Child Privacy

To protect the data the races who use us as their online registration platform, we have made some updates to your race, event and club websites to better protect the online privacy of children, particularly those under the age of 13. Our updates are designed with the Children’s Online Privacy Protection Rule (“COPPA”) in mind and are designed to reasonably determine when we collect information about a child for a registration that we are collecting it from their parents.

Screen Shot 2017-10-05 at 10.46.26 AMThe first change you will notice is an update in the registration path. The first step of registering for a race will now ask if you are over 18 and either registering yourself or someone else over the age of 18. If you are registering someone under the age of 18 the click box will have you confirm that you are the parent or guardian of the person you are registering and that you are giving us permission to collect the information you provide about your child for the registration.

Secondly the profile we create for the child from the registration process will be a sub-account of the parent’s profile. We will store the full name and address for the child as well as other information used for race results. However, we will only store the parents email address and phone number as the contact information for the child. Our necessary communications to the child (such as a registration confirmation) will always be to the parents email address.

Screen Shot 2017-09-20 at 2.35.04 PMWhenever the child’s information is shown on a public facing part of the site, such as in a participant search or in results the name will be shown in a truncated version (first initial and last name) and will not be shown with other identifying information like their street address.

This is also true for our API – we deliver only the first initial of the first name to scoring and results software in addition to other applications accessing participant information.

In addition, for our Photo Platform, it is now required to have a date of birth in the profile that indicates you are at least 18 years old in order to upload photos.

Further, we log the following each time someone is authorized to upload a photo:

  • User ID
  • Reported Age
  • Access Timestamp

Finally we have updated the Children’s Privacy section of our Privacy Policy to include our new processes.

We would also like to take this opportunity to remind Race Owners, Race Directors, Timers, Partners and others who can access and download participant data from our site of your obligation to protect that data. It is your responsibility to restrict access to your RunSignUp account to only those that need to have access to your data. Further once data is downloaded from our site it is your responsibility to protect the security of that data and for your security and privacy policies to comply with applicable regulations like COPPA.

Dashboard Graphs Secure Access

The front Dashboard will become much more powerful in the coming weeks with over a dozen different graphical reports being added. To prepare for this, we have added specific access management for just the Dashboard. To invite others to get access to dashboard graphs, click on the lock in the upper right corner:
Screen Shot 2017-08-18 at 4.01.39 PM.png

This will show a list of people with access and a button to add people:
Screen Shot 2017-08-18 at 5.29.31 PM.png

This brings up a page that allows you to turn on access to groups of pages or specific pages:

Screen Shot 2017-08-18 at 5.29.54 PM.png

Users who do not have access to a page also have a way to ask for permission to access that page that is sent to the race director(s).

RunSignUp Demonstrates Continued Commitment to Secure Data and Transaction Processing with new Leadership Role

The Electronic Transactions Association (ETA) announced today the launch of a new Payment Facilitator Committee, with Kevin Harris (RunSignUp Chief Finance and Operations Officer) taking the role of Vice-Chair. ETA Press Release: http://www.electran.org/publication/transactiontrends/eta-announces-new-payments-facilitator-committee/

As noted in the release, the committee “will serve as a resource within ETA as the established, valued experts on payment facilitators, enabling deeper discussions on emerging industry challenges and assessing opportunities. The committee will also serve to consider public policy matters that may affect this constituency.”

As one of only a few hundred registered payment facilitators RunSignUp has taken steps as a company to meet stringent security, banking, VISA and MasterCard processing rules to become an authorized intermediary (Payment Facilitator) between credit card holders (registrants) and races . As such, when transactions are settled for your race, the race proceeds are held in escrow for your benefit with our back end credit card processing company. Funds transfers to you happen accurately and on time by either ACH or check, based on the frequency of payment that you request.

We became a payment facilitator to ensure that we were complying with financial rules and because we think it is the best way to handle your funds. It addresses the need to be able to quickly onboard smaller sub-merchants and allows businesses like RunSignUp to enable commerce between the buyers and sellers of services. We are pleased to see this secure form of online commerce grow and are proud to have one of our employees take a leadership role in shaping the industry.

Becoming a Payment Facilitator and recently achieving PCI Level 1 compliance are key pieces to our secure data and transaction processing. You can read about all the ways that we keep your data private and secure here.

A few things to look for in evaluating data security and transaction processing in a race technology provider:

  • Does the provider have secure, scalable technology?
  • Are they PCI Level 1 compliant with independent auditors?
  • Do they keep your race funds separate from the funds that they use to operate their business?
  • Do they have a privacy policy for how they will collect, store, and share data?
  • Will they use participant data to market or sell unrelated events, subscriptions, or other items to your race participants?
  • Do they have a proven track record in the industry?

Security Updates – Dirty COW

Screen Shot 2016-11-09 at 8.03.43 AM.pngWe have installed the patches for the “Dirty COW“, the privilege escalation vulnerability in the Linux Kernel. They even have a logo for it.

The AWS patches are here. If you use other systems that run on Linux, you should check to make sure these changes are made:

https://alas.aws.amazon.com/ALAS-2016-757.html

https://alas.aws.amazon.com/ALAS-2016-758.html

http/2 Support

fast-ron.pngWe have been doing a lot of infrastructure improvements over the past couple of months as a part of our PCI Level 1 Certification.  That is the highest level and requires extra measures of auditing and security and scanning, including a week onsite visit by a Qualified Security Assessor. Unfortunately most of that is stuff we can not talk about.

The one thing we can do is talk about the http/2 support that Amazon CloudFront has recently released and we are rolling out. http/2 is a major upgrade to base protocol between browsers and websites.

While there is a lot of complex technology, the simple result is that pages will load faster and response time will go down even further (that’s why we put the “Fast Ron Synup” image on this blog). Remember, fast websites are among the most important metrics that keep people on your race website and get them thru registration completely.

Security Patch

Screen Shot 2016-07-14 at 6.51.20 PMWe updated our site with this security patch – https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/.

Other webmasters may want to run the free Qualys SSL scanning tool to check their grades – https://www.ssllabs.com/ssltest/index.html. Users can also check out their most common websites as well (proud to say RunSignUp beat the bank I use :-))