards;
• public acknowledgment;
• response timelines;
• remediation timelines.

Any compensation or acknowledgment is solely at Trepy’s discretion.

9. RESPONSIBLE DISCLOSURE EXPECTATIONS

Trepy requests that researchers:

• avoid public disclosure before remediation where reasonably appropriate;
• avoid disclosing exploit details prematurely;
• avoid sharing vulnerabilities with malicious actors;
• provide reasonable time for investigation and remediation.

Trepy reserves the right to determine appropriate remediation timing and disclosure timing.

Trepy does not guarantee remediation of all reported concerns.

10. THIRD-PARTY SYSTEMS

Trepy relies on third-party providers and infrastructure.

These may include:

• Stripe;
• Twilio;
• Mux;
• cloud hosting providers;
• communications providers;
• analytics providers;
• content delivery providers.

Trepy does not authorize testing of third-party systems outside applicable provider authorization programs.

Users should review third-party provider policies independently.

Trepy is not responsible for third-party security programs or enforcement decisions.

11. SECURITY MONITORING

Trepy may use operational systems intended to help identify:

• suspicious activity;
• unauthorized access attempts;
• fraud risks;
• abuse patterns;
• infrastructure threats;
• operational anomalies.

Trepy may monitor:

• network activity;
• authentication events;
• communications systems;
• transaction activity;
• livestream activity;
• API activity where applicable.

Trepy reserves the right to investigate suspicious conduct.

12. ENFORCEMENT RIGHTS

Trepy reserves the right to:

• restrict access;
• suspend accounts;
• terminate accounts;
• block IP addresses;
• freeze monetization;
• preserve evidence;
• refer matters to law enforcement;
• pursue legal remedies;
• cooperate with regulators;
• cooperate with third-party providers.

Trepy may take enforcement action where reasonably necessary to:

• protect users;
• maintain platform integrity;
• reduce operational risks;
• comply with legal obligations.

13. NO WAIVER OF LEGAL RIGHTS

This Security Policy does not:

• grant authorization to access systems unlawfully;
• waive legal claims;
• waive criminal claims;
• waive civil claims;
• create immunity from enforcement;
• create contractual rights;
• create employment or partnership relationships.

Trepy reserves all legal rights and remedies.

14. DISCLAIMERS

THE PLATFORM IS PROVIDED “AS IS” AND “AS AVAILABLE.”

Trepy does not guarantee:

• uninterrupted security;
• uninterrupted availability;
• prevention of all attacks;
• prevention of all vulnerabilities;
• uninterrupted monitoring;
• immediate remediation of all reported issues.

Trepy reserves discretion regarding:

• investigation priorities;
• remediation timing;
• operational responses;
• enforcement actions.

15. LIMITATION OF LIABILITY

TO THE MAXIMUM EXTENT PERMITTED BY LAW, TREPY SHALL NOT BE LIABLE FOR:

• security incidents;
• infrastructure interruptions;
• third-party attacks;
• provider outages;
• vulnerability disclosures;
• operational interruptions;
• indirect damages;
• incidental damages;
• consequential damages;
• punitive damages;
• lost profits;
• reputational harm.

Certain jurisdictions may not allow some limitations.

16. INDEMNIFICATION

Users, researchers, Organizers, Sellers, Treps, and commercial users agree to defend, indemnify, and hold harmless Trepy and its affiliates, officers, directors, employees, contractors, agents, and partners from claims, liabilities, damages, losses, costs, and expenses arising from:

• unauthorized testing;
• prohibited activity;
• unlawful access;
• infrastructure abuse;
• data misuse;
• security violations;
• violations of law;
• violations of this Security Policy.

17. GOVERNING LAW

This Security Policy shall be governed by the laws of the State of Georgia without regard to conflict-of-law principles.

The Federal Arbitration Act governs interpretation and enforcement of arbitration provisions.

18. BINDING ARBITRATION

Except where prohibited by law, disputes arising out of or relating to security research, vulnerability reporting, platform access, enforcement actions, or related platform activity shall be resolved exclusively through final and binding individual arbitration.

The arbitration agreement is governed by the Federal Arbitration Act.

Either party may seek temporary injunctive relief where reasonably necessary.

19. CLASS ACTION WAIVER

TO THE MAXIMUM EXTENT PERMITTED BY LAW:

• claims may only be brought individually;
• class actions are waived;
• representative proceedings are waived;
• collective proceedings are waived;
• consolidated proceedings are waived.

The arbitrator may not consolidate claims or preside over representative proceedings.

20. MODIFICATIONS TO THIS POLICY

Trepy may update this Security Policy from time to time.

Updated versions may be posted through the platform.

Continued use of Trepy after updates may constitute acceptance of revised terms.

21. CONTACT INFORMATION

Trepy

Website:

• Trepy Website

Application:

• Trepy App

Additional security-reporting contact methods may be provided through the platform.