Last updated January 16, 2023
We value your data and are committed to keeping it safe and secure. This document outlines some of the ways handle your data with care in transit and at rest.
We are a small (but mighty!) team. Here are some of the best practices we’ve adopted:
When users sign up for SavvyCal, we create a user record in our database that includes:
If the user chooses to authenticate via an OAuth partner (Google, Microsoft, or Fastmail), then we will store encrypted credentials for the associated account (OAuth access token and refresh token) and associate that record with their user account.
When a user signs in, we generate an encrypted session token stored in browser cookies.
All application pages are encrypted with TLS 1.3 via certificates managed by Fly.io, our infrastructure provider.
When a user connects an third-party application, such as their Google, Microsoft, Fastmail, Apple, Stripe, or Zoom account, we encrypt access tokens before persisting them to our database.
Learn more about their security practices:
Users typically connect one or more calendar accounts (such as Google Calendar) and video conferencing providers (such as Zoom), to allow SavvyCal to create calendar events and conferencing sessions on their behalf, and factor in times when they are already busy on scheduling links. We only store the minimum required data to access these accounts and use them for their intended purposes. We never store calendar event data in our persistent data stores.
Application logs are stored in Logflare and retained for 30 days. All data sent to Logflare is encrypted in transit.
We value shipping software a high-velocity, but no so fast we sacrifice quality or, most importantly, data security. All code is subject to peer review via GitHub Pull Requests. We maintain a rigorous automated test suite and linters that is enforced via continuous integration before deployment.
No. We query calendars you choose to use for conflict checking in (near) real-time when a scheduler uses your scheduling link. At time of writing, we cache the results of queries for calendar events in application memory (not in any persisted storage) for up to 1 minute.
While we’d eventually love to achieve these certifications, we don’t hold them at this time. Our core infrastructure providers do hold these certifications, though.
Please email us at firstname.lastname@example.org! We do not provide compensation for independent reports at this time.