Trust
Security at Slotly
A minimal, modern stack is the strongest argument we can make. Here's what protects your calendar and your guests.
Encryption everywhere
TLS 1.3 in transit. AES-256 at rest via Supabase managed Postgres. Auth cookies are httpOnly and signed.
Auth that doesn't roll its own crypto
Supabase Auth handles password hashing (bcrypt), JWTs, and OAuth handshakes. We don't store raw passwords.
Minimal infrastructure
Vercel (Next.js runtime + edge) + Supabase (Postgres + Auth). Both SOC 2 Type II. Region-pinned to us-east-1.
Least privilege
Database access is server-only via Prisma with a single connection string in Vercel encrypted env. No anon-role table access — Row Level Security on by default.
Audit trail
Every code change is reviewed and shipped via GitHub + Vercel. Migrations are tracked in supabase_migrations. Production logs are retained for 7 days.
Incident response
We commit to acknowledging security reports within 24 hours and patching critical issues within 7 days. Customers are notified of breaches within 72 hours per GDPR.
Found a vulnerability?
We appreciate responsible disclosure. Email security@getslotly.io with reproduction steps and we'll respond within 24 hours. Please don't run automated scanners against production — they trip our rate limits.
For compliance documentation (SOC 2 reports from our subprocessors, DPA, security questionnaires), see /legal/dpa or contact hello@getslotly.io.