Application Security Statement

Our Commitment to Security

Some of the world's largest (and smallest) companies trust us with their client appointment data. We take this responsibility seriously and are proactive about cybersecurity. Schedapple uses a defense-in-depth approach to provide physical, logical, and data layers of security features and operational best practices.

As stated in our Privacy Policy, "To prevent unauthorized access, maintain data accuracy, and ensure the correct use of information, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect online." This includes using encryption (HTTPS), system-user identifiers (logins, passwords), multiple user access levels, high-end physical server security, nightly encrypted backups, strong privacy policies (not sharing information with anyone unless you direct us to), timed log out, and strong internal policies.

Secure Network Connections

All communications with the schedapple.com website are sent over Transport Layer Security (TLS) connections, which protect communications by using both server authentication and data encryption. This ensures that user data in transit is safe, secure, and available only to intended recipients. Our application endpoints are TLS v1.1 and TLS v1.2 only, and our servers have 2048-bit SSL certificates as recommended by the National Institute of Standards and Technology (NIST). Schedapple.com scores an "A" rating on Qualys SSL Labs' server tests, validating that our servers are configured to only allow secure communications with browsers using the safest communication protocols.

Firewalls block unwanted inbound traffic (restricting access on ports) and unused network-facing services have been removed.

Authorized server administrator access is via SSH using cryptographic key authentication (key-pair) and a limited user account. Direct root logins over SSH are disallowed. Logging systems capture and archive all internal systems access including any failed authentication attempts so any unauthorized attempts to access the servers can be identified and monitored. Change control management best practices and processes are used.

Physical Security

All information systems and infrastructure are hosted in world-class data centers located in the United States. These data centers have multiple layers of security via a variety of technological and human measures. This includes physical security controls that you would expect in a data center (e.g. monitoring, visitor logs, entry requirements, locked cages) and technological security controls (e.g. strict IP address filtering rules to prevent server spoofing and man-in-the-middle attacks, and server virtualization).

Application Security & Data Protection

We also use many application security best practices to protect against attacks, blocking common web exploits such as SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and clickjacking.

We don't expose our application or database servers directly to the Internet. Everything goes through a firewall. Our application architecture uses separate servers for databases with access restricted to the web servers.

Whenever your data is in transit between you and us, everything is encrypted and sent using HTTPS.

Appointments and clients' data are not encrypted at rest since this data is active in our database (if it were encrypted you would not be able to actively access and read your calendars and data). Our backups of your data are encrypted. User data in our database is logically segregated by account-based access rules. User accounts have unique usernames and passwords that must be entered each time a user logs on. Schedapple issues a browser cookie to record authentication information for the duration of a specific session. These cookies don't include the username and password.

Security Updates

The latest security patches are regularly applied to all operating systems, applications, and network infrastructure to mitigate exposure to vulnerabilities.

Security Scans & Evaluations

Schedapple is Payment Card Industry Data Security Standard (PCI DSS) compliant, and our compliance is regularly validated by an authorized independent Qualified Security Assessor. Through quarterly scans and evaluations (SAQ A-EP) we ensure that we adhere to the PCI DSS requirements for security management, policies, procedures, network architecture, software design and other critical protective measures, thus ensuring that our customers' data is being kept safely. We are not required to have PCI DSS vulnerability scanning as a SAQ A merchant, but we do this to ensure and enhance our security. Schedapple uses Stripe, a PCI-compliant processor, to ensure that credit card, ACH, and processed payment transaction data is stored securely on a PCI-compliant network.

Working to Keep Your Data Safe

We promise to take all reasonable precautions to keep your data safe, but no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if Schedapple learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures include providing email notices or posting a notice on our website if a breach occurs.

We can do our utmost to ensure the security of your data, but keeping your data secure is also dependent on you. You must ensure that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. Sharing account log-ins is a breach of our terms of service and can make your data insecure. Log-ins you set up for staff who then leave your company should be deleted. Schedapple allows you to pull data from our system to use with other applications. This includes calendar syncing, exporting of calendar and client data, and using our application programming interface (API) for integration with other applications. You should ensure that you have sufficient security on your own systems, to keep access to your account and any client data you download to your own computer away from prying eyes. Please review our privacy policy for more info on how your data is stored and our terms of service.