Built for calendars
that matter.
AI agents have real write access to real calendars. We treat that access accordingly. Here is how Openavail protects your data and your organization's schedule.
Minimal calendar storage
Availability checks are streamed from the provider at arbitration time. Openavail stores the booking metadata and audit records needed to explain decisions and detect drift.
Refresh tokens encrypted at rest
Google OAuth refresh tokens are encrypted with AES-256-GCM before storage. Each token uses a unique encryption key (DEK), which is itself encrypted by AWS KMS, so raw key material never touches the database.
Short-lived session cookies
Dashboard sessions use HttpOnly, Secure, SameSite=None cookies with a 30-day TTL. No session JWTs are stored in localStorage; localStorage is limited to non-sensitive dashboard hints.
Agent API key hashing
API key material is shown exactly once at creation time. We store only an Argon2id-derived hash. Key compromise is limited to the specific agent and permission scope it was issued for.
Least-privilege access for every agent.
Each agent is registered with an explicit permission scope. API keys are issued per agent and can be revoked individually without touching other agents or sessions. Every key usage is recorded in the audit log with the key's reference ID.
Where we are and where we're going.
Scoped for after the v1 launch. No audit period scheduled yet.
Scoped alongside SOC 2 after the v1 launch.
Designed for GDPR-aligned use. The DPA and subprocessor list will be finalized before paid business use.
If you discover a security vulnerability in Openavail, please email security@openavail.com. We will acknowledge within 48 hours and aim to resolve critical issues within 14 days. We request that you do not disclose publicly until we have had the opportunity to remediate.