Built for calendars that matter.
AI agents have real write access to real calendars. We treat that access accordingly. Here is how Openavail protects your data and your organization's schedule.
No persistent calendar data
Openavail does not store your calendar events. Availability checks are streamed from the provider at arbitration time and discarded. Only arbitration outcomes (the audit log) are persisted.
Refresh tokens encrypted at rest
Google OAuth refresh tokens are encrypted with AES-256-GCM before storage. The encryption key is rotated quarterly. Governance plan customers can bring their own key (BYOK).
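One way to implement the scheme described above, as an added example rather than Openavail's own code: each stored value carries the id of the key that sealed it, so records written before a quarterly rotation still decrypt and can be re-encrypted under the current key. The dot-separated envelope, the key ids, the binding of the user id as associated data, and the function names are all assumptions.

```javascript
const crypto = require('node:crypto');

// Constructed key ring (assumption): key id -> 32-byte AES-256 key.
// Real keys would come from a KMS or secret store, never from source code.
const keyRing = new Map([
  ['2026q1', crypto.randomBytes(32)], // previous quarter, kept for decryption only
  ['2026q2', crypto.randomBytes(32)], // current quarter
]);
const activeKeyId = '2026q2'; // every new encryption uses this key

// Encrypt a refresh token into "keyId.iv.ciphertext.tag" (hypothetical envelope).
// Key id and user id are authenticated as AAD, so a ciphertext copied into
// another user's row, or relabelled with another key id, fails to decrypt.
function sealToken(userId, refreshToken, keyId = activeKeyId) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', keyRing.get(keyId), iv);
  cipher.setAAD(Buffer.from(`${keyId}|${userId}`));
  const ct = Buffer.concat([cipher.update(refreshToken, 'utf8'), cipher.final()]);
  const parts = [iv, ct, cipher.getAuthTag()].map((b) => b.toString('base64url'));
  return [keyId, ...parts].join('.');
}

// Decrypt with whichever key sealed the value; throws on any tampering.
function openToken(userId, sealed) {
  const [keyId, iv, ct, tag] = sealed.split('.');
  const key = keyRing.get(keyId);
  if (!key) throw new Error(`unknown key id: ${keyId}`);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(iv, 'base64url'));
  decipher.setAAD(Buffer.from(`${keyId}|${userId}`));
  decipher.setAuthTag(Buffer.from(tag, 'base64url'));
  // final() throws if the tag does not match the ciphertext and AAD.
  const pt = Buffer.concat([decipher.update(Buffer.from(ct, 'base64url')), decipher.final()]);
  return pt.toString('utf8');
}

// Rotation step: re-encrypt a record that is still sealed under a retired key.
// Once no stored record references the old key id, that key can be destroyed.
function rewrapIfStale(userId, sealed) {
  if (sealed.startsWith(`${activeKeyId}.`)) return sealed;
  return sealToken(userId, openToken(userId, sealed));
}
```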
Short-lived session cookies
Dashboard sessions use HttpOnly, SameSite=Lax cookies with a 24-hour TTL. No JWTs stored in localStorage. Sign-out immediately invalidates the server-side session.
Agent API key hashing
API key material is shown exactly once at mint time. We store only an Argon2id-derived hash. Key compromise is limited to the specific agent and permission scope it was issued for.
Least-privilege access for every agent.
Each agent is registered with an explicit permission scope. API keys are issued per agent and can be revoked individually without touching other agents or sessions. Every key usage is recorded in the audit log with the key's reference ID.
Where we are and where we're going.
Audit period begins Q3 2026. Report expected Q1 2027.
Scoped alongside SOC 2. Targeting certification in 2027.
Data processing agreement available on request for Team and Governance plans.
Bring your own key for refresh-token and audit-log encryption.
If you discover a security vulnerability in Openavail, please email [email protected]. We will acknowledge within 48 hours and aim to resolve critical issues within 14 days. We request that you do not disclose publicly until we have had the opportunity to remediate.