Security

Last updated: 2026-05-23

Heldly is built so that ISO27001 / SOC2-certified customers can adopt us without making their auditors uncomfortable. We are not certified ourselves at launch, but we provide the control set that vendor-management questionnaires ask for. If a control listed below is missing or unclear, write to security@heldly.io.

Architecture: Heldly owns the calendar integration end-to-end

You grant Heldly Google Calendar access once, at sign-in. Heldly uses that grant to read your availability when you ask Claude for times, place tentative holds across every host's calendar at propose time, confirm the chosen slot the instant your invitee picks, and delete the unpicked siblings in the same request — so you never open a scheduling UI and never have to clean up holds yourself.

Tokens are scoped to the minimum required (Googlecalendar.events +calendar.readonly+ sign-in identity), stored server-side under Supabase's at-rest encryption, and never returned to clients. You can revoke Heldly's Google access at any time from your Google account permissions page; the next API call surfaces the disconnection cleanly and Heldly stops touching your calendar until you reconnect.

Heldly only reads and writes calendar events related to meetings you initiate through the service. Free/busy is read within the window you specify; no event content from unrelated meetings is stored or transmitted off-platform.

Data residency: EU only

Heldly runs on Vercel and Supabase, both pinned to EU regions. The application server runs on Vercel's Stockholm (`arn1`) region. The Postgres database, materialized views, and object storage live in Supabase's EU-West (`eu-west-1`, Dublin, Ireland) region. No customer data leaves the EU at rest. The only US round-trips are outbound: Stripe for billing and Resend for email delivery — both required for the product to function and both subprocessors are listed on our subprocessor page.

Encryption

In transit. TLS 1.2+ on every public endpoint. HSTS preloaded.
At rest. AES-256 for Postgres + object storage (Supabase default).
Secrets. Application secrets live in Vercel env (encrypted), never in the database. OAuth tokens issued by our MCP server are sha256-hashed at rest; we never store plaintext bearer tokens.

Authentication

Web sessions. Google OAuth (sign-in scope only — no calendar scope). Session JWT is HS256, 30-day rolling, HttpOnly + Secure + SameSite=Lax cookie.
Business SSO. SAML and OIDC via WorkOS, self-serve setup via the Admin Portal. SCIM (Directory Sync) provisions seats and revokes them within minutes of an offboarding event.
MCP connector. OAuth 2.1 with Dynamic Client Registration (RFC 7591) and PKCE-S256 mandatory. Public clients only — no client secrets. Single scope: mcp. Tokens revocable via RFC 7009.

Audit log

Every state-mutating action — meeting proposed / cancelled, member invited / revoked, subscription change, ops action, audit export — writes to an append-only ledger. Workspace admins can browse the ledger at /settings/audit and export filtered windows to CSV. Default retention is 400 days, configurable per workspace up to 7 years on the Business plan. Invitee email addresses are redacted at write (s***@acme.com) so the log itself isn't a PII liability.

Breach commitment

We notify affected customers within 72 hours of confirming a personal-data breach, in line with GDPR Article 33, and provide:

nature of the breach,
categories and approximate volumes of data affected,
likely consequences,
measures taken or proposed to address it.

Reports go to security@heldly.io and reach the founders directly.

Pen testing & vulnerability response

We commit to a third-party penetration test within six months of GA, and annually thereafter. The most recent attestation letter is available to Team customers under NDA.

Reports of vulnerabilities can be sent to security@heldly.io. See /.well-known/security.txt. We acknowledge reports within 1 business day and aim to resolve high-severity issues within 30 days.

Backups & continuity

Supabase point-in-time recovery is enabled with a 7-day window. We run a quarterly restore drill against a non-production project to verify that PITR meets RPO/RTO targets (RPO ≤ 5 min, RTO ≤ 4 h).

Engineering practices

Branch protection on main; required code review.
CI runs typecheck + build on every PR before merge.
Dependabot for dependency vulnerability tracking.
All production deploys go through Vercel; rollback is one click.
Production access is limited to the founders and gated by the same SSO + 2FA they use for the rest of their stack.

Compliance posture

GDPR. EU residency; DPA available without a sales call (/security/dpa); data-subject access via your workspace admin (or directly via privacy@heldly.io).
ISO27001-friendly. Control set above maps to Annex A controls A.5–A.18. We are not certified at launch.
SOC2-friendly. Same control set covers the SOC2 Common Criteria (CC1–CC9). We are not attested at launch.

Get in touch

Security questions: security@heldly.io
Vulnerability reports: /.well-known/security.txt
DPA: /security/dpa
Subprocessors: /security/subprocessors