Security
Built with your data in mind
A summary of how we keep your callsheets, crew records, and account information safe.
Encryption in transit
All traffic to and from Holy Callsheet is encrypted with TLS 1.3. Public share links use the same encryption (no plain-HTTP exposure).
EU data hosting
Project data, crew records, and callsheets are stored in Supabase (Frankfurt, EU-Central-1). Files like brand logos sit in the same region. Stripe handles billing data with PCI-DSS Level 1 compliance.
Row-level security
Every database query is scoped to your account at the database layer. Even if a request slipped through the application code, Postgres would refuse to return data that isn’t yours. Team workspaces follow the same rules: only members of a team can read its data.
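The kind of policy this section describes can be sketched in plain Postgres. This is an added example, not Holy Callsheet's schema or code: the table, column, policy and role names, the `app_uid()` helper and the `app.user_id` session setting are all assumptions (on Supabase, `auth.uid()` supplies the authenticated user's id).

```sql
-- Constructed schema and rows; every name here is an assumption for illustration.
CREATE TABLE team_members (team_id uuid, user_id uuid, PRIMARY KEY (team_id, user_id));
CREATE TABLE callsheets (
    id       bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    owner_id uuid NOT NULL,
    team_id  uuid,              -- NULL for a personal callsheet
    title    text NOT NULL
);
INSERT INTO team_members VALUES
    ('00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-00000000000a');
INSERT INTO callsheets (owner_id, team_id, title) VALUES
    ('00000000-0000-0000-0000-00000000000a', NULL, 'A personal'),
    ('00000000-0000-0000-0000-00000000000b',
     '00000000-0000-0000-0000-000000000001', 'Team shoot'),
    ('00000000-0000-0000-0000-00000000000b', NULL, 'B personal');

-- Hypothetical stand-in for the authenticated user's id; yields NULL when unset.
CREATE FUNCTION app_uid() RETURNS uuid LANGUAGE sql STABLE
AS $$ SELECT nullif(current_setting('app.user_id', true), '')::uuid $$;

-- Once RLS is enabled, a row is returned only if some policy admits it.
ALTER TABLE callsheets ENABLE ROW LEVEL SECURITY;
ALTER TABLE team_members ENABLE ROW LEVEL SECURITY;

-- A user can see only their own membership rows.
CREATE POLICY own_memberships ON team_members
    FOR SELECT USING (user_id = app_uid());
-- Read access: rows the user owns, or rows of a team the user belongs to.
CREATE POLICY owner_or_team_read ON callsheets
    FOR SELECT USING (
        owner_id = app_uid()
        OR team_id IN (SELECT team_id FROM team_members WHERE user_id = app_uid())
    );
-- Write access: only the owner, and a row cannot be reassigned to someone else.
CREATE POLICY owner_write ON callsheets
    FOR ALL USING (owner_id = app_uid()) WITH CHECK (owner_id = app_uid());

-- Superusers, table owners and BYPASSRLS roles skip policies, so verify
-- the behaviour as an unprivileged role.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT ON callsheets, team_members TO app_user;
SET ROLE app_user;

-- As user A: an unfiltered SELECT is still limited to A's own and A's team rows.
SET app.user_id = '00000000-0000-0000-0000-00000000000a';
SELECT title FROM callsheets ORDER BY id;

-- With no identity set, app_uid() is NULL and no policy admits any row.
RESET app.user_id;
SELECT count(*) FROM callsheets;
RESET ROLE;
```

The final two queries carry no `WHERE` clause on purpose: they model a request whose application-level filter was forgotten, and the database still applies the policies.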
Password protection on share links
Pro and Teams accounts can password-protect callsheet share links. Passwords are hashed with bcrypt before storage. We cannot recover them, and neither can an attacker who somehow accesses the database.
Minimal tracking today
Holy Callsheet currently embeds no third-party trackers. The only cookies we set are for keeping you signed in and remembering which workspace you’re viewing. We may add a privacy-respecting analytics or marketing pixel (such as Meta Pixel) in the future. If we do, you’ll see a cookie consent banner first and can opt out.
Sub-processors
We use Supabase (database, auth, file storage), Vercel (web hosting and edge network), Stripe (payments), and Resend (transactional email). Each is GDPR-compliant and listed in our privacy policy.
Found a security issue?
We take responsible disclosure seriously. Email security@holycallsheet.com with details. We aim to acknowledge within 24 hours.