Trust center
Security at Overlap
Overlap is designed so public booking and voting do not grant direct access to private account tables. Sensitive mutations run through authenticated, validated server endpoints.
Controls in place
- Encrypted HTTPS transport and production browser-security headers.
- Supabase row-level security with least-privilege browser roles.
- AES-256-GCM encryption for connected-calendar refresh tokens.
- Database-enforced protection against overlapping bookings and duplicate poll finalization.
- Durable IP and account-level abuse limits.
- Signature-verified image uploads with executable SVG content disallowed.
- Daily encrypted off-platform database and Storage backups, plus quarterly restore drills.
- Automated build, test, dependency, uptime, and scheduled-job checks.
Responsible disclosure
If you believe you found a vulnerability, email support@meetoverlap.com with steps to reproduce it. Do not access other people's data, disrupt service, or use destructive testing. We will acknowledge credible reports and work toward a fix.
Scope
Overlap is not currently marketed as HIPAA-compliant, and it is not intended for emergency or clinical workflows. School use should be administered by adults and reviewed under the school's own privacy and vendor requirements.