How does Multical secure my data?

Technical Security Measures

All of the following are implemented in the application code and verified against the codebase.


Token & Credential Security

AES-256-GCM Encryption: All OAuth tokens (Google, Microsoft) and CalDAV credentials (Apple) are encrypted using AES-256-GCM before being stored in the database. Each is encrypted with a unique random IV. This applies equally to all three providers.


Encrypted at rest: No credentials are stored as plain text. The encryption key is held separately as a server environment variable.


Password Security

Argon2 Hashing: User passwords are hashed using Argon2 with explicit memory cost (19,456 KB), time cost, and parallelism parameters. Plain-text passwords are never stored or logged.


Transport Security

HTTPS / TLS: All data is encrypted in transit. This includes connections to Google, Microsoft, and Apple’s CalDAV server (caldav.icloud.com).


Secure session cookies: Session cookies use HttpOnly, Secure (production), and SameSite=lax flags. Sessions are stored server-side in Redis.


Access Controls & Attack Prevention

CSRF Protection: OAuth flows use a cryptographically random 32-byte state parameter verified on callback before any token exchange.


Rate Limiting — General API: 100 requests per 15 minutes per IP across all API endpoints.


Rate Limiting — Auth Endpoints: 10 attempts per 15 minutes per IP on login, registration, and password reset. Only failed attempts count (skipSuccessfulRequests: true).


Redis-backed sessions: Because sessions are held server-side, a session can be invalidated immediately on logout rather than lingering until a client-side token expires.


HTTP Security Headers: Helmet.js sets CSP, X-Frame-Options (DENY), X-Content-Type-Options, HSTS (2-year max-age with preload), Referrer-Policy, and Permissions-Policy. The headers are also set explicitly as fallbacks so they survive the Render/Cloudflare proxy layer.


Audit Logging

Audit trail: Logins, OAuth connections, Apple CalDAV connections, calendar disconnections, and data export requests are all written to an audit_log table with IP address and metadata.


Payment Security

Stripe (PCI DSS Level 1): Payment card data is handled entirely by Stripe. Multical never sees or stores card numbers. Stripe webhooks are verified using signature validation before processing.


GDPR Compliance Features

Explicit consent at signup: Acceptance of the Terms of Service and Privacy Policy is required, and the acceptance timestamps are stored in the database.

Data export: Full JSON export of personal data available at any time from account settings (GDPR Article 20).

Account deletion: Deleting an account cascades to all associated data, and the session is destroyed immediately.

