Security Policy
Last updated: May 2026
Security is foundational to PagerSchedule. We protect your scheduling data with industry-standard technical and organisational measures. This page describes our security practices in detail.
1. Our Commitment
We believe that scheduling software handles sensitive professional information — who you meet, when, and why. We take this responsibility seriously. Our security programme is designed to protect your data from unauthorised access, disclosure, alteration, and destruction.
We continuously review and improve our security posture. All security measures described here are active protections in production.
2. Infrastructure Security
Hosting
- PagerSchedule is hosted on Vercel, which maintains SOC 2 Type II certification and implements comprehensive physical and logical security controls
- Our database runs on enterprise-grade PostgreSQL infrastructure in the European Union
- All infrastructure is isolated within private networks with controlled ingress and egress
Network Security
- DDoS protection via Vercel's global edge network
- Web Application Firewall (WAF) for protection against common web attacks
- Rate limiting applied at the edge to prevent abuse
- All external-facing services run exclusively over HTTPS
- Security headers applied on all responses (HSTS, CSP, X-Frame-Options, etc.)
Data Location
- Primary data storage located within the European Union
- Data at rest does not leave EU infrastructure without appropriate safeguards
- Some sub-processors process data outside the EU — see our Privacy Policy for details
3. Data Encryption
Data in Transit
- All communications between your browser and PagerSchedule are encrypted using TLS 1.2 or higher
- TLS 1.0 and 1.1 are disabled. We regularly review and update our cipher suites to use only strong, modern algorithms
- HSTS (HTTP Strict Transport Security) is enforced to prevent downgrade attacks
Data at Rest
- All data stored in our database is encrypted at rest using AES-256
- Database encryption keys are managed separately from the data they protect
- Backups are encrypted before storage
Sensitive Credentials
- Passwords are hashed using bcrypt with a high work factor; the resulting hashes are mathematically irreversible, and passwords are never stored in plain text
- API keys and calendar OAuth tokens are encrypted in the database using AES-256 before storage
- Two-factor authentication backup codes are stored encrypted
4. Authentication Security
- Two-factor authentication (2FA): Available for all accounts via authenticator app (TOTP), email code, or SMS. We strongly recommend enabling 2FA
- Account lockout: Accounts are automatically locked after repeated failed login attempts to prevent brute-force attacks
- Secure session management: Sessions are cryptographically signed, expire automatically, and are invalidated on logout or password change
- OAuth 2.0: Social login (Google, Microsoft) uses industry-standard OAuth 2.0 flows. We never see or store your Google or Microsoft password
- CSRF protection: All state-changing requests are protected against cross-site request forgery
- Secure cookies: Session tokens are set with HttpOnly, Secure, and SameSite attributes
5. Application Security
- SQL injection prevention: All database queries use parameterised statements via Prisma ORM — raw SQL is never constructed from user input
- XSS protection: User-generated content is sanitised and escaped before rendering. Content Security Policy headers restrict script execution
- Input validation: All API inputs are validated and type-checked using Zod schema validation before processing
- Rate limiting: API endpoints are rate-limited to prevent abuse and denial-of-service attempts
- Dependency management: We monitor dependencies for known vulnerabilities using automated scanning tools and apply security patches promptly
- Security headers: Comprehensive HTTP security headers are applied to all responses
6. Access Controls
- Role-based access control (RBAC) restricts what each user can see and do
- Team members can only access data within their team — cross-team data access is blocked at the application layer
- All administrative actions (account changes, data exports, team management) are recorded in audit logs
- PagerSchedule employee access to production systems follows the principle of least privilege — staff only have access to the minimum data needed for their role
- Production access is subject to multi-factor authentication
- Access privileges are reviewed and revoked when no longer required
7. Monitoring and Incident Response
- 24/7 error monitoring: All application errors are captured and alerted via Sentry, with automated escalation for critical issues
- Uptime monitoring: Service availability is checked every 5 minutes from multiple geographic locations
- Anomaly detection: Unusual access patterns, login spikes, and suspicious activity trigger automated alerts
- Incident response plan: We maintain a documented security incident response procedure with defined escalation paths and communication timelines
- Data breach notification: In the event of a breach affecting your data, we will notify you within 72 hours as required by GDPR
8. Backup and Recovery
- Automated database backups run daily
- Backups are retained for 30 days
- All backups are encrypted before storage
- Backup restoration is tested regularly to verify integrity
- Our recovery time objective (RTO) for major incidents is 4 hours
- Our recovery point objective (RPO) is 24 hours (maximum data loss in a worst-case scenario)
9. Responsible Vulnerability Disclosure
Found a security issue?
Please report it to security@pagerschedule.com. We aim to acknowledge all reports within 24 hours and provide a remediation timeline within 5 business days.
We ask that you:
- Give us reasonable time to investigate and fix the issue before public disclosure
- Do not access or modify data that does not belong to you
- Do not perform denial-of-service testing
- Act in good faith
We do not pursue legal action against researchers who act in good faith in accordance with this policy. We are committed to working collaboratively with the security community to keep PagerSchedule secure.
10. Compliance and Certifications
- GDPR compliant: We comply with the EU General Data Protection Regulation and UK GDPR — see our Privacy Policy
- SOC 2: We are working towards SOC 2 Type II certification. Our infrastructure provider (Vercel) is SOC 2 Type II certified
- Encryption standards: We follow NIST guidelines for cryptographic standards
Enterprise customers may request our security questionnaire or data processing addendum by emailing legal@pagerschedule.com.