Kalenda

Security Statement

Version 1.0 · Effective 18 June 2026

This document is an implementation template and should be reviewed by qualified legal counsel before production use.

Version 1.0 | Effective: June 2026

Kalenda is built with security-by-default principles aligned with OWASP ASVS Level 2 practices for SaaS applications.

Technical controls

  • Encryption in transit: TLS for all connections
  • Encryption at rest: Database and integration token encryption
  • Authentication: Bcrypt password hashing, optional TOTP 2FA, secure JWT sessions
  • Session security: HttpOnly, Secure, SameSite cookies
  • Tenant isolation: Practitioners cannot access other tenants' data
  • Access control: Role-based permissions for admin, practitioner, and client roles
  • Audit logging: Immutable audit trail for sensitive operations
  • Rate limiting: Protection on auth, booking, checkout, and data request endpoints
  • Input validation: Zod schema validation on API endpoints
  • Secret handling: Environment-based secrets; no credentials in logs

Organisational measures

  • Least-privilege access for operations staff
  • Incident response procedures
  • Vendor security review for subprocessors
  • Regular dependency updates

Reporting vulnerabilities

Responsible disclosure: support@bizclinic.africa. Please do not test against production without authorisation.

Limitations

No system is 100% secure. Practitioners must also protect their account credentials and client devices.