Last updated: 2026-02-16
Security and data handling
This page summarizes current security controls and trust posture so buyers can evaluate Setmate quickly and clearly.
Payments and card data
Payments are processed by Stripe. Setmate does not store raw card numbers or CVC values. Transaction records and identifiers are retained for billing and reconciliation.
Encryption and transport
Connections to Setmate are protected with HTTPS/TLS. Access to connected providers is granted through OAuth-based authorization flows.
Data controls
Businesses can export data and request deletion or anonymization through supported account workflows, subject to legal and operational retention obligations.
Integrations and access
Integrations such as Google Calendar, Calendly, HubSpot, and Xero use revocable OAuth access where available. Access can be disconnected when no longer needed.
Security controls at a glance
| Area | Control | Current implementation |
|---|---|---|
| Payment data | Stripe-hosted payment processing | Card entry and processing are handled by Stripe. Setmate does not store raw card numbers or CVC values. |
| Transport security | HTTPS/TLS encryption in transit | Traffic to Setmate is served over HTTPS/TLS to protect data in transit. |
| Integration access | OAuth-based, revocable provider access | Google, Calendly, HubSpot, and Xero integrations use OAuth flows where available and can be disconnected. |
| Secrets handling | No OAuth token exposure in client responses | Public API responses avoid serializing OAuth/refresh token fields. |
| Data rights | Export and deletion controls | Businesses can export data and request deletion or anonymization through supported workflows, subject to legal retention obligations. |
| Logging posture | Sensitive token-safe logging guidance | Code paths include safeguards to avoid logging raw OAuth/token payloads. |
Compliance and assurance status
- PCI card handling is provided via Stripe's payment stack.
- OAuth-based access is used for supported integrations.
- Data export/deletion controls are available for business accounts.
- Security claims on this page reflect currently deployed controls and published policy language.
For legal terms and processing details, review the Privacy Policy and Terms of Service.
Subprocessor summary
Setmate uses third-party providers for infrastructure, payments, integrations, and AI operations.
Incident and vulnerability reporting
To report a potential security issue, email contact@setmate.io with subject line Security Report.
Include reproduction steps, impacted endpoints, and severity context when possible.
Procurement and security review support
Need security questionnaire support, data handling clarification, or buyer diligence assistance?
Request security review support
Need a security review before rollout?
We can support buyer diligence questions and implementation trust requirements.