Security posture
This page describes the security controls currently enabled on Smart Scheduler AI. It is not an independent certification - treat it as our public statement of practice, co-owned with our customers under a shared-responsibility model.
Data residency
Your Smart Scheduler AI data is hosted in Sydney, Australia on Lovable Cloud (Supabase infrastructure). Backups stay in-region.
Row-level security
Every public table has explicit RLS policies plus GRANTs. User roles live in a dedicated `user_roles` table with security-definer functions - never on profile records.
OAuth token encryption
Per-user calendar OAuth tokens (Google, Microsoft) are encrypted at rest with an application-level key held only in server-side environment variables.
MCP access control
The MCP server at /mcp is OAuth 2.1 gated via Supabase. Write tools additionally require an owner or admin role on the requested organisation.
Webhook signature verification
Every public webhook endpoint (Paddle, calendar providers) verifies the provider signature with timing-safe comparison before performing any write.
Quarterly restore drills
We run a documented restore drill every quarter and log the results in an audit table. Failure to drill blocks the release checklist.
Notification sandbox
Demo, reviewer, and internal tenants are hard-blocked from sending real SMS or email at the provider layer. Test-mode banners appear on every payment surface.
Vulnerability reporting
Responsible disclosure: email security@smart-scheduler.com. We respond within 3 business days and coordinate a fix window before public disclosure.