SolidCal Security

SolidCal Security

Last updated January 16, 2023

SolidCal values your data and treats security as a first-class feature. This overview highlights how we safeguard data in transit and at rest across the SolidCal platform.

Organizational Security

We’re a focused team with disciplined operational practices:

  • Production infrastructure, source code, and third-party admin consoles are restricted to the SolidCal core team.
  • We enforce randomly generated passwords stored in 1Password and require MFA wherever available.
  • Employees and contractors receive the minimum access required for their role, rarely including production data.
  • Automated dependency and vulnerability scanners alert us to known issues, and we patch aggressively.
  • We do not move production data to unsecured personal devices.

Authentication

When someone signs up for SolidCal’s SolidCal experience, we create a user record containing:

  • First and last name
  • Email address
  • Hashed password (bcrypt with per-user salts)

If a user authenticates via Google, Microsoft, Fastmail, or another OAuth partner, we store the encrypted access and refresh tokens necessary to maintain that connection. Session tokens are encrypted and stored in secure browser cookies during sign-in.

Encryption

All application traffic uses TLS 1.3 with certificates issued and managed by Fly.io. When users connect third-party services (Google, Microsoft, Fastmail, Apple, Stripe, Zoom, etc.), SolidCal encrypts their access tokens before persisting them in our database.

Infrastructure

SolidCal hosts its application on Fly.io, primarily in the IAD (Virginia, US) region, and relies on Crunchy Bridge on AWS (us-east) for PostgreSQL. These providers deliver managed security controls, redundancy, and compliance support.

Learn more about their practices:

Third-Party Access

Users typically connect calendar and conferencing accounts so SolidCal can create events on their behalf and surface real-time availability. We store only the minimum credentials needed to deliver these features and never persist calendar event bodies or attendee data in long-term storage.

Logging

Application logs are streamed to Logflare and retained for 30 days. Logs are encrypted in transit and access is restricted to authorized personnel for debugging and incident response.

Secure Development Lifecycle

Every code change goes through peer review on GitHub, automated testing, and linting before deployment. We favor rapid iteration without compromising security, and CI pipelines enforce quality gates to prevent unsafe releases.

Security FAQs

Do you store copies of my calendar events on your servers?

No. SolidCal queries the calendars that you explicitly connect for conflict checks in near real time when schedulers interact with your booking links. Results may be cached briefly in application memory (less than one minute) but are not persisted.

Are you SOC 2 or ISO 27001 certified?

SolidCal does not yet hold these certifications, but our primary infrastructure providers (Fly.io, AWS via Crunchy Bridge) maintain industry-recognized attestations. Certification is on our roadmap as we scale.

How do I report a potential vulnerability or security concern?

Email support@solidcal.com with a detailed description. While we do not currently offer a bounty program, we review every report promptly.

Report a Concern

If you believe you have discovered a security vulnerability or incident, email support@solidcal.com. While we do not currently offer a bounty, we review every report promptly.