Security at Simple Scheduler
How we protect your scheduling data, your customers' contact details, and your payment information. Plain-English answers to the questions a thoughtful operator (or their IT person) would ask.
Last updated 2026-05-11
Six security commitments
Each commitment maps to a concrete control already shipping in the product. No marketing pixie-dust, just the components doing the work.
Encryption in transit and at rest
Every request to Simple Scheduler uses HTTPS with TLS 1.2 or higher. Postgres data at rest is encrypted by Supabase via AWS-managed keys, and Storage buckets inherit the same encryption-at-rest defaults.
Row-level security on every table
Every multi-tenant table in our database enforces Postgres row-level security (RLS). A signed-in user can only read or write rows where their tenant membership matches, even if a query somehow bypasses the application layer.
Super-admin separation
Platform-operator accounts (super_admin) are tracked in a separate platform_admins table, gated by a dedicated route group, and require an additional explicit grant. A regular tenant admin cannot escalate to super-admin from the app.
Append-only audit log
Sensitive admin actions (user invites, role changes, plan changes, data exports) write to an append-only audit_log table with actor, tenant, action, target, IP, and metadata. Operators review the log from /super-admin/audit.
Stripe handles all card data
Card numbers (PANs) and CVCs are captured by Stripe's hosted Payment Element and never reach Simple Scheduler servers. We store only the Stripe customer reference and the last four digits Stripe returns to us, so the PCI surface stays with Stripe.
Modern authentication
Sign-in is powered by Supabase Auth: email and password with strong-hash storage, magic-link sign-in with single-use tokens, and password recovery via verified email. The Supabase Auth platform supports MFA via TOTP; operator-side rollout is on our roadmap.
Where your data lives
The Simple Scheduler database is hosted on Supabase, a managed Postgres provider that runs on Amazon Web Services. Our project lives in a United States region and the marketing and application servers run on Vercel from the US East (iad1) region. We do not move data outside the United States in the normal course of business.
Supabase manages the underlying Postgres engine, daily backups, point-in-time recovery on supported plans, network isolation, and encryption-at-rest using AWS-managed keys. The platform's own SOC 2 Type II report and HIPAA posture cover the storage layer beneath us.
Encryption in transit and at rest
Every request between your browser, our Vercel functions, and the Supabase API uses HTTPS with TLS 1.2 or higher. Strict-Transport-Security headers are sent on every response, so once a browser has seen the header it refuses to load the site over plain HTTP and will not accept a downgraded connection.
Data at rest in Postgres is encrypted by Supabase using AWS-managed keys. Files uploaded to Supabase Storage (logos, customer attachments) inherit the same encryption-at-rest defaults and are gated by signed URLs with short expirations.
Access control and authorization
Multi-tenancy is enforced at the database layer via Postgres row-level security. Every tenant table includes an RLS policy that calls our reusable is_member_of(tenant_id) or has_role_in(tenant_id, roles) helpers, so a query for a tenant a user does not belong to returns zero rows even if the application code accidentally forgets to filter.
Roles inside a tenant (admin, staff, view_only, customer) are issued via the JWT custom access token hook, then double-checked at the database layer against tenant_memberships. The database is the source of truth: a stale JWT cannot bypass a revoked membership.
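The following Postgres migration shows how helper-backed RLS of the kind described above fits together, including the check that a revoked membership wins over a stale token. It is an added example, not Simple Scheduler's own migration: the helper names, the tenant_memberships table and the four roles come from this page; the column names, the appointments table and the UUIDs in the smoke test are assumptions.

```sql
-- Added example, not the product's own migration. Column names are assumptions.
-- Membership table: the database-side source of truth for who belongs to which tenant.
create table if not exists public.tenant_memberships (
  tenant_id uuid not null,
  user_id   uuid not null references auth.users (id) on delete cascade,
  role      text not null check (role in ('admin', 'staff', 'view_only', 'customer')),
  primary key (tenant_id, user_id)
);

-- Helper: is the caller (auth.uid(), taken from the verified JWT) a member of this tenant?
-- security definer lets it read tenant_memberships regardless of the caller's own policies;
-- the fixed search_path stops a caller from shadowing the table it reads.
create or replace function public.is_member_of(p_tenant_id uuid)
returns boolean
language sql stable security definer
set search_path = public
as $$
  select exists (
    select 1
    from public.tenant_memberships m
    where m.tenant_id = p_tenant_id
      and m.user_id = auth.uid()
  );
$$;

-- Helper: does the caller hold one of the listed roles in this tenant?
-- The role is read from the table, not from the JWT claim, so a revoked or downgraded
-- membership takes effect on the next query even if the token still says "admin".
create or replace function public.has_role_in(p_tenant_id uuid, p_roles text[])
returns boolean
language sql stable security definer
set search_path = public
as $$
  select exists (
    select 1
    from public.tenant_memberships m
    where m.tenant_id = p_tenant_id
      and m.user_id = auth.uid()
      and m.role = any (p_roles)
  );
$$;

-- Only signed-in users may call the helpers; anon and public get nothing.
revoke execute on function public.is_member_of(uuid) from public, anon;
revoke execute on function public.has_role_in(uuid, text[]) from public, anon;
grant execute on function public.is_member_of(uuid) to authenticated;
grant execute on function public.has_role_in(uuid, text[]) to authenticated;

-- Lock the membership table itself: members see their own rows, nobody writes through the
-- API (no insert/update/delete policy). Writes go through privileged server code.
alter table public.tenant_memberships enable row level security;
alter table public.tenant_memberships force row level security;
create policy memberships_select_own on public.tenant_memberships
  for select to authenticated using (user_id = auth.uid());

-- A representative tenant table (assumed name). Every row carries tenant_id; RLS keys on it.
create table if not exists public.appointments (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  starts_at timestamptz not null,
  customer  text
);
alter table public.appointments enable row level security;
alter table public.appointments force row level security;  -- applies to the table owner too

-- Any member may read; admin/staff may create or change; only admin may delete.
-- The update policy's WITH CHECK stops a member from re-homing a row into another tenant.
create policy appointments_select on public.appointments
  for select to authenticated using (public.is_member_of(tenant_id));
create policy appointments_insert on public.appointments
  for insert to authenticated
  with check (public.has_role_in(tenant_id, array['admin', 'staff']));
create policy appointments_update on public.appointments
  for update to authenticated
  using (public.has_role_in(tenant_id, array['admin', 'staff']))
  with check (public.has_role_in(tenant_id, array['admin', 'staff']));
create policy appointments_delete on public.appointments
  for delete to authenticated using (public.has_role_in(tenant_id, array['admin']));

-- Smoke test, run as a privileged user inside a transaction: impersonate an API user and
-- confirm a tenant they do not belong to returns zero rows. request.jwt.claims is the
-- setting Supabase's auth.uid() reads; both UUIDs are constructed for the example.
begin;
  set local role authenticated;
  set local request.jwt.claims to
    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}';
  select count(*) from public.appointments
   where tenant_id = '22222222-2222-2222-2222-222222222222';  -- 0 unless a membership row exists
rollback;
```

Two points worth checking in your own schema: `force row level security` is what makes the guarantee hold even for the table owner, and the service-role connection Supabase gives server code bypasses RLS entirely, so the page's "even if the application layer is bypassed" claim only holds for requests that arrive as `anon` or `authenticated`.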
Platform-operator (super_admin) access lives in a separate platform_admins table with its own gating route group at /super-admin. A tenant admin cannot escalate to super-admin from inside the app; the grant requires direct intervention by an operator.
Authentication
Sign-in is handled by Supabase Auth. Three flows are live today: email and password, magic-link sign-in via single-use tokens delivered through Resend, and password recovery via verified email. Every transactional auth email is sent from noreply@simplescheduler.com on a verified sending domain with SPF, DKIM, and DMARC alignment.
Multi-factor authentication is on the roadmap. Supabase Auth supports TOTP-based MFA at the platform level, and operator-facing enrollment is staged for a future release. Until that ships we recommend long, unique passwords stored in a password manager and a strict policy on shared accounts (do not share them).
Payment security
All payment capture is delegated to Stripe. The signup flow uses the Stripe Payment Element, which renders inside an iframe served by Stripe; card numbers and CVCs are submitted directly to Stripe and never traverse Simple Scheduler infrastructure. Recurring subscriptions, invoicing, and the customer portal all use Stripe-hosted surfaces for the same reason.
We store only the Stripe customer reference, the subscription identifier, and the last four digits Stripe returns to us. We do not see, log, or persist full PANs or CVCs at any point. That keeps the PCI compliance surface with Stripe (a Level 1 service provider) and out of our application.
Audit logging and observability
Sensitive admin actions, including user invites, role changes, plan changes, tenant suspensions, and data exports, write a structured row to an append-only audit_log table with the actor, tenant, action, target, IP address, user agent, and JSON metadata. Platform operators review the log from /super-admin/audit with filters by tenant, actor, action, and date range.
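What "append-only" has to mean at the database layer is more than a naming convention, so here is an added example of how such a table can be locked down in Postgres. It is not Simple Scheduler's own schema: the audit_log and platform_admins table names and the recorded fields come from this page; the column names, the platform_admins layout, the log_audit_event writer and the use of the request.headers setting that PostgREST exposes are assumptions.

```sql
-- Added example, not the product's own schema. Column names and the writer are assumptions.
create table if not exists public.platform_admins (          -- assumed layout
  user_id uuid primary key references auth.users (id) on delete cascade
);

create table if not exists public.audit_log (
  id          bigint generated always as identity primary key,
  occurred_at timestamptz not null default now(),
  actor_id    uuid not null,
  tenant_id   uuid,
  action      text not null,        -- e.g. 'user.invite', 'role.change', 'plan.change', 'export'
  target      text,
  ip          inet,
  user_agent  text,
  metadata    jsonb not null default '{}'::jsonb
);

-- Layer 1: privileges. API roles may insert (and select, narrowed by RLS below);
-- update, delete and truncate are not granted to anyone who talks through the API.
revoke all on public.audit_log from public, anon, authenticated;
grant insert, select on public.audit_log to authenticated;

-- Layer 2: a trigger that refuses changes even from a role that holds the privilege,
-- such as the table owner used by migrations.
create or replace function public.audit_log_is_append_only()
returns trigger
language plpgsql
as $$
begin
  raise exception 'audit_log is append-only: % not permitted', tg_op
    using errcode = 'insufficient_privilege';
end;
$$;

create trigger audit_log_no_update_delete
  before update or delete on public.audit_log
  for each row execute function public.audit_log_is_append_only();

create trigger audit_log_no_truncate
  before truncate on public.audit_log
  for each statement execute function public.audit_log_is_append_only();

-- Layer 3: RLS. A user may only write rows that name themselves as actor (no forging an
-- entry on someone else's behalf), and only platform operators may read.
alter table public.audit_log enable row level security;
alter table public.audit_log force row level security;

create policy audit_log_insert_self on public.audit_log
  for insert to authenticated
  with check (actor_id = auth.uid());

create policy audit_log_select_platform_admin on public.audit_log
  for select to authenticated
  using (exists (select 1 from public.platform_admins p where p.user_id = auth.uid()));

-- Writer called from server code. IP and user agent come from request.headers, the JSON
-- setting PostgREST populates per request (assumed present; absent headers yield NULL).
create or replace function public.log_audit_event(
  p_tenant_id uuid, p_action text, p_target text, p_metadata jsonb default '{}'::jsonb
) returns bigint
language plpgsql security invoker
set search_path = public
as $$
declare
  v_headers jsonb := coalesce(current_setting('request.headers', true), '{}')::jsonb;
  v_id      bigint;
begin
  insert into public.audit_log (actor_id, tenant_id, action, target, ip, user_agent, metadata)
  values (
    auth.uid(), p_tenant_id, p_action, p_target,
    nullif(trim(split_part(v_headers ->> 'x-forwarded-for', ',', 1)), '')::inet,
    v_headers ->> 'user-agent',
    p_metadata
  )
  returning id into v_id;
  return v_id;
end;
$$;

-- Smoke test (constructed): even the owner cannot rewrite history once a row is in.
begin;
  insert into public.audit_log (actor_id, action, target)
  values ('11111111-1111-1111-1111-111111111111', 'role.change', 'user:2222');
  -- update public.audit_log set action = 'tampered' where action = 'role.change';
  --   ERROR:  audit_log is append-only: UPDATE not permitted
rollback;
```

The trigger is the layer most people stop at, but the owner role can drop it; what actually keeps the log trustworthy is that application connections never run as the owner and never hold update or delete on the table. Also note the writer casts the first `x-forwarded-for` entry to `inet`, so a malformed header aborts the insert; decide deliberately whether you would rather lose the IP or fail the action.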
Application errors and slow requests are sent to Sentry (US region) for incident triage. We do not log full request bodies that contain customer PII, and we redact email addresses, phone numbers, and address fields before they reach the logger.
Backups and disaster recovery
The Supabase platform takes automated daily backups of every project, with point-in-time recovery on supported plans. We do not maintain a separate, redundant snapshot pipeline; the platform-managed backups are our only recovery path, and restores are exercised by Supabase as part of their own continuity program rather than by us.
We do not delete your data on plan downgrade or trial expiration. Account closure deletes your tenant after a grace period following the deletion request, and a final export is sent on request before deletion completes.
Compliance posture
We are honest about where we are. SOC 2 Type II readiness is in progress and not yet complete; in the meantime our infrastructure providers (Supabase, AWS, Vercel, Stripe, Resend, Sentry) carry their own SOC 2 Type II attestations, and we follow the same control families those audits enforce: encryption, least-privilege access, audit logging, change management, and incident response.
We honor data-subject rights under GDPR (access, rectification, deletion, portability) and the same rights under CCPA for California residents. To exercise any of those rights, email info@simplescheduler.com from the address associated with your account and we will respond within thirty days.
We are not currently HIPAA-compliant and do not sign Business Associate Agreements. Do not store protected health information (PHI) in Simple Scheduler.
Reporting a security issue
If you believe you have found a security vulnerability, email security@simplescheduler.com with a description, steps to reproduce, and any relevant logs or screenshots. If that mailbox bounces or you do not get a response within one business day, send the same report to info@simplescheduler.com.
Please do not publicly disclose the issue before we have had a chance to acknowledge and remediate it. We do not currently run a paid bug bounty, but we will publicly credit researchers who report responsibly and request acknowledgement.
Frequently asked questions
- Where does my data live? Your data lives in Supabase (managed Postgres on AWS) in a United States region. The marketing and application servers run on Vercel from US East (iad1). All in-transit traffic uses TLS 1.2 or higher, and data at rest is encrypted by the underlying cloud providers.
Have a question we did not answer?
Email security@simplescheduler.com for security topics, or info@simplescheduler.com for anything else. We respond within one business day.