Security & Compliance

Last updated: December 3, 2025

This document outlines our commitment to safeguarding the security and privacy of the data you entrust to us. Here, you will find detailed information about how we host and manage our services, our compliance with international security standards, our data protection practices, and the measures we take to ensure the integrity and availability of our systems.

Hosting Infrastructure

Our application components are hosted across multiple services:

  • Vercel - Hosts our application and serves our web pages
  • Supabase - Manages user authentication and data storage
  • OpenAI - Processes AI requests for time management features
  • Baseten - Provides AI model hosting via Vercel AI Gateway

Authentication and Access Control

Users can access our Services using secure email/password authentication. We implement:

  • Secure password requirements
  • Session management with automatic renewal
  • Invalid password lockout policy
  • Encrypted session tokens

Currently, we do not support Two-Factor Authentication (2FA), but we recommend using strong, unique passwords for your account.

Data Encryption

Data in Transit: All data transmitted between your device and our servers is encrypted using industry-standard SSL/TLS protocols. This applies to all communications, including calendar data, AI interactions, and account information.

Data at Rest: Data stored on our systems is encrypted at rest using industry-standard encryption algorithms provided by our infrastructure partners. Supabase encrypts all data at rest using AES-256 encryption. Data is safeguarded through strong authentication protocols and access controls.

Compliance Certifications

Our servers and infrastructure providers are compliant with major security standards:

Provider    Certifications
Vercel      SOC 2 Type 2, ISO 27001
Supabase    SOC 2 Type 2, GDPR compliant
OpenAI      SOC 2 Type 2, ISO 27001
Baseten     SOC 2 Type 2, HIPAA compliant

Data Storage and Location

Primary Data: User data, calendar events, and time-tracking information are stored in the European Union with Supabase. All data is stored in EU data centers to ensure GDPR compliance.

Backups: Supabase provides automated backups as part of their service to ensure data availability and disaster recovery. Backups are retained according to Supabase's backup retention policies.

Backup and Recovery

Our data recovery strategy includes:

  • Automated Backups: Supabase provides automated backups of all user data with point-in-time recovery capabilities
  • Disaster Recovery: We rely on Supabase's disaster recovery procedures to restore service in case of incidents. Supabase maintains redundancy to ensure high availability
  • Backup Retention: Backups are retained according to Supabase's standard retention policies to ensure data recovery when needed

Data Deletion

When you delete your account or specific data:

  • Data is flagged for deletion immediately
  • Removed from active systems as soon as practicable, typically within 30 days
  • Purged from all backups typically within 90 days

Security Practices

Access Control

Access to live user data is strictly limited to authorized personnel who require it to provide and maintain the Service.

Monitoring and Incident Response

We monitor our systems for potential security threats and have procedures in place to:

  • Detect security incidents promptly
  • Respond to and mitigate threats
  • Notify affected users when required
  • Implement improvements to prevent recurrence

System Integrity

We use automated testing to help ensure the integrity of critical functions. Our infrastructure providers maintain redundancy to support service availability and ensure high uptime.

Third-Party Security

All third-party service providers we work with must meet our security standards and are contractually bound to protect your data. We review our service providers' security practices and compliance status as needed.

Reporting Security Issues

If you discover a security vulnerability or have security-related concerns, please report them immediately:

info@zeitclaim.com

We take all security reports seriously and will investigate and address them in a timely manner.

Updates to This Document

We may update this Security & Compliance document as our practices evolve and improve. As we are a beta service, changes will be posted on this page with an updated date.

For detailed information about how we collect, use, and protect your personal data, please see our Privacy Policy.