Security & Compliance
CalFlow employs institutional data practices to isolate scheduling links, protect client files, and secure upfront transaction balances.
Data Isolation & Encryption
All account data, scheduling structures, and contact databases are hosted inside MongoDB instances with TLS 1.3 in-transit encryption and AES-256 at-rest disk encryption. Multi-tenant boundary rules isolate workspaces.
Isolated Attachments R2 Vaults
Client files uploaded during scheduling are immediately isolated inside private Cloudflare R2 object storage buckets. Files are accessed via temporary presigned URLs, generated programmatically only for verified hosts.
OAuth & Stripe Connections Privacy
We sync calendar data using OAuth 2.0 without saving account credentials directly in our database. Payment checkouts are executed under Stripe's PCI DSS-compliant infrastructure, avoiding local storage of financial instruments.
SOC 2 Compliance Boundaries
CalFlow's server logic, database structures, and Cloudflare routing are continuously monitored to satisfy SOC 2 Type II security principles.