SavvyCal Security

Last updated January 16, 2023

We value your data and are committed to keeping it safe and secure. This document outlines some of the ways we handle your data with care in transit and at rest.

Organizational Security

We are a small (but mighty!) team. Here are some of the best practices we’ve adopted:

  • Access to servers, source code, and third-party tools is limited to core team members.
  • We use strong, randomly-generated passwords stored in a password manager (1Password).
  • Employees and contractors are given the lowest level of access that allows them to get their work done. This rarely includes access to production systems or data.
  • We use automatic security vulnerability detection tools to alert us when our dependencies have known security issues. We are aggressive about applying patches and deploying quickly.
  • We don’t copy production data to external devices (like personal laptops).

Authentication

When users sign up for SavvyCal, we create a user record in our database that includes:

  • First and last name
  • Email address
  • Hashed password (using bcrypt)

If the user chooses to authenticate via an OAuth partner (Google, Microsoft, or Fastmail), then we will store encrypted credentials for the associated account (OAuth access token and refresh token) and associate that record with their user account.

When a user signs in, we generate an encrypted session token stored in browser cookies.

Encryption

All application pages are encrypted with TLS 1.3 via certificates managed by Fly.io, our infrastructure provider.

When a user connects a third-party application, such as their Google, Microsoft, Fastmail, Apple, Stripe, or Zoom account, we encrypt access tokens before persisting them to our database.

Infrastructure

Our application is hosted with Fly.io, primarily in the IAD (Virginia, US) region. Our database is hosted with Crunchy Bridge on AWS in the us-east availability region.

Learn more about their security practices:

Third-Party Access

Users typically connect one or more calendar accounts (such as Google Calendar) and video conferencing providers (such as Zoom) to allow SavvyCal to create calendar events and conferencing sessions on their behalf, and to factor in times when they are already busy on scheduling links. We only store the minimum required data to access these accounts and use them for their intended purposes. We never store calendar event data in our persistent data stores.

Logging

Application logs are stored in Logflare and retained for 30 days. All data sent to Logflare is encrypted in transit.

Software Development Practices

We value shipping software at a high velocity, but not so fast that we sacrifice quality or, most importantly, data security. All code is subject to peer review via GitHub Pull Requests. We maintain a rigorous automated test suite and linters that are enforced via continuous integration before deployment.

Learn more about our SSCLC processes →

FAQs

Do you store copies of my calendar events on your servers?

No. We query calendars you choose to use for conflict checking in (near) real-time when a scheduler uses your scheduling link. At time of writing, we cache the results of queries for calendar events in application memory (not in any persisted storage) for up to 1 minute.

Are you SOC 2 or ISO 27001 certified?

While we’d eventually love to achieve these certifications, we don’t hold them at this time. Our core infrastructure providers do hold these certifications, though.

How do I report a potential vulnerability or security concern?

Please email us at support@savvycal.com! We do not provide compensation for independent reports at this time.