Security

Protecting your data is our top priority. Here's how we keep your information safe.

Infrastructure Security

  • Hosted on AWS with multi-availability-zone redundancy
  • All data encrypted in transit using TLS 1.2+ (HTTPS everywhere)
  • Database encryption at rest using AES-256
  • Network isolation with VPC, private subnets, and security groups
  • Automated backups with point-in-time recovery
  • DDoS protection and web application firewall (WAF)

Authentication & Access Control

  • Passwords hashed with bcrypt (cost factor 12) — never stored in plain text
  • Multi-factor authentication (TOTP) with backup recovery codes
  • OAuth 2.0 integration with Google and Microsoft (no password stored for SSO users)
  • Session tokens with automatic expiration (7-day default)
  • Account lockout after 5 failed login attempts (30-minute cooldown)
  • Role-based access control (Owner, Admin, Manager, Member)

Data Protection

  • OAuth tokens encrypted at rest using AES-256-GCM
  • Calendar sync tokens stored with application-level encryption
  • API keys hashed before storage (only prefix shown to users)
  • Webhook secrets use HMAC-SHA256 for request verification
  • Personal data deletion available upon request (GDPR compliant)
  • Minimal data collection — we only store what's necessary

API Security

  • Rate limiting to prevent abuse (configurable per endpoint)
  • CORS restricted to authorized origins only
  • Request validation and input sanitization on all endpoints
  • JWT-based authentication with short-lived tokens
  • CSRF protection via state parameters on OAuth flows
  • Security headers (HSTS, X-Frame-Options, CSP) via Helmet.js

Compliance & Best Practices

  • GDPR compliant — data access, portability, and deletion rights
  • CCPA compliant — California consumer privacy rights supported
  • Regular dependency updates and vulnerability scanning
  • Principle of least privilege for all internal access
  • Incident response plan with notification procedures

Report a Vulnerability

If you discover a security vulnerability, please report it responsibly by emailing security@karlendar.com. We appreciate responsible disclosure and will acknowledge your report within 48 hours.