Last update: 19 November 2025.
TL;DR
- All data is encrypted in transit.
- All data is hosted in the EU on EU-owned servers.
- User passwords are hashed and salted.
- Our software is updated multiple times per week.
- There is a public changelog.
- Regular vulnerability scans are conducted.
- All data is backed up and encrypted on remote backups.
- Data access is firewalled and user-restricted.
- Our code is transparent and you can audit our code base.
- Performance is monitored and uptime is disclosed.
- Data can be exported via CSV or stats API.
- We don’t collect or store any personal or sensitive data.
- We don’t store debit/credit card details.
- We don’t store any data outside the EU; only banking information is stored by our service provider Paddle.
- We don’t outsource our software development.
- We don’t outsource our infrastructure management.
- We don’t sell, share or in any other way monetize your data.
- We don’t use LLMs.
Here’s a more detailed overview of the technical and organizational security measures we use to secure Brinjel and protect your data.
Organizational Security
Here are some of the best practices we’ve adopted:
- Access to servers, source code, and third-party tools is limited to one person.
- We use strong, randomly-generated passwords stored in a password manager.
- Employees and contractors are given the lowest level of access that allows them to get their work done. This never includes access to production systems or data.
- We use automatic security vulnerability detection tools to alert us when our dependencies have known security issues. We are aggressive about applying patches and deploying quickly.
Authentication
When users sign up for SavvyCal, we create a user record in our database that includes:
- farm name
- email address
- hashed password (using argon2).
When a user signs in, we generate an encrypted session token stored in browser cookies.
Encryption
All application pages are encrypted with TLS 1.3 via certificates managed by Let’s Encrypt.
Infrastructure
Our application is hosted with Hetzner, mainly in Germany. Our backups are hosted with Scaleway.
Learn more about their security practices:
Logging and monitoring
Application logs and performance measurements are stored by us and are therefore not transmitted to any third parties. Communications between our servers go through a WireGuard VPN tunnel.
Software Development Practices
We try to respond as quickly as possible to requests for improvements to Brinjel, but we believe that this should not be at the expense of software quality and data security. We rigorously maintain an automated suite of checks and tests that must succeed before any deployment.
Report a security vulnerability
If you’ve found a security vulnerability with the Brinjel codebase, you can disclose it responsibly by sending a summary to us. We’ll review the potential threat. We appreciate your patience and understanding that some reports will take time to fix and the process may involve a review of our codebase for similar problems. It’s crucial we can trust you not to disclose the vulnerability to anyone until a few days after we release the fix.
More details can be found in our vulnerability disclosure program.
We’re incredibly thankful for people who take the time to share their findings with us. Whether it’s a tiny bug that you’ve found or a security vulnerability, all reports help us to continuously improve Brinjel for everyone. Thank you!