Security Overview
Effective May 29, 2026 · Last reviewed May 29, 2026
Security is one of the things we take most seriously, because the cost of getting it wrong is your business. Here’s the plain-English version of what we do.
Encryption
- In transit: TLS 1.2 or higher for all Service traffic, including the booking pages your clients see. We do not serve any plaintext HTTP except for HTTP-to-HTTPS redirects.
- At rest: the database and its backups are encrypted at the storage layer. Sensitive columns — 2FA secrets, OAuth tokens for Stripe/Square/calendar providers — are encrypted at the application layer with separate keys, so an at-rest compromise without the application keys yields ciphertext only.
How sign-in works
ChairSlay is passwordless. You sign in with a magic link or a six-digit code emailed to you. There’s no password to leak, reuse, or have phished.
- Magic-link tokens are short-lived (15 minutes) and single-use.
- One-time codes are short-lived (10 minutes), throttled, and locked after repeated failed attempts.
- 2FA (TOTP) is available; we recommend enabling it.
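As an added illustration of the token rules listed above (this is not ChairSlay's code), here is a minimal server-side store that enforces a 15-minute single-use magic link and a 10-minute one-time code with lockout. The class name, the in-memory dictionaries, the lockout threshold of 5 and consuming a code on success are assumptions; request throttling is not shown.

```python
import hashlib
import hmac
import secrets

LINK_TTL = 15 * 60   # magic-link lifetime stated on the page, in seconds
CODE_TTL = 10 * 60   # one-time-code lifetime stated on the page, in seconds
MAX_FAILS = 5        # assumption: the page gives no lockout threshold


def _digest(value: str) -> str:
    # Store a digest, not the raw value: a leaked table exposes no live link tokens.
    return hashlib.sha256(value.encode()).hexdigest()


class SignInStore:
    """In-memory stand-in for a server-side credential table (hypothetical)."""

    def __init__(self):
        self.links = {}   # token digest -> (email, expires_at)
        self.codes = {}   # email -> [code digest, expires_at, failed attempts]

    def issue_link(self, email: str, now: float) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.links[_digest(token)] = (email, now + LINK_TTL)
        return token

    def redeem_link(self, token: str, now: float):
        # pop() makes the token single-use: a replayed link finds nothing.
        entry = self.links.pop(_digest(token), None)
        if entry is None or now > entry[1]:
            return None
        return entry[0]

    def issue_code(self, email: str, now: float) -> str:
        # Six digits are low-entropy: the TTL and lockout protect them, not the hash.
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[email] = [_digest(code), now + CODE_TTL, 0]
        return code

    def verify_code(self, email: str, code: str, now: float) -> bool:
        entry = self.codes.get(email)
        if entry is None or now > entry[1] or entry[2] >= MAX_FAILS:
            return False   # unknown, expired, or locked out
        if hmac.compare_digest(entry[0], _digest(code)):
            del self.codes[email]   # assumption: a code is consumed on success
            return True
        entry[2] += 1   # count the failure toward the lockout
        return False
```

Once the failure counter reaches the threshold, even the correct code is rejected until a new one is issued, which is what caps online guessing against a six-digit space.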
What ChairSlay staff can access
- Production data: a small number of senior engineers, only when needed to operate the Service or respond to a support request. Every production-data access is logged.
- Your billing data: only the billing lead and audit reviewer.
- Your client data: not viewed by ChairSlay staff in the normal course. If you ask us to look at something specific (a stuck booking, an export problem), we’ll touch only what’s needed to resolve it.
Hosting
ChairSlay runs on Hetzner Cloud in their Ashburn, Virginia datacenter (US-East). Backups are encrypted and held for 35 days.
Payments
Card data never touches ChairSlay infrastructure. Cards are entered directly into Stripe or Square hosted form elements (Payment Element or Web SDK) and tokenized client-side. We store only the token, the last 4 digits, and the card brand.
ChairSlay’s PCI scope is reduced to SAQ-A as a result. We do not handle or store cardholder data.
Calendar sync
Two-way calendar sync with Google, Microsoft, and Apple defaults to busy-only mode: we read start/end times of your external events to block ChairSlay booking slots, but we do not pull event titles, attendees, locations, or descriptions. You can opt in to full sync if you want title overlays in your ChairSlay calendar view; the default is privacy-respecting.
Incident response
If we determine a security breach has materially affected your data:
- We notify you within 72 hours for GDPR-covered data and within whatever timeframe each US state law requires for the rest.
- We tell you what happened, what data was affected, what we’ve done, and what you should do.
- We publish a public post-mortem if the incident affected users beyond a single account.
Your part
Security is a shared responsibility. We give you the tools; the choices are still yours:
- Enable 2FA.
- Use a strong, unique email password (since email is the second factor for our magic links).
- Keep your phone updated.
- Log out of shared devices.
Reporting vulnerabilities
If you’ve found a vulnerability in ChairSlay: email security@chairslay.com. We respond within 2 business days, will not pursue legal action against good-faith research, and will credit you on our security acknowledgments page if you’d like.
Contact
security@chairslay.com · for incidents requiring urgent attention, include “URGENT” in the subject.