πŸ›‘οΈ Trust by Design

Security

Security and trust are built into our scheduling platform through careful controls and operational best practices.

PinMyCal follows industry best practices: 

βœ… OAuth 2.0 authentication

βœ… Secure token storage

βœ… HTTPS encryption

βœ… Role-based access control

βœ… Minimal data collection

βœ… Regular security testing

Data Protection

Encryption in transit, secure credential handling, and regular access reviews.

Infrastructure Controls

Redundancy, monitoring, and incident response workflows across production services.

Responsible Disclosure

Report security concerns at support@pinmycal.com for immediate triage.

πŸ§ͺ Security Check: AuthPass
Verification Rule 
Reject request if:
- missing Bearer token
- token expired
- token scope mismatch
πŸ” Security Check: WebhookSigned
Signature Validation 
X-PMC-Signature: sha256=7e9...c1
Verify HMAC(payload, webhookSecret)
Reject if timestamp drift > 5 min
🚫 Failed Security Response401
Response Body 
{
  "status": "error",
  "code": "UNAUTHORIZED",
  "message": "Token invalid or revoked"
}