Trust

Security at Simple Scheduler.

How we keep your scheduling data, your customers' contact details, and your payment information safe — explained in plain English.

LAST UPDATED · MAY 11, 2026

Our security commitments

The controls behind the promise — each one is already shipping in the product.

Encryption in transit and at rest

Every connection to Simple Scheduler is protected with modern TLS, and your data is encrypted at rest using industry-standard ciphers managed by our cloud providers.

Strict workspace isolation

Your workspace data is logically separated from every other customer's data, and that separation is enforced at the storage layer, so a signed-in user only sees what belongs to their workspace.

Least-privilege access

Role-based permissions follow the principle of least privilege. Internal staff access is limited, audited, and reviewed on a recurring basis.

Audit trail for sensitive actions

Sensitive workspace events — invites, role changes, plan changes, and exports — are recorded to a tamper-evident audit trail you and our team can review.

PCI-compliant payments

All card data is tokenized by our PCI Level 1 payments partner. Card numbers and CVCs never touch Simple Scheduler systems, keeping the PCI surface off our infrastructure.

Modern authentication

Email and password sign-in uses strong-hash storage, magic-link sign-in uses single-use tokens, and password recovery requires a verified email. MFA is on our roadmap.

Where your data lives

Simple Scheduler is hosted on enterprise-grade cloud infrastructure in the United States. We do not move your data outside the U.S. in the normal course of business. Our hosting partners operate to recognized security and compliance standards, including SOC 2 Type II, and handle the physical, network, and platform layers of our stack.

Encryption in transit and at rest

All traffic between your browser and Simple Scheduler is protected with modern TLS, and strict transport security headers prevent downgrade attempts. Data at rest is encrypted using industry-standard ciphers and managed keys, and any files you upload inherit the same encryption defaults and are gated by short-lived signed URLs.

Access control and workspace isolation

Every workspace is logically isolated from every other workspace. Authorization is enforced at the storage layer, not just in the application — so a signed-in user can only ever see and act on the data that belongs to a workspace they are a member of, with the role they have been granted.

Roles inside a workspace follow the principle of least privilege. Internal staff access is scoped, logged, and reviewed; nobody on our team has standing access to your data without a documented business reason.

Authentication

Sign-in supports email and password with strong-hash storage, magic-link sign-in via single-use tokens, and password recovery through a verified email address. Authentication emails are sent from a verified sending domain with SPF, DKIM, and DMARC alignment.

Multi-factor authentication (MFA) is on our roadmap. In the meantime we recommend long, unique passwords stored in a password manager and avoiding shared accounts.

Payment security

All payment capture is delegated to a PCI Level 1 service provider using their hosted payment surfaces. Card numbers, CVCs, and full PANs never traverse Simple Scheduler infrastructure. We retain only the tokenized references and the last four digits required to show your billing history.

Audit logging and monitoring

Sensitive workspace events — invites, role changes, plan changes, suspensions, exports — are recorded to a tamper-evident audit trail with the actor, action, target, and metadata. Application errors and slow requests are sent to our incident-triage tooling, with personal information redacted before it ever reaches our logs.

Backups and disaster recovery

Automated daily backups of your data are taken by our infrastructure platform, with point-in-time recovery available on supported tiers. We do not delete your data on plan downgrade or trial expiration; deletion only happens on explicit account-closure request, and a final export is offered before deletion completes.

Compliance posture

We follow the same control families that SOC 2 audits enforce — encryption, least-privilege access, audit logging, change management, and incident response — and SOC 2 Type II readiness is in progress on our side. Our infrastructure providers already carry their own SOC 2 Type II attestations covering the layers beneath us.

We honor data-subject rights under GDPR (access, rectification, deletion, portability) and the equivalent rights under CCPA for California residents. To exercise any of those rights, email info@simplescheduler.com from the address associated with your account and we will respond within thirty days.

We are not currently HIPAA-compliant and do not sign Business Associate Agreements. Please do not store protected health information (PHI) in Simple Scheduler.

Reporting a security issue

If you believe you have found a security vulnerability, email security@simplescheduler.com with a description, steps to reproduce, and any relevant logs or screenshots. If that mailbox bounces or you do not get a response within one business day, send the same report to info@simplescheduler.com.

Please do not publicly disclose the issue before we have had a chance to acknowledge and remediate it. We do not currently run a paid bug bounty, but we will publicly credit researchers who report responsibly and request acknowledgement.

Frequently asked questions

Your data is hosted on enterprise-grade cloud infrastructure in the United States. All in-transit traffic uses modern TLS, and data at rest is encrypted using industry-standard ciphers and managed keys.

Have a question we did not answer?

Email security@simplescheduler.com for security topics, or info@simplescheduler.com for anything else. We respond within one business day.