Security
Protecting your data is our top priority. Here's how we keep your information safe.
Infrastructure Security
- Hosted on AWS with multi-availability-zone redundancy
- All data encrypted in transit using TLS 1.2+ (HTTPS everywhere)
- Database encryption at rest using AES-256
- Network isolation with VPC, private subnets, and security groups
- Automated backups with point-in-time recovery
- DDoS protection and web application firewall (WAF)
Authentication & Access Control
- Passwords hashed with bcrypt (cost factor 12) — never stored in plain text
- Multi-factor authentication (TOTP) with backup recovery codes
- OAuth 2.0 integration with Google and Microsoft (no password stored for SSO users)
- Session tokens with automatic expiration (7-day default)
- Account lockout after 5 failed login attempts (30-minute cooldown)
- Role-based access control (Owner, Admin, Manager, Member)
Data Protection
- OAuth tokens encrypted at rest using AES-256-GCM
- Calendar sync tokens stored with application-level encryption
- API keys hashed before storage (only prefix shown to users)
- Webhook secrets use HMAC-SHA256 for request verification
- Personal data deletion available upon request (GDPR compliant)
- Minimal data collection — we only store what's necessary
API Security
- Rate limiting to prevent abuse (configurable per endpoint)
- CORS restricted to authorized origins only
- Request validation and input sanitization on all endpoints
- JWT-based authentication with short-lived tokens
- CSRF protection via state parameters on OAuth flows
- Security headers (HSTS, X-Frame-Options, CSP) via Helmet.js
Compliance & Best Practices
- GDPR compliant — data access, portability, and deletion rights
- CCPA compliant — California consumer privacy rights supported
- Regular dependency updates and vulnerability scanning
- Principle of least privilege for all internal access
- Incident response plan with notification procedures
Report a Vulnerability
If you discover a security vulnerability, please report it responsibly by emailing security@karlendar.com. We appreciate responsible disclosure and will acknowledge your report within 48 hours.