Security
ScholarCal is built with security as a core requirement, not an afterthought. Here is how we protect your data.
Encryption
All data is encrypted in transit (TLS 1.2+) and at rest. Database-level encryption via Supabase infrastructure.
OAuth-Based Linking
Calendar connections use OAuth 2.0 — we never ask for or store your third-party passwords.
Row-Level Security
Every database query is scoped to your user ID via Supabase RLS policies. No user can access another's data.
Audit Logging
Event creation, updates, and deletions are logged in the audit_events table with timestamps and source tracking.
Token Refresh
OAuth tokens are refreshed automatically with optimistic locking to prevent race conditions during concurrent syncs.
Disconnect = Delete
When you disconnect an integration, all associated tokens and sync state are deleted immediately.
Responsible Disclosure
If you discover a security vulnerability, please report it responsibly. We appreciate your help in keeping ScholarCal safe.
How to Report
- Email security@scholarcal.com with a description of the vulnerability.
- Include steps to reproduce, impact assessment, and any proof-of-concept.
- We will acknowledge receipt within 48 hours and provide updates on remediation.
- Please do not publicly disclose the vulnerability until we have addressed it.
Access Controls
- All API routes require Supabase authentication via session cookies or API keys.
- Service-role access is limited to edge functions and server-side operations.
- Calendar feed tokens are unique per-user and can be regenerated at any time.
- Shared calendar access uses role-based permissions (owner, editor, viewer).