Trust Center

Built with your customers' data in mind.

This page is maintained by the Calign team to explain what we do to protect the businesses on our platform and the people who book with them. It is not a certification, and it describes controls that are enabled today.

Platform & hosting

Encryption in transit

All traffic between your browser, our servers, and our database is served over HTTPS/TLS. HSTS is preloaded so browsers refuse to talk to us over plain HTTP.

Encryption at rest

The managed Postgres database that stores your bookings, customers, and settings encrypts data on disk. Automated daily backups are also encrypted.

Isolated environments

Development, preview, and production run on separate infrastructure with separate secrets. Preview data never mixes with your live customer data.

Hardened HTTP responses

Every response ships with a strict set of browser security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy) to block clickjacking, MIME sniffing, and referrer leaks.

Access & account control

Row-level security

Every table that holds business data is protected by row-level security in the database itself. A signed-in user can only read or change the rows their business owns — the rule is enforced at the database layer, not just in application code.

Leaked-password protection

When you or a teammate set a password, we check it against the Have I Been Pwned breach database and reject anything that has already leaked publicly.

Sign in with Google

You can require Google sign-in for you and your team, so account access rides on your existing Google security (2FA, hardware keys, admin recovery) instead of yet another password.

Role-based team access

Team members are added through invite codes tied to your business. Roles (owner, admin, worker) are stored server-side and checked on every privileged operation, so an ordinary teammate can't act as an owner even by hand-crafting a request.

Payments & customer data

Payments handled by Stripe

Card numbers, expiry dates, and CVCs are entered on Stripe-hosted fields and never touch Calign servers. We only receive the payment result and a payment ID we can use to look it up.

Customer data belongs to you

The customer records built up from your bookings are yours. You can export them at any time from the dashboard and remove individual customers on request.

Least-privilege reads

Public pages (your booking link, quote pages) only read the specific columns needed to render — never the full customer or booking record. Sensitive fields are only reachable by the signed-in business owner.

Verified webhooks

External callbacks from Stripe and Google are cryptographically verified before we act on them, so a spoofed request can't create bookings, mark payments as received, or change your calendar.

Operational practices

Minimal server-side logging

We log what's needed to keep the service running and to help you when something breaks. We don't log passwords, card details, or the bodies of customer messages.

Input validation on every write

Every server endpoint validates its input with a schema — required fields, length limits, format checks — before touching the database, which shuts down whole classes of injection and abuse.

Secrets stay server-side

API keys, service-role credentials, and signing secrets are stored server-side only. They are never bundled into the JavaScript that runs in your customers' browsers.

Backups & recovery

The managed database performs automated daily backups with point-in-time recovery, so we can restore your data if something goes wrong on our side.

Report a security issue

If you believe you've found a vulnerability in Calign, email security@calign-ai.com with steps to reproduce. Please don't test against real customer data or run automated scanners; give us a reasonable window to respond before any public disclosure.

This page describes controls that are enabled today and is not a certification. Nothing on this page is legal advice. For questions about how we handle your data, see our Privacy page.

Try Calign with confidence.

Free forever plan. No card required. Cancel anytime.

Get started