Security
A brief, plain-language summary of how AddCal protects customer data. For specific contractual questions, security questionnaires, or documentation for your review, email [email protected].
Compliance & standards
- SOC 2 Type II, not yet certified. It's on our roadmap, and we're building our security practices around the SOC 2 framework as we get there. We'll share the report under NDA once it's complete.
- GDPR, we act as data controller for your account data and as processor for the registration data you collect from attendees. We support data access, export, and deletion requests, and a Data Processing Agreement is available on request. See our Privacy Policy for details.
- PCI DSS, handled by Stripe. Card numbers never reach our systems.
- HIPAA, out of scope. We do not sign BAAs.
Data we store
Calendars, events, and the metadata you put on them. If you enable RSVPs, we also store the attendee names and email addresses you collect through your form. Customer data is logically separated per team, one team's data is never readable by another.
We don't store payment card details, special-category personal data, or any content you haven't deliberately put into the product.
Encryption
All traffic to AddCal is served over HTTPS using TLS 1.2 or higher. Databases, object storage, and backups are encrypted at rest using AWS KMS-managed keys. Encryption keys are scoped to our AWS account and never leave it.
Access control
Production access is restricted to a small set of named administrators on a need-to-have basis. Multi-factor authentication is enforced on every privileged surface, cloud console, source control, deployment.
Where customer support needs to view an account, we use a scoped impersonation feature that is audit-logged. Single sign-on for customer accounts is available on the Business plan.
Infrastructure & network
AddCal runs on AWS in the us-east-1 region (United States) as a serverless application on AWS Lambda. Each request runs in a short-lived, isolated environment built from a known image, there are no long-lived servers holding state between requests.
Databases, queues and other private resources sit inside a private VPC and are not reachable from the public internet. Only the application has access, via scoped IAM roles and security groups.
Backups & continuity
Production databases on AWS RDS have automated daily snapshots and point-in-time recovery, retained for one year. Object storage on S3 is versioned and durable. Backups are encrypted at rest and live inside our AWS account.
Measured uptime over the last 18 months is 99.97%.
Sub-processors
The third parties that process customer data on our behalf, each under a data processing agreement:
| Provider | Purpose | Region |
|---|---|---|
| AWS | Hosting, compute, database, storage, email (SES) | us-east-1 |
| Stripe | Payment processing | Global |
| Sentry | Application error monitoring | US |
| PostHog | Product analytics | US |
| Intercom | Customer support and messaging | US |
| Bento | Email and lifecycle communications | US |
Incident response
We maintain a documented incident response process to detect, triage, contain, and remediate security events. Where an incident affects (or is reasonably likely to affect) customer data, we notify affected customers within 24 hours of confirmation, then follow up as the investigation progresses.
Responsible disclosure is welcomed. Please don't run automated scans against live customer accounts without coordinating with us first.
Security documentation
On Enterprise plans, we can provide security and compliance documentation to support your review. Email [email protected] to tell us what your team needs.
Documents covered by NDA are sent within 24 hours of countersignature.
Contact
For any security or compliance question, vendor reviews, questionnaires, audit documentation, or suspected vulnerabilities, write to [email protected].