Last updated: November 28, 2025

Security & Compliance

CalendarJet is built with security at its core. We protect your data using industry-leading practices and enterprise-grade infrastructure.

Security Overview

Calendar Jet takes the security of your data seriously. Our application is designed with multiple layers of protection to ensure your calendar data, personal information, and integration credentials remain secure.

  • TLS 1.2+ encryption for all data in transit
  • AES-256 encryption for data at rest
  • OAuth 2.0 for third-party integrations
  • Row-Level Security (RLS) database policies
  • Regular security audits and updates
  • SOC 2 Type II certified infrastructure

Infrastructure & Dependency Management

Calendar Jet is built on enterprise-grade, SOC 2 Type II certified infrastructure providers to ensure the highest levels of security and reliability.

Supabase (Database)

SOC 2 Type II, ISO 27001

PostgreSQL database with AES-256 encryption at rest, automated backups, point-in-time recovery, and Row-Level Security (RLS) policies.

Clerk (Authentication)

SOC 2 Type II

Enterprise-grade authentication with secure session management, JWT tokens, and multi-factor authentication support.

Stripe (Payments)

PCI-DSS Level 1, SOC 2

All payment data is handled directly by Stripe. Calendar Jet never stores credit card numbers or sensitive payment information.

Data Protection & Retention Policy

Data Encryption

  • In Transit: All data encrypted using TLS 1.2 or higher
  • At Rest: AES-256 encryption in Supabase database
  • OAuth Tokens: Encrypted with Row-Level Security policies

Data Retention

  • Active Accounts: While active + 30 days
  • Booking History: 12 months
  • OAuth Tokens: Until revoked
  • Backups: 7 days

Data Minimization

We only collect and store data that is necessary for providing our scheduling services. We do not sell, share, or use your data for advertising purposes. Calendar data is never used for AI/ML model training.

Vulnerability Management Policy

Dependency Management

  • Automated Scanning: npm audit & GitHub Dependabot
  • Critical Patches: Applied within 24-48 hours
  • Regular Updates: Weekly dependency updates

Code Security

  • All code changes reviewed before deployment
  • Input validation and sanitization on all user inputs
  • Protection against OWASP Top 10 (XSS, SQL Injection, CSRF)
  • Content Security Policy (CSP) headers implemented

Security Monitoring

  • Real-time monitoring
  • Application logging
  • Automated alerts
  • Supabase dashboards
  • Clerk dashboards

Incident Management & Response

Incident Classification

  • Critical (P1): Data breach, service outage, security exploit (Response: < 1 hour)
  • High (P2): Partial degradation, vulnerability found (Response: < 4 hours)
  • Medium (P3): Minor issues, non-critical bugs (Response: < 24 hours)

Response Process

  1. Detection: Monitoring, user report, or automated alert
  2. Assessment: Evaluate scope and impact
  3. Containment: Isolate affected systems
  4. Resolution: Fix issue and restore operations
  5. Notification: Inform users within 72 hours
  6. Post-Mortem: Document and prevent recurrence

Access Control & Authentication

  • Secure Auth: Clerk authentication with email verification
  • OAuth 2.0: Google Calendar & Zoom (no passwords stored)
  • Session Tokens: Automatic expiration for security
  • Row-Level Security: Users can only access their own data
  • API Protection: Authentication middleware on all endpoints
  • MFA Support: Multi-factor authentication available

Compliance & Certifications

Infrastructure Certifications

  • Supabase: SOC 2 Type II, ISO 27001
  • Clerk: SOC 2 Type II
  • Stripe: PCI-DSS Level 1, SOC 2

Data Protection Compliance

  • GDPR compliant data handling
  • Google API Limited Use compliance
  • Zoom OAuth security requirements
  • Data processing in EU regions available

Contact Security Team

If you discover a security vulnerability or have questions about our security practices, please contact us. We take all reports seriously and will respond within 24 hours.