Security & Data Protection

Your data is your business. Here's how we protect it.

We take security seriously because your project data is sensitive. You're trusting us with team schedules, client projects, and capacity planning—we don't take that lightly.

Here's exactly how we protect your information, in plain English.

Infrastructure & Hosting

  • Hosted on industry-leading platforms: We use Vercel for frontend hosting and Render/Supabase for backend services—all SOC 2 Type II certified providers
  • Automatic updates: Security patches are applied automatically to keep infrastructure secure
  • 99.9% uptime guarantee: Our infrastructure providers maintain enterprise-grade availability

Encryption

  • In transit: All data is encrypted with TLS 1.3 (the same security banks use). You'll see the lock icon in your browser
  • At rest: Your database is encrypted with AES-256 encryption, so even if someone physically stole the servers (they won't), your data is unreadable
  • Passwords: We never store your actual password. We use bcrypt hashing with salt, which means even we can't see your password

Authentication & Access Control

  • Secure session management: We use HTTP-only cookies with CSRF protection to prevent common web attacks
  • Role-based access: Team members only see what they need to. Workers see their tasks, PMs see their projects, admins control company settings
  • Automatic logout: Sessions expire after inactivity to protect you if you forget to log out
  • Coming soon: Two-factor authentication (2FA) and Single Sign-On (SSO) for Enterprise customers

Data Privacy & Ownership

  • You own your data. Period. We never sell it, share it, or use it for anything except providing you the service
  • Data isolation: Your company's data is completely separate from other customers. No one else can access it
  • Export anytime: You can export all your data at any time. No lock-in
  • Data deletion: When you close your account, we permanently delete all your data within 30 days (unless you request immediate deletion)

AI & Third-Party Services

  • AI scheduling runs on our servers: Your scheduling data never leaves our secure environment
  • Third-party AI (Anthropic Claude): We use Claude for AI check-ins and insights. Only necessary project context is sent, and Anthropic doesn't train on your data per our agreement
  • Payment processing: We use Stripe for payments. We never see or store your credit card details—Stripe handles that securely
  • Email delivery: We use Resend for transactional emails (password resets, notifications). They're GDPR compliant

Compliance & Regulations

  • GDPR ready: We provide data processing agreements for EU customers and honor all GDPR rights (access, deletion, portability)
  • CCPA compliant: California customers have full control over their data
  • SOC 2 Type II (in progress): We're working on formal certification for enterprise customers

Vulnerability Management

Security isn't a one-time thing—it's ongoing. Here's how we stay ahead:

  • Regular security audits and dependency updates
  • Automated vulnerability scanning in our CI/CD pipeline
  • Monitoring and logging to detect suspicious activity
  • Responsible disclosure program (email security@bravoscheduler.com to report issues)

Questions About Security?

We're happy to answer any security questions you have. Seriously—we'd rather you ask than worry silently.

Email us at security@bravoscheduler.com or see our full Privacy Policy.

Ready to Trust Us With Your Projects?

Start your 14-day free trial. Your data stays secure from day one.
