Security overview

Last updated: June 9, 2026

You are trusting OnCallRadar with the answer to a high-pressure question: who do I call right now? We take that trust seriously. Here is how we protect your data.

Your data is encrypted in transit and at rest

All traffic between you and the Service is encrypted and sent over HTTPS (TLS); we redirect insecure requests to HTTPS. Our PostgreSQL database is hosted on encrypted storage, and database backups are encrypted as well. Sensitive credentials are never stored in plain text: passwords for email accounts are stored only as one-way bcrypt hashes, and sign-in sessions are carried in signed tokens rather than long-lived server-side records.

Strict tenancy isolation

OnCallRadar is multi-tenant by design, and keeping organizations separate is a first-class requirement, not an afterthought. Every request is scoped to the organization on the authenticated session, and every data query is filtered by that organization. There is no cross-organization read path: one organization can never see another organization’s people, schedules, or contact details.

Permission-based access control

Access within an organization is governed by explicit permissions rather than broad roles. Sensitive actions — managing people, changing organization settings, approving changes — are gated on the specific permissions a user holds, and those permissions never cross organization boundaries. Changes to the published on-call schedule flow through an approval workflow, so edits are reviewed and signed off before they go live.

Accountability and audit trail

The roster is intentionally a shared, multi-editor system with no single owner. To keep it accountable, every applied change and every approval decision is written to an immutable change log — who did what, and when. That record is the backbone of trust in the answer the Service gives.

Reliable, regularly updated infrastructure

The Service runs on managed cloud infrastructure in the European Union with redundant, backed-up storage. We keep our dependencies and platform patched, and we run the application as a containerized deployment so environments are reproducible and easy to roll forward.

Careful data handling

No one at OnCallRadar looks at the content in your account except for limited purposes with your express permission, or in the rare case where an error requires manual intervention to fix. We log account access for security and fraud prevention. For full details on what we collect and how long we keep it, see our Privacy Policy.

Reporting a vulnerability

We welcome reports from security researchers and will work with you in good faith to investigate and fix verified issues. If you believe you have found a security vulnerability, please email us at [email protected] with enough detail to reproduce it. Please do not access or modify data that is not yours, and give us a reasonable chance to respond before any public disclosure. If a breach ever affects your data, we will notify affected customers without undue delay.