Security

Built for calendars
that matter.

AI agents have real write access to real calendars. We treat that access accordingly. Here is how Openavail protects your data and your organization's schedule.

Architecture

Minimal calendar storage

Availability checks are streamed from the provider at arbitration time. Openavail stores the booking metadata and audit records needed to explain decisions and detect drift.

Refresh tokens encrypted at rest

Google OAuth refresh tokens are encrypted with AES-256-GCM before storage. Each token uses a unique encryption key (DEK), which is itself encrypted by AWS KMS, so raw key material never touches the database.

Short-lived session cookies

Dashboard sessions use HttpOnly, Secure, SameSite=None cookies with a 30-day TTL. No session JWTs are stored in localStorage; localStorage is limited to non-sensitive dashboard hints.

Agent API key hashing

API key material is shown exactly once at creation time. We store only an Argon2id-derived hash. Key compromise is limited to the specific agent and permission scope it was issued for.

Agent API keys

Least-privilege access for every agent.

Each agent is registered with an explicit permission scope. API keys are issued per agent and can be revoked individually without touching other agents or sessions. Every key usage is recorded in the audit log with the key's reference ID.

ScopePer-agent, declared at registration time.
Formatak_ prefix, Argon2id-hashed storage, shown once.
RotationMint a new key, revoke the old one. No downtime required.
AuditEvery request carries the key reference ID in the audit row.
ExpiryKeys do not expire automatically. Manual revocation is instant.
Network and transport
All traffic over TLS 1.3. TLS 1.0 and 1.1 are rejected.
HSTS with a one-year max-age and includeSubDomains.
Strict CSP headers on the dashboard.
API endpoints are rate-limited. Requests over quota receive a 429 response.
Compliance

Where we are and where we're going.

SOC 2 Type IIPlanned

Scoped for after the v1 launch. No audit period scheduled yet.

ISO 27001Planned

Scoped alongside SOC 2 after the v1 launch.

GDPRDesigned for

Designed for GDPR-aligned use. The DPA and subprocessor list will be finalized before paid business use.

Responsible disclosure

If you discover a security vulnerability in Openavail, please email security@openavail.com. We will acknowledge within 48 hours and aim to resolve critical issues within 14 days. We request that you do not disclose publicly until we have had the opportunity to remediate.