Last updated: June 2025
All passwords hashed with bcrypt. We never store or log plaintext passwords.
Sessions expire after 15 minutes of inactivity. Sessions are bound to the originating IP and user agent.
Auto-ban after 20 failed login attempts from the same IP (1 hour cooldown). Sign-in attempts are rate-limited to 10 per minute per IP.
Optional TOTP-based 2FA available for all accounts. Recommended for Owner and Manager roles.
Each practice is a separate tenant. All database queries are automatically scoped to the current tenant via acts_as_tenant. Cross-tenant access returns a 404 — not a 403 — to prevent enumeration attacks. There is no way for one practice to access another practice's data.
Credit card data is handled entirely by Stripe. We never see, store, or transmit card numbers. We store only a Stripe token and the last 4 digits for display. Card input uses Stripe Elements — a secure iframe where card data goes directly to Stripe's PCI-DSS Level 1 certified servers without touching ours.
If you discover a security vulnerability, please report it to security@schedulite.com. We take all reports seriously and will respond within 48 hours. We will not pursue legal action against researchers who report vulnerabilities responsibly.