
Reever · Security
Quiet, deliberate security.
Reever holds calendar tokens, booking data, and AI conversations for thousands of meetings. Here is how we treat that responsibility, in plain language. Operated by VenTech, LLC.
Encryption everywhere
All traffic to and from Reever uses TLS 1.2+. OAuth access and refresh tokens for connected calendars are encrypted at rest with AES-256-GCM before they touch our database. Database backups are encrypted by default at the storage layer.
Tokens and credentials
Magic-link tokens are single-use, expire in 15 minutes, and are stored as SHA-256 hashes (the plaintext token never lands on disk). Webhook signing secrets rotate on demand. We do not handle card data; Stripe does, and we only see a customer reference.
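The magic-link handling described above, as an added example that is not Reever's own code: the token is stored only as a SHA-256 digest, expires after 15 minutes, and is consumed on first use. The `MagicLinkStore` class, its in-memory dictionary standing in for a database table, and the injectable clock are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # 15-minute lifetime, as stated on the page


class MagicLinkStore:
    """Hypothetical in-memory stand-in for the token table."""

    def __init__(self, clock=time.time):
        self._rows = {}      # sha256 hex digest -> row; plaintext is never a key or value
        self._clock = clock  # injectable so expiry can be tested without sleeping

    @staticmethod
    def _digest(token: str) -> str:
        # A fast hash is sufficient here because the token is 256 bits of
        # CSPRNG output, not a guessable password.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        token = secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = {
            "email": email,
            "expires_at": self._clock() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token  # goes into the emailed link only

    def redeem(self, token: str):
        """Return the email on the first valid use, otherwise None."""
        row = self._rows.get(self._digest(token))
        if row is None:
            return None  # unknown or tampered token
        if row["used"] or self._clock() >= row["expires_at"]:
            return None  # replayed or expired
        # Against a real database this check-and-set must be one atomic
        # statement (an UPDATE guarded by used = false) so two concurrent
        # requests cannot both redeem the same link.
        row["used"] = True
        return row["email"]
```

A leaked copy of the table yields only digests, which cannot be turned back into working links.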
Data minimization
We read calendar free/busy and event metadata only when computing availability or writing a booking. We do not retain your calendar events in our database beyond what is needed to manage the Reever-created booking. Auto-prep research is generated on demand and stored alongside the specific booking it powers.
AI processing
The Reever agent and auto-prep features call Anthropic’s API. Under our commercial agreement, Anthropic does not use customer data to train its models. Outputs are generated per request; we keep prompts and responses tied to your account so you can review and delete them.
Access control
Production access is limited to authorized engineers, gated by SSO, and audit-logged. Code changes ship through pull-request review and automated tests on every change. Bot defenses run on signup and on public booking confirmation.
Sub-processors
We use a small set of vendors to run the service: Vercel (hosting), Neon (Postgres), Resend (email), Anthropic (AI), Google and Microsoft (calendar OAuth), Stripe (billing), Sentry (error monitoring), Upstash (rate limiting). Each has its own security posture; the full list with purpose is in our Privacy Policy.
Observability
Every request gets a unique request ID propagated through logs and surfaced on the response so issues can be traced end-to-end. Errors flow into Sentry with user attribution disabled by default; we never ship message contents off-platform.
Resilience and recovery
Postgres backups run automatically with point-in-time recovery on the primary instance. Our public booking engine uses partial-unique database indexes to make double-bookings impossible at the storage layer, not just at the application layer.
Responsible disclosure
Found something? Tell us.
If you believe you’ve found a security issue in Reever, email eli@ventechdigital.com with a short reproduction. We respond within one business day, treat reports confidentially, and will credit you when the fix ships if you’d like the recognition.
For DPA requests, sub-processor disclosures beyond what’s listed here, or other compliance documentation, contact the same address.