Trust Center
Built with your customers' data in mind.
This page is maintained by the Calign team to explain what we do to protect the businesses on our platform and the people who book with them. It is not a certification, and it describes controls that are enabled today.
Platform & hosting
Encryption in transit
All traffic between your browser, our servers, and our database is served over HTTPS/TLS. HSTS is preloaded so browsers refuse to talk to us over plain HTTP.
Encryption at rest
The managed Postgres database that stores your bookings, customers, and settings encrypts data on disk. Automated daily backups are also encrypted.
Isolated environments
Development, preview, and production run on separate infrastructure with separate secrets. Preview data never mixes with your live customer data.
Hardened HTTP responses
Every response ships with a strict set of browser security headers (HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy) to block clickjacking, MIME sniffing, and referrer leaks.
Access & account control
Row-level security
Every table that holds business data is protected by row-level security in the database itself. A signed-in user can only read or change the rows their business owns — the rule is enforced at the database layer, not just in application code.
Leaked-password protection
When you or a teammate set a password, we check it against the Have I Been Pwned breach database and reject anything that has already leaked publicly.
Sign in with Google
You can require Google sign-in for you and your team, so account access rides on your existing Google security (2FA, hardware keys, admin recovery) instead of yet another password.
Role-based team access
Team members are added through invite codes tied to your business. Roles (owner, admin, worker) are stored server-side and checked on every privileged operation, so an ordinary teammate can't act as an owner even by hand-crafting a request.
Payments & customer data
Payments handled by Stripe
Card numbers, expiry dates, and CVCs are entered on Stripe-hosted fields and never touch Calign servers. We only receive the payment result and a payment ID we can use to look it up.
Customer data belongs to you
The customer records built up from your bookings are yours. You can export them at any time from the dashboard and remove individual customers on request.
Least-privilege reads
Public pages (your booking link, quote pages) only read the specific columns needed to render — never the full customer or booking record. Sensitive fields are only reachable by the signed-in business owner.
Verified webhooks
External callbacks from Stripe and Google are cryptographically verified before we act on them, so a spoofed request can't create bookings, mark payments as received, or change your calendar.
Operational practices
Minimal server-side logging
We log what's needed to keep the service running and to help you when something breaks. We don't log passwords, card details, or the bodies of customer messages.
Input validation on every write
Every server endpoint validates its input with a schema — required fields, length limits, format checks — before touching the database, which shuts down whole classes of injection and abuse.
Secrets stay server-side
API keys, service-role credentials, and signing secrets are stored server-side only. They are never bundled into the JavaScript that runs in your customers' browsers.
Backups & recovery
The managed database performs automated daily backups with point-in-time recovery, so we can restore your data if something goes wrong on our side.
Report a security issue
If you believe you've found a vulnerability in Calign, email security@calign-ai.com with steps to reproduce. Please don't test against real customer data or run automated scanners; give us a reasonable window to respond before any public disclosure.
This page describes controls that are enabled today and is not a certification. Nothing on this page is legal advice. For questions about how we handle your data, see our Privacy page.