Security & data handling

Focused permissions. Short retention. Clear boundaries.

BookableCheck limits write access to confirmed CRM meeting-owner reassignment, with portal isolation and minimal storage built into the service architecture.

W

Narrow meeting write access

BookableCheck can update only the HubSpot CRM meeting owner in its automated remediation flow. Scheduling pages and external calendar invitations are never mutated.

Portal isolation

Operational records and queries are keyed by HubSpot portal ID, with explicit tests against cross-tenant access.

Encrypted credentials

OAuth credentials are encrypted with authenticated encryption, portal-bound context, random nonces, and versioned keys.

Signed requests

HubSpot, Stripe, and SendGrid signatures are validated. OAuth state is one-time, expiring, and protected against replay.

90

Limited retention

Resolved findings and scan history are removed after 90 days. Uninstall removes active operational data within 24 hours.

No tracking scripts

This public website uses no analytics, advertising pixels, or cookies. The application logs are designed to exclude sensitive payloads.

Access model

The initial OAuth grant requests only owner and meeting-link read access. Pro meeting automation uses a separate same-app authorization for crm.objects.contacts.read and crm.objects.contacts.write because HubSpot's official Meetings API specification maps meeting search and update to those scopes. BookableCheck never calls a Contacts endpoint or retrieves contact records. It reads only allowlisted meeting fields and writes only hubspot_owner_id after a managing admin confirms the replacement and exact records.

Detailed in-app endpoints require the exact HubSpot integration-management permission from a signed request context. Users without it receive only an aggregate summary.

Data minimization

  • Free scans retain counts, status, and timestamp—not names or scheduling-page details.
  • Pro stores only the owner, page, finding, replacement, and workflow fields needed for remediation.
  • Future-meeting data is limited to ID, owner, times, outcome, and a HubSpot link.
  • Meeting titles, attendee details, descriptions, notes, locations, and contact associations are discarded and must not be logged.
  • Alert emails contain portal-level counts and an app link, not identifying finding data.

Infrastructure and subprocessors

The planned production service uses Cloudflare Workers, D1, and Queues for application hosting and data processing; HubSpot for authorization and source records; Stripe for subscription billing; and SendGrid for transactional alerts. See the Privacy Notice for their roles.

Deletion and recovery history

Confirmed uninstall disables scheduled work immediately and removes operational records from active systems within 24 hours. Cloudflare D1 Time Travel may hold recoverable encrypted database states for up to 30 days on Workers Paid. Minimal Stripe-linked billing records follow a separate accounting and subscription retention policy.

Report a vulnerability

Email support@bookablecheck.com with “Security” in the subject. Include reproduction steps and impact, but do not include real OAuth tokens, customer data, or destructive proof-of-concept activity. A formal security contact and response SLA will be finalized before Marketplace submission.