Security & Compliance

Production-grade baseline security and industry-aligned capabilities. We provide the controls and design—audit trail, no PHI in logs, encryption, RBAC—so you can meet HIPAA, FERPA, and privacy requirements. You remain responsible for your obligations, BAAs with vendors, and legal compliance.

This page describes product capabilities and is not legal advice. Validate your use case with your compliance or legal team.

Security capabilities

What we build and operate so your scheduling data and participant information stay protected and auditable.

  • No PHI or PII in logs

    The audit log stores only opaque resource IDs, action types, and non-identifying metadata—no names, emails, phone numbers, or other sensitive data. Application logging avoids PHI; in production the real Twilio and email providers are used without logging message content. This reduces exposure and supports compliance across industries.

  • Audit trail

    Every mutation is recorded with opaque resource IDs and action types. Supports accountability, investigations, and compliance reviews. No PHI in the audit trail—only references that your team can map internally when needed.

  • TLS (HTTPS)

    Traffic must be encrypted in transit. TLS is enforced at the reverse proxy or load balancer in production (e.g. AWS ALB, nginx, Cloudflare). We do not serve the API or admin app over plain HTTP in production; redirect HTTP to HTTPS at the edge.

  • Encryption at rest

    Data at rest is protected by your MongoDB provider (e.g. MongoDB Atlas, AWS DocumentDB). Enable encryption at rest in the provider console. Secrets (JWT, Stripe, API keys) are stored in a secrets manager and injected at runtime—never committed or logged.

  • Role-based access control (RBAC)

    Roles (admin, super_admin, patient) support least-privilege access and access reviews. Team and subscription management align with your plan (Starter: one user; Professional: multiple users with full team management).

  • Retention and deletion

    Define and document your retention policy for participant and appointment data. The product supports accountability and configurable retention; implement deletion or anonymization (scheduled jobs or admin tools) so you can comply with user requests and policy. Handle backups and audit logs according to the same policy.
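One way to enforce the "No PHI or PII in logs" and "Audit trail" properties above at the point where an event is written, as an added example that is not SlotWise Pro's code: the action names, the metadata allowlist and the 24-hex-character ID shape are assumptions made for the example.

```javascript
// Added example, not SlotWise Pro's code. An audit event carries only opaque
// resource IDs, a known action type and allowlisted metadata; anything that
// looks like a name, e-mail or phone number never reaches the log.
// Action names, metadata keys and the ID shape are assumptions for the example.
const ALLOWED_ACTIONS = new Set([
  'appointment.create', 'appointment.update', 'appointment.cancel', 'user.login',
]);
const ALLOWED_META_KEYS = new Set(['status', 'durationMinutes', 'channel']);
const OPAQUE_ID = /^[0-9a-f]{24}$/i; // MongoDB ObjectId-like hex string (assumed)
const PII_PATTERNS = [
  /[\w.+-]+@[\w-]+\.[\w.-]+/,        // e-mail address
  /\+?\d[\d\s().-]{7,}\d/,           // phone number (deliberately loose: fail closed)
];

function looksLikePii(value) {
  return typeof value === 'string' && PII_PATTERNS.some((re) => re.test(value));
}

// Returns a log-safe event or throws; callers persist only the returned object.
function buildAuditEvent({ actorId, action, resourceType, resourceId, metadata = {} }) {
  if (!OPAQUE_ID.test(actorId) || !OPAQUE_ID.test(resourceId)) {
    throw new Error('audit: actorId and resourceId must be opaque IDs');
  }
  if (!ALLOWED_ACTIONS.has(action)) {
    throw new Error('audit: unknown action ' + action);
  }
  const safeMeta = {};
  for (const [key, value] of Object.entries(metadata)) {
    // Keys outside the allowlist (patientName, notes, ...) are silently dropped.
    if (!ALLOWED_META_KEYS.has(key)) continue;
    // Free text under an allowed key is still scanned so PII cannot ride along.
    if (looksLikePii(value)) {
      throw new Error('audit: metadata.' + key + ' looks like PII');
    }
    safeMeta[key] = value;
  }
  return {
    ts: new Date().toISOString(),
    actorId, action, resourceType, resourceId,
    metadata: safeMeta,
  };
}
```

The thrown errors are meant to surface in tests and code review, so that a caller that passes a patient name or a phone number into the audit path fails loudly instead of leaking.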

Industry standards and how we support them

SlotWise Pro serves healthcare, events, education, and professional services. Each industry has its own regulations; the product provides capabilities to support compliance. You are responsible for aligning with your regulations and signing BAAs or DPAs with vendors as required.

HIPAA

Healthcare (US)

Clinics, hospitals, research studies, patient or participant scheduling.

When handling PHI: sign BAAs with Twilio (SMS/voice), Vapi (if used), your email provider, and your cloud host. Use encryption at rest, enforce TLS, and rely on the audit log (opaque IDs) and RBAC. The product provides PHI-free logs, an audit trail, and access control; you and the operator complete the checklist.

FERPA considerations

Education (US)

Classes, advising, parent-teacher appointments, student data.

Requires minimal PII in logs, access control, and retention policies. The same product capabilities apply: audit log, RBAC, and no sensitive data in application logs. You validate FERPA or equivalent requirements with your compliance or legal team.

Data privacy, GDPR

Events & professional services

Conferences, workshops, consulting, salons, B2B appointments.

Consider data privacy (e.g. GDPR if processing EU data), consent for marketing/reminders, and retention/right-to-deletion. Audit log, RBAC, and absence of sensitive data in logs support these goals. You sign data-processing agreements with vendors as required.

Baseline security

General / multi-industry

Any use case requiring appointment or event scheduling with invites and reminders.

TLS, encryption at rest, audit trail, and configurable retention apply to all. Validate your use case with your compliance or legal team.

Operational checklist (when handling healthcare PHI)

For operators and customers handling protected health information, the following should be in place.

  • BAAs in place with all relevant services: Twilio (SMS/voice), Vapi (if used), email provider (SMTP/SendGrid), and cloud host (AWS/GCP/Azure)
  • TLS enforced at proxy/load balancer; no HTTP in production
  • MongoDB (or host) encryption at rest enabled in the provider console
  • NODE_ENV=production in production; no PHI in application or audit logs
  • Retention and deletion policy documented and implemented as needed (including backups and audit logs)

For non-healthcare industries, apply the same baseline (TLS, encryption, audit, retention) and follow your jurisdiction’s data-processing and vendor requirements.

Vendors and BAAs

SlotWise Pro integrates with third-party services for SMS, voice, email, and payments. When you or the operator handle PHI or other regulated data, sign Business Associate Agreements (or equivalent data-processing agreements) with:

  • Twilio – SMS and voice (IVR)
  • Email provider – SMTP or SendGrid (or equivalent)
  • Vapi – AI voice / IVR automation (if used)
  • Cloud host – AWS, GCP, Azure, or your hosting provider

See our documentation for environment variables and configuration. Customers are responsible for their own BAAs and vendor compliance.

Ready to get started?

Compliance-ready scheduling for US businesses. No credit card required for trial.