Trust & Security

Last updated: May 10, 2026

1. Calendar Permissions

mahakala.app requests specific calendar permissions to provide scheduling functionality. Here's exactly what we access and why:

Google Calendar

  • openid — Verify your identity when you sign in with Google
  • email — Your email address for account creation and notifications
  • profile — Your name and profile photo for your mahakala.app profile
  • https://www.googleapis.com/auth/calendar.readonly — Read your calendar to check free/busy availability (we do NOT read event titles, descriptions, or attendees)
  • https://www.googleapis.com/auth/calendar.events — Create, update, and delete calendar events when bookings are confirmed, rescheduled, or cancelled

Microsoft Outlook Calendar

  • User.Read — Basic profile information (name, email, photo)
  • Calendars.ReadWrite — Read availability and create booking events on your calendar
  • Calendars.Read — Read-only calendar access to check free/busy times
  • offline_access — Stay connected without requiring you to re-authenticate every time

iCloud Calendar

Uses the CalDAV protocol with read/write access to calendar events only. We sync free/busy status and create booking events. No access to other iCloud services.

Privacy Guarantee

We only read free/busy status from your calendar — never event titles, descriptions, attendees, or locations. Calendar events we create contain only the booking details you've configured.

2. What the AI Can and Cannot Do

When you connect an AI agent via MCP (Model Context Protocol), here are the capabilities and strict limitations:

What AI Can Do

  • ✓ Answer scheduling questions about your availability
  • ✓ Suggest available time slots based on your calendar
  • ✓ Create, reschedule, or cancel bookings on your behalf
  • ✓ Help guests find and book times through your booking page
  • ✓ Check upcoming appointments and booking details

What AI Cannot Do

  • ✗ Access your email inbox or send emails
  • ✗ Read calendar event titles, descriptions, or attendees
  • ✗ Make purchases or process payments
  • ✗ Access files, documents, or other apps
  • ✗ Contact people outside the booking flow
  • ✗ Modify account settings or billing information
  • ✗ Access anything outside scheduling context

3. Booking Approval Settings

You have full control over how bookings are confirmed:

Auto-Accept Bookings (Default)

Bookings are instantly confirmed and added to your calendar without manual review.

Require Manual Approval

Review and approve each booking request before it's confirmed. Ideal for high-value consultations or selective availability.

Screening Questions

Collect information from guests during booking. Flag bookings for review based on responses (e.g., "What's your budget?" or "How did you hear about us?").

Cancellation & Reschedule Policies

Set minimum notice periods for cancellations and reschedules per event type. Policies are displayed on your booking page.

4. Audit Log

Available on the Expert plan, the audit log tracks all actions in your account for security, compliance, and troubleshooting:

What's Logged

  • Event type changes (title, duration, location, pricing)
  • Booking actions (created, cancelled, rescheduled, approved, rejected)
  • Team member changes (added, removed, role changes)
  • Settings updates (availability, integrations, notification preferences)
  • API key usage (creation, revocation, MCP actions)
  • Calendar connection changes (connected, disconnected, re-authenticated)

Example Audit Log

| Timestamp | Actor | Action | Resource | Details | IP Address |
|---|---|---|---|---|---|
| 2026-05-10 14:32:15 UTC | [email protected] | Event Type Updated | 30-Min Consultation | Duration changed from 30m to 45m | 203.0.113.42 |
| 2026-05-10 12:18:04 UTC | AI Agent (MCP) | Booking Created | Strategy Call | Booked for [email protected] on 2026-05-15 | 198.51.100.22 |
| 2026-05-10 09:45:22 UTC | [email protected] | Team Member Added | Sales Team | Added [email protected] with Editor role | 203.0.113.42 |
| 2026-05-09 16:55:31 UTC | [email protected] | API Key Created | MCP Agent | Created key mcp_*** with scheduling scope | 203.0.113.42 |
| 2026-05-09 11:20:18 UTC | [email protected] | Booking Cancelled | Discovery Call | Cancelled booking for 2026-05-12 | 192.0.2.156 |

Logs are retained for 12 months and can be exported as CSV from your dashboard.

5. Subprocessor List

We use trusted service providers to deliver mahakala.app. All subprocessors are SOC 2 certified or equivalent:

| Subprocessor | Purpose | Location | Certification |
|---|---|---|---|
| Railway | Application hosting | US | SOC 2 Type II |
| Neon | PostgreSQL database | US | SOC 2 Type II |
| Cloudflare | CDN, DNS, DDoS protection | Global | SOC 2 Type II, ISO 27001 |
| Google | OAuth, Calendar sync, Analytics | US | SOC 2, ISO 27001 |
| Resend | Transactional email | US | SOC 2 Type II |
| Sentry | Error monitoring | US | SOC 2 Type II |
| Lemon Squeezy | Payment processing | EU | PCI DSS |

All data transfers are protected by standard contractual clauses and encryption in transit. See our Privacy Policy for details on international data transfers.

6. Data Deletion & Export

Account Holders

Delete your account from Settings → Account → Delete Account. This action:

  • Permanently removes all account data, bookings, event types, and settings
  • Disconnects calendar integrations and revokes API keys
  • Anonymizes historical booking records for compliance (guest data retained per privacy policy)
  • Cannot be undone — make sure to export your data first

Guests (GDPR Right to Erasure)

If you've booked a meeting but don't have an account, you can request deletion of your booking data:

  • Use the deletion link in your booking confirmation email
  • Or visit Guest Data Request and enter your email
  • Rate-limited to 5 requests per hour per IP address to prevent abuse

Data Export

Export all your data in machine-readable format (JSON) from Settings → Export Data. Includes:

  • Account information and profile settings
  • Event types and availability schedules
  • Booking history with guest details
  • Audit log (Expert plan only)

Data Retention

Retention periods are configurable per account. We run automated cleanup via data retention cron jobs. See our Privacy Policy for default retention periods.

7. Uptime & Status

We maintain 99.9%+ uptime with multi-region redundancy and 24/7 monitoring:

  • Uptime Target: 99.9%+
  • Health Check Interval: 60s
  • CDN via Cloudflare: Global

Real-Time Status

Check current system status and historical uptime at:

status.mahakala.app

8. MCP Security Model

The Model Context Protocol (MCP) allows AI agents to interact with your scheduling system. Here's how we keep it secure:

User-Generated API Keys

MCP connections require an API key you create from your dashboard. No default keys or automatic access.

Per-User Scoping

API keys are scoped to your account only — an AI agent can only access your data, never other users' information.

Same Auth as REST API

MCP calls go through identical authentication, authorization, and rate limiting as our standard API.

Scheduling Scope Only

MCP tools have read/write access for scheduling actions only — no access to billing, account settings, or other users' data.

Instant Revocation

Revoke API keys instantly from your dashboard. All active MCP sessions using that key are immediately terminated.

Audit Trail

All MCP actions are logged in the audit trail (Expert plan) with timestamps, IP addresses, and action details.
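
An account owner can check the "Scheduling Scope Only" and "Audit Trail" statements above against their own exported audit log. The script below is an added example, not mahakala.app code: it assumes the CSV export uses the column names from the example audit table, that the agent appears as "AI Agent (MCP)", and that action labels follow the pattern shown there ("Booking Rescheduled" and "Settings Updated" are assumed labels). The sample rows are constructed.

```python
import csv
import io

# Constructed sample in the assumed export layout: column names are taken from
# the example table on this page; the real CSV header may differ.
SAMPLE_CSV = """Timestamp,Actor,Action,Resource,Details,IP Address
2026-05-10 14:32:15 UTC,owner@example.test,Event Type Updated,30-Min Consultation,Duration changed from 30m to 45m,203.0.113.42
2026-05-10 12:18:04 UTC,AI Agent (MCP),Booking Created,Strategy Call,Booked for guest@example.test on 2026-05-15,198.51.100.22
2026-05-10 12:40:51 UTC,AI Agent (MCP),Settings Updated,Availability,Working hours changed,198.51.100.77
2026-05-09 16:55:31 UTC,owner@example.test,API Key Created,MCP Agent,Created key mcp_*** with scheduling scope,203.0.113.42
"""

MCP_ACTOR = "AI Agent (MCP)"  # actor label as shown in the example table
# Actions the page says an agent may take. "Booking Rescheduled" is an assumed
# label, formed like the two booking labels that appear in the table.
ALLOWED_MCP_ACTIONS = {"Booking Created", "Booking Rescheduled", "Booking Cancelled"}


def review_mcp_activity(csv_text, known_agent_ips=()):
    """Return (out_of_scope, unknown_ip, key_events) lists of audit rows."""
    out_of_scope, unknown_ip, key_events = [], [], []
    known = set(known_agent_ips)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Drop overflow columns (key None) and normalise whitespace.
        row = {k: (v or "").strip() for k, v in row.items() if k}
        if row["Action"].startswith("API Key"):
            key_events.append(row)      # key creation/revocation, for manual review
        if row["Actor"] != MCP_ACTOR:
            continue
        if row["Action"] not in ALLOWED_MCP_ACTIONS:
            out_of_scope.append(row)    # contradicts "scheduling scope only"
        if known and row["IP Address"] not in known:
            unknown_ip.append(row)      # agent traffic from an unexpected host
    return out_of_scope, unknown_ip, key_events


if __name__ == "__main__":
    bad, strange, keys = review_mcp_activity(SAMPLE_CSV, {"198.51.100.22"})
    for label, rows in (("OUT OF SCOPE", bad), ("UNKNOWN IP", strange), ("KEY EVENT", keys)):
        for r in rows:
            print(f"{label}: {r['Timestamp']} {r['Action']} from {r['IP Address']}")
```

Pass the set of addresses your agent host is expected to call from as known_agent_ips; with an empty set the IP check is skipped.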

9. No Training on Your Data

We do not use your calendar data, booking information, or any personal data to train AI models. Our AI features use third-party language models (via API) under strict no-data-retention agreements. Your data stays yours — it is never used for model training, shared with AI providers, or repurposed beyond providing scheduling services.

10. Compliance Roadmap

We're committed to industry-leading security and compliance standards:

GDPR Compliant

Full compliance with data deletion, export, consent management, and cookie controls

SOC 2 Type II Certified Infrastructure

Railway, Neon, and Cloudflare are all SOC 2 Type II certified

SOC 2 Type II for mahakala.app

Planned for 2027 — independent audit of security controls, availability, and confidentiality

HIPAA Readiness Assessment

Planned for 2027 — evaluation for healthcare industry compliance

HTTPS Everywhere, TLS 1.3

All connections encrypted with modern TLS 1.3 protocol

Security Headers

Content Security Policy, HSTS, XSS protection, and referrer policy enforced

Frequently Asked Questions

Can AI agents access my email or other calendar events?

No. AI agents via MCP can only access scheduling data (availability, bookings, event types). They cannot read email, calendar event details, or any data outside the scheduling context.

How do I revoke AI agent access?

Go to Settings → API Keys and revoke the key you created for the AI agent. All active sessions using that key are terminated immediately.

Where is my data stored?

Your data is stored in SOC 2 Type II certified infrastructure: Railway (application hosting) and Neon (PostgreSQL database), both in the United States. Data is encrypted at rest and in transit.

Do you share data with third parties?

We only share data with trusted subprocessors (listed above) to provide the service. We never sell, rent, or share your personal data with advertisers or data brokers.

How do I delete all my data?

Account holders can delete their account from Settings → Account → Delete Account. Guests can request deletion via the link in their booking confirmation email or at /guest-data.

Questions or Concerns?

If you have questions about our security practices or need to report a security issue, contact us at:

Security Contact: [email protected]
Subject: "Security Inquiry" or "Vulnerability Report"
Response Time: Within 24 hours for security issues