Security
DemoTimer is built to do one thing: remind you before your meeting ends. We take the least amount of data needed to do that, and we protect all of it.
Minimal permissions
- We request read-only access to your Google Calendar. DemoTimer never modifies, creates, or deletes calendar events.
- We only access your calendar to identify upcoming external Zoom meetings. Internal meetings are ignored and never stored.
- You can revoke calendar access at any time from your DemoTimer settings or directly from your Google account.
Encryption at rest
- All Google OAuth tokens (access and refresh tokens) are encrypted at rest using AES-256-GCM before being stored in our database.
- Encryption keys are stored separately from the database and are never committed to source code.
- Session cookies are signed with HMAC-SHA256 to prevent tampering.
No meeting content
- DemoTimer never records audio, video, or screen content from your meetings.
- The bot joins the Zoom waiting room (or the call briefly) and leaves within a few seconds. Its only purpose is to trigger the notification chime.
- We store minimal meeting metadata (title, start/end time, and Zoom URL) to schedule reminders. This data is automatically purged after 30 days.
Infrastructure
- DemoTimer is hosted on Vercel with automatic TLS encryption for all traffic.
- Our database is hosted on Supabase with row-level security, encrypted connections, and daily backups.
- All API endpoints use HTTPS. Unencrypted HTTP requests are automatically redirected.
Payments
- All payment processing is handled by Stripe. DemoTimer never sees, stores, or processes credit card numbers.
- Stripe is PCI-DSS Level 1 certified, the highest level of payment security certification.
Webhook verification
- All incoming webhooks (Stripe, Recall.ai) are cryptographically verified before processing.
- Invalid or unsigned webhook requests are rejected immediately.
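As an added illustration (not DemoTimer's own code), this is what verifying and rejecting a webhook can look like, using the scheme Stripe documents: a `t=<timestamp>,v1=<hex HMAC-SHA256>` header computed over `<timestamp>.<raw body>`. The function names, the 300-second replay window and the sample secret and event are assumptions constructed for the example.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window, not a value from this page


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, header, body: bytes, now=None) -> bool:
    """Return True only for a fresh, correctly signed request."""
    if not header:
        return False  # unsigned request
    timestamp, candidates = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not candidates:
        return False  # malformed header
    if not (timestamp.isascii() and timestamp.isdigit()):
        return False  # timestamp must be plain decimal digits
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a replay
    expected = sign(secret, int(timestamp), body).encode()
    # Constant-time comparison; any matching v1 value is accepted so that
    # two secrets can overlap during rotation.
    return any(hmac.compare_digest(expected, c.encode()) for c in candidates)


# Constructed sample data, not a real secret or event.
SECRET = b"whsec_example_only"
BODY = b'{"type":"invoice.paid","id":"evt_constructed"}'
NOW = 1_700_000_000
GOOD_HEADER = f"t={NOW},v1={sign(SECRET, NOW, BODY)}"

if __name__ == "__main__":
    print(verify_webhook(SECRET, GOOD_HEADER, BODY, now=NOW))         # valid
    print(verify_webhook(SECRET, GOOD_HEADER, BODY + b" ", now=NOW))  # tampered
    print(verify_webhook(SECRET, GOOD_HEADER, BODY, now=NOW + 3600))  # replayed
    print(verify_webhook(SECRET, None, BODY, now=NOW))                # unsigned
```

The signature must be checked against the raw request bytes, before any JSON parsing or re-serialization changes them.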
Have a security question?
Reach out to sam@demotimer.com. Also see our Privacy Policy for more details on data handling.