Security · the posture, in plain English

Built so a $300 booking is never the weakest link.

Slotsy is a thin, opinionated booking surface. The less data we hold, the smaller the blast radius. The architecture decisions below are deliberate, public, and revisited every quarter.

DATA RESIDENCY

European Union, by default.

All bookings, OAuth tokens, and member data live on Cloudflare D1 with the weur regional hint. We don't replicate primary data outside the EU. EU residency is a default, not a paid-tier feature.

ENCRYPTION

At rest, in transit, end to end.

TLS 1.2+ on every connection. Cloudflare D1 and R2 are encrypted at rest. OAuth tokens are encrypted with AES-256-GCM using a per-tenant key. Passwords are hashed with bcrypt (cost 12) and never stored in a reversible form.

GDPR · DSAR

Bonterms-adjacent DPA on file.

Standard sub-processor list, 72-hour breach notification, Standard Contractual Clauses for any transfer outside the EU. DSAR endpoint at /dsar answers within 30 days. Full DPA at /legal/dpa.

BYO STRIPE

We're not in the payment path.

Member payments use your Stripe restricted key. Slotsy never sees a card number, never holds funds, never proxies a charge. If we're breached, your members' payment data is unaffected because we don't have it.

NO TRACKING

No Meta, no Google Analytics.

Plausible Analytics is the only analytics tool — server-side, cookieless, GDPR-exempt, no fingerprinting. We don't sell behavioural data. We don't sell anything you don't pay for directly.

DISCLOSURE

Responsible-disclosure policy.

Email [email protected] · PGP key available on request · 90-day disclosure window · public credit for the reporter unless they prefer anonymity. No bug bounty cash at v1 (solo budget) — but real human response and a public hall of fame on /security#credits.

The audit-log table

Every security decision, dated.

2026-05-12: Bonterms DPA pulled, adapted, queued for solicitor review.
2026-05-02: Architecture decision: BYO Stripe restricted key, never proxy charges.
2026-05-02: OAuth tokens to be encrypted with AES-256-GCM per-tenant key.
2026-05-02: D1 regional hint set to weur · EU residency default.
2026-05-02: No Meta Pixel · no Google Analytics · Plausible only.
v1.1: Annual security review including OWASP Top-10 coverage check.
v2: Optional 2FA · passkeys · per-tenant encryption-key rotation.

Found something?

[email protected]

a human reads every disclosure · 90-day timeline · public credit on request