Enterprise-Grade Security For Every Plan
Schedly is built on the principle that security is not a premium feature. Every account — free or paid — runs on the same enterprise-grade infrastructure with the same security controls.
Independent verification, every year
We don't self-certify. Our security controls are verified by independent third-party auditors annually.
SOC 2 Type II
Annual third-party audit verifying security, availability, processing integrity, confidentiality, and privacy trust service criteria.
Our SOC 2 Type II audit is conducted by an independent AICPA-accredited auditor and covers a full 12-month audit period. The report is available to enterprise customers under NDA.
HIPAA Eligible
Business Associate Agreement (BAA) available on Pro plans. Signed and returned within 24 hours. Covers all PHI handling requirements.
Our HIPAA program covers administrative, technical, and physical safeguards. BAA available on Schedly Pro. Request via support portal.
GDPR Compliant
Full compliance with EU General Data Protection Regulation. Data Processing Addendum (DPA) available. EU data residency options available.
We have implemented all required GDPR safeguards including lawful basis documentation, data subject rights procedures, and breach notification protocols.
CCPA Compliant
California Consumer Privacy Act compliance with full data subject request handling and opt-out mechanisms implemented.
California residents can exercise all CCPA rights including data access, deletion, and opt-out of sale (we don't sell data). Submit requests to privacy@schedly.io.
ISO 27001
Information security management aligned with ISO/IEC 27001 framework covering risk assessment, security controls, and continuous improvement.
Our information security management program is structured around ISO 27001 controls. Formal certification audit currently in progress.
PCI DSS
Payment Card Industry Data Security Standard compliance for all payment data handling. Schedly uses Stripe for payment processing — fully PCI Level 1 certified.
We never store raw card data. All payment processing runs through Stripe, which maintains PCI DSS Level 1 compliance — the highest tier available.
TLS 1.3
All data in transit encrypted with TLS 1.3 — the strongest transport security standard, offering perfect forward secrecy and faster handshakes.
TLS 1.2 and below are disabled. All connections are encrypted end-to-end. Certificate transparency logs are monitored continuously.
AES-256 Encryption
All data at rest encrypted with AES-256 — bank-grade encryption. Encryption keys managed via AWS KMS with automatic annual rotation.
Database encryption, file storage encryption, and backup encryption all use AES-256. Key rotation happens automatically with no service interruption.
Penetration Testing
Annual third-party penetration testing by independent security firms. Critical findings remediated within 72 hours. Results reviewed by security leadership.
Our pen tests cover web application, API, mobile, and infrastructure layers. Test reports available to enterprise customers under security NDA.
HIPAA-Eligible with BAA Included in Pro
Healthcare providers — therapists, physicians, psychologists, counselors, dentists — require scheduling software that handles Protected Health Information (PHI) correctly. Schedly Pro includes everything required for HIPAA-eligible scheduling.
What PHI does Schedly handle?
Schedly handles names, contact information, appointment times, and intake form responses that may contain health-related information. All of this is treated as PHI under your BAA.
Is the BAA included with Pro or does it cost extra?
The BAA is available on Schedly Pro. Contact the support team for current BAA pricing. No enterprise plan upgrade is required for HIPAA eligibility.
Can I use Schedly's intake forms for clinical intake?
Yes. Many healthcare providers use Schedly intake forms to collect health history, consent forms, and insurance information before appointments.
Does Schedly's confirmation email include PHI?
Confirmation emails include appointment details (time, duration, provider). For practices requiring additional PHI safeguards in communications, consult your HIPAA compliance officer on the appropriate configuration.
What's the BAA request process?
Submit a BAA request through the Schedly support portal. Most BAAs are signed and returned within 24 hours. The BAA is a standard HIPAA Business Associate Agreement — feel free to have your compliance attorney review.
Built on the same infrastructure as the world's largest enterprises
AWS, Cloudflare, and continuous monitoring — the full enterprise security stack.
AWS Multi-Region
Schedly runs on Amazon Web Services across multiple availability zones. No single point of failure. Automatic failover maintains service availability if any zone experiences issues. AWS holds 143 security, compliance, and certification programs.
Cloudflare DDoS & WAF
All traffic passes through Cloudflare's global network, providing enterprise-grade DDoS protection (mitigating attacks up to 193 Tbps), a Web Application Firewall that blocks 184,000+ known attack signatures, and bot protection.
Real-Time Monitoring 24/7
Security event monitoring runs 24/7/365. Anomalous access patterns, unexpected privilege escalations, unusual data access volumes, and geographic anomalies trigger immediate automated alerts and manual investigation.
Automated Backups
Full database backups every 6 hours. Point-in-time recovery available for 30 days. Backup integrity verified automatically with restoration tests run monthly. Backups stored in separate AWS region from primary data.
99.97% Historical Uptime
Our 99.9% SLA guarantees a maximum of 8.7 hours of downtime per year. Our actual trailing 12-month uptime of 99.97% reflects our investment in redundant infrastructure. Status page available at status.schedly.io.
Vulnerability Management
Automated dependency scanning runs on every code deployment. CVE database monitoring triggers alerts for newly discovered vulnerabilities in our stack. Critical patches deployed within 24 hours, high severity within 72 hours.
99.9% Uptime SLA — Guaranteed
Our SLA is 99.9%. Our actual trailing 12-month performance is 99.97%.
You control who sees what
Granular access controls ensure every team member has exactly the access they need — nothing more.
Multi-Factor Authentication (MFA)
MFA available for all accounts. Administrators on team plans can enforce MFA organization-wide. Supports TOTP authenticator apps and SMS verification.
Role-Based Access Control (RBAC)
Granular permissions on team plans: Admin, Manager, and Member roles. Configure exactly what each team member can view, edit, export, or delete.
SAML 2.0 Single Sign-On (SSO)
Enterprise SSO integration with Okta, Azure AD, Google Workspace, OneLogin, and any SAML 2.0 compatible identity provider.
Session Security
Automatic session expiry after configurable inactivity period. Admins can remotely invalidate all active sessions across devices. Session tokens rotated on privilege changes.
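The three session controls named above (inactivity expiry, token rotation on a privilege change, and remote invalidation of every session a user holds) fit in one small server-side store. The following is an added illustration, not Schedly's code: the `SessionStore` API, the per-user generation counter used for "log out everywhere", and the injectable clock are assumptions made for the example.

```python
"""Server-side session store illustrating inactivity expiry, token rotation on a
privilege change and remote invalidation of all of a user's sessions.

Added example, not Schedly's code. The class, its method names and the
clock-injection pattern are assumptions for illustration only.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user_id: str
    role: str
    last_seen: float
    generation: int  # must match the user's current generation to stay valid


class ManualClock:
    """Deterministic clock so expiry can be exercised without sleeping."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class SessionStore:
    def __init__(self, idle_timeout_s: float, clock: Callable[[], float] = time.monotonic) -> None:
        self.idle_timeout_s = idle_timeout_s
        self._clock = clock
        self._sessions: Dict[str, Session] = {}
        self._user_generation: Dict[str, int] = {}

    @staticmethod
    def _new_token() -> str:
        # 256-bit random token; a production store would keep only a hash of it
        return secrets.token_urlsafe(32)

    def create(self, user_id: str, role: str) -> str:
        gen = self._user_generation.setdefault(user_id, 0)
        token = self._new_token()
        self._sessions[token] = Session(user_id, role, self._clock(), gen)
        return token

    def resolve(self, token: str) -> Optional[Session]:
        """Return the live session for token, or None if it is unknown, idle-expired
        or belongs to a generation that has been invalidated."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        idle_expired = now - s.last_seen > self.idle_timeout_s
        revoked = s.generation != self._user_generation.get(s.user_id, 0)
        if idle_expired or revoked:
            self._sessions.pop(token, None)
            return None
        s.last_seen = now  # activity extends the inactivity window
        return s

    def change_role(self, token: str, new_role: str) -> Optional[str]:
        """Apply a privilege change and rotate the token, so a copy of the old
        token captured before the change cannot use the new privileges."""
        s = self.resolve(token)
        if s is None:
            return None
        del self._sessions[token]
        new_token = self._new_token()
        self._sessions[new_token] = Session(s.user_id, new_role, self._clock(), s.generation)
        return new_token

    def invalidate_all(self, user_id: str) -> None:
        """Admin 'sign out everywhere': bump the user's generation so every
        existing session fails resolve() on its next use, whichever device holds it."""
        self._user_generation[user_id] = self._user_generation.get(user_id, 0) + 1


if __name__ == "__main__":
    clock = ManualClock()
    store = SessionStore(idle_timeout_s=15 * 60, clock=clock)
    old = store.create("user-1", "member")
    new = store.change_role(old, "admin")
    print("old token still valid after role change:", store.resolve(old) is not None)
    print("new token role:", store.resolve(new).role)
    clock.t += 16 * 60
    print("new token valid after 16 min idle:", store.resolve(new) is not None)
```

The generation counter is what makes "invalidate all sessions across devices" cheap: nothing has to enumerate the user's tokens, and a token that is never presented again simply ages out.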
API Key Management
Rotating API keys with configurable scope and expiry. All API requests logged with full audit trail including IP, user agent, and request details. Rate limiting enforced.
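The checks described above (a key that carries a scope and an expiry, per-key rate limiting, and an audit record carrying IP, user agent and request details for every call) can be demonstrated in a single authorization routine. This is an added example and not Schedly's API: the key prefix, scope names, token-bucket parameters and audit record fields are assumptions chosen for illustration.

```python
"""API key authorization illustrating scope and expiry validation, per-key
token-bucket rate limiting and an audit record for every request.

Added example, not Schedly's code. Key format, scope names, bucket sizes and
the audit record layout are assumptions for illustration only.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple


@dataclass
class ApiKey:
    scopes: FrozenSet[str]
    expires_at: float


@dataclass
class TokenBucket:
    capacity: int
    refill_per_s: float
    tokens: float
    last: float


class ManualClock:
    """Deterministic clock so expiry and refill can be exercised without sleeping."""

    def __init__(self) -> None:
        self.t = 1_700_000_000.0

    def __call__(self) -> float:
        return self.t


class ApiGateway:
    def __init__(self, rate_capacity: int = 60, refill_per_s: float = 1.0,
                 clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._cap = rate_capacity
        self._refill = refill_per_s
        self._keys: Dict[str, ApiKey] = {}      # keyed by sha256 of the secret
        self._buckets: Dict[str, TokenBucket] = {}
        self.audit_log: List[dict] = []

    @staticmethod
    def _hash(secret: str) -> str:
        # only the hash is stored; a leaked key table does not leak usable secrets
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue_key(self, scopes: Iterable[str], ttl_s: float) -> str:
        secret = "sk_" + secrets.token_urlsafe(24)  # constructed prefix for the example
        self._keys[self._hash(secret)] = ApiKey(frozenset(scopes), self._clock() + ttl_s)
        return secret

    def revoke_key(self, secret: str) -> None:
        self._keys.pop(self._hash(secret), None)

    def _take_token(self, key_hash: str) -> bool:
        now = self._clock()
        b = self._buckets.get(key_hash)
        if b is None:
            b = TokenBucket(self._cap, self._refill, float(self._cap), now)
            self._buckets[key_hash] = b
        b.tokens = min(b.capacity, b.tokens + (now - b.last) * b.refill_per_s)
        b.last = now
        if b.tokens >= 1:
            b.tokens -= 1
            return True
        return False

    def authorize(self, secret: str, required_scope: str, ip: str,
                  user_agent: str, path: str) -> Tuple[int, str]:
        """Return (http_status, reason) and append one audit record regardless of outcome."""
        key_hash = self._hash(secret)
        key = self._keys.get(key_hash)
        if key is None:
            outcome = (401, "unknown key")
        elif self._clock() >= key.expires_at:
            outcome = (401, "expired key")
        elif required_scope not in key.scopes:
            outcome = (403, "scope not granted")
        elif not self._take_token(key_hash):
            outcome = (429, "rate limited")
        else:
            outcome = (200, "ok")
        self.audit_log.append({
            "ts": self._clock(), "key_id": key_hash[:12], "ip": ip, "user_agent": user_agent,
            "path": path, "scope": required_scope, "status": outcome[0], "reason": outcome[1],
        })
        return outcome


if __name__ == "__main__":
    gw = ApiGateway(rate_capacity=2, refill_per_s=0.0, clock=ManualClock())
    key = gw.issue_key({"bookings:read"}, ttl_s=3600)
    for scope in ("bookings:read", "bookings:write", "bookings:read", "bookings:read"):
        # constructed request metadata for the demonstration
        print(scope, gw.authorize(key, scope, "203.0.113.5", "curl/8.4", "/v1/bookings"))
```

Denied requests are logged with the same fields as allowed ones, which is what makes the audit trail useful for spotting scope probing or a key being replayed from an unexpected address.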
Login Anomaly Detection
Machine learning detection of unusual login patterns: new devices, new geographies, rapid location changes, credential stuffing attempts. Triggers step-up verification automatically.
Audit Logging
Complete audit log of all administrative actions, data access, and configuration changes. Logs are immutable and retained for 90 days (1 year on Enterprise). Exportable for SIEM integration.
IP Allowlisting
Enterprise plans can restrict access to approved IP ranges. Configure per-user or organization-wide IP allowlists. Immediate lockout for access from unapproved IPs.
Data Loss Prevention
Bulk data export operations require admin approval. Rate limiting on data export APIs. Unusual download volumes trigger security alerts and may require verification.
How we respond when something goes wrong
Our incident response process is documented, tested, and transparent. We've never had a customer data breach — this is how we'd handle it if we did.
Detection
< 1 hour: Automated monitoring detects anomalies and triggers immediate alerts to the security team.
Assessment
1–4 hours: Security team evaluates scope, severity, and potential customer impact. Incident commander assigned.
Containment
4–24 hours: Affected systems isolated. Threat vector blocked. Evidence preserved for forensic investigation.
Customer Notification
< 72 hours: Affected customers notified within 72 hours per GDPR requirements. Communication includes scope, impact, and remediation steps.
Remediation
24–72 hours: Root cause addressed. System hardened. Independent verification of remediation effectiveness.
Post-Incident Review
< 2 weeks: Full post-mortem completed. Findings shared with leadership. Prevention measures implemented.
Security is everyone's responsibility
The strongest technical controls can be undermined by people. Our employee security program matches our technical standards.
Background Checks
All employees undergo criminal background checks before accessing any customer data systems.
Least Privilege Access
Access to production systems is limited to engineers who require it for their specific role. No standing access to customer data — all access is just-in-time and logged.
Security Training
All employees complete security awareness training quarterly. Engineering team receives specialized secure development training annually.
NDAs & Confidentiality
All employees sign NDAs covering customer data confidentiality. Data handling policies are reviewed and acknowledged annually.
Offboarding Protocol
Access revocation within 1 hour of employment termination. All credentials rotated after any departure from security-sensitive roles.
Incident Response Training
Security team conducts tabletop exercises quarterly. Full incident response playbooks cover breach scenarios, ransomware, and insider threat vectors.
We treat your data the way you treat your clients' data
Six commitments about how we handle your data — none of which require you to read a privacy policy to understand.
We don't sell your data — ever
Schedly never sells customer data, scheduling data, or client contact information to third parties, data brokers, or advertising networks. Full stop.
Minimum necessary data collection
We collect only the data required to provide the scheduling service. We don't build behavioral profiles on your clients beyond what's needed for scheduling functionality.
Your data is yours — full export anytime
Export your complete account data at any time from account settings. Your data is never held hostage — full export is available on all plans, free and paid.
Deletion on request, within 30 days
Request complete account deletion at any time. All data is permanently purged within 30 days with a written deletion confirmation. GDPR requests handled within 72 hours.
Transparent data processing
Our Privacy Policy and Data Processing Addendum describe exactly what data we collect, how we process it, the legal basis for each processing activity, and your rights.
Cookie-minimal design
Schedly uses only functional cookies required for authentication and session management. No advertising cookies, no cross-site tracking, no fingerprinting, no data broker partnerships.
Common security questions
Answered directly, without marketing language.
Have a security question we haven't answered?
Our security team responds to all inquiries within one business day. For urgent matters, mark your email URGENT.
Stop Losing Bookings to Scheduling Friction.
Schedly puts your calendar to work around the clock. Every lead, every client, and every meeting lands exactly where it should, automatically.
