Trust

Security at Slotly

A minimal, modern stack is the strongest argument we can make. Here's what protects your calendar and your guests.

Encryption everywhere

TLS 1.3 in transit. AES-256 at rest via Supabase managed Postgres. Auth cookies are httpOnly and signed.

Auth that doesn't roll its own crypto

Supabase Auth handles password hashing (bcrypt), JWTs, and OAuth handshakes. We don't store raw passwords.

Minimal infrastructure

Vercel (Next.js runtime + edge) + Supabase (Postgres + Auth). Both SOC 2 Type II. Region-pinned to us-east-1.

Least privilege

Database access is server-only via Prisma with a single connection string in Vercel encrypted env. No anon-role table access — Row Level Security on by default.

Audit trail

Every code change is reviewed and shipped via GitHub + Vercel. Migrations are tracked in supabase_migrations. Production logs are retained for 7 days.

Incident response

We commit to acknowledging security reports within 24 hours and patching critical issues within 7 days. Customers are notified of breaches within 72 hours per GDPR.

Found a vulnerability?

We appreciate responsible disclosure. Email security@getslotly.io with reproduction steps and we'll respond within 24 hours. Please don't run automated scanners against production — they trip our rate limits.

For compliance documentation (SOC 2 reports from our subprocessors, DPA, security questionnaires), see /legal/dpa or contact hello@getslotly.io.