Calendly is a cloud application that provides meeting scheduling as a service. Our platform creates a seamless scheduling experience by securely integrating with calendar providers to check availability. Calendly applies security best practices, retaining a minimal amount of customer data and operating with the fewest privileges necessary to provide a great experience.
When using OAuth calendar integration, Calendly does not require any access to customer computing resources. When using the Calendly Outlook Plug-in, Calendly requires installation on computing resources to read calendar conflicts and schedule events.
Calendly’s commitment to trust
Customer trust is critical to everything we do at Calendly. Our software is designed to request the most limited access to customer resources needed to achieve a seamless scheduling experience. We never store any of your calendar details. We are continuously mindful of our customers' privacy and limit internal access to all customer data on a need-to-know basis. Our employees are given security training during onboarding, and access to internal systems is further protected by multi-factor authentication.
We leverage the Heroku platform to serve our Calendly website. Heroku's physical infrastructure is hosted and managed within Amazon's secure data centers, utilizing Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon's data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
All Calendly data is encrypted at rest and in transit using 256-bit encryption.
Customer security best practices
- We avoid collecting third-party passwords by utilizing OAuth authentication with Office365 and Google Calendar.
- All connections from the browser to the Calendly platform are encrypted in transit using TLS SHA-256 with RSA Encryption.
- All data is encrypted when written to disk.
- User passwords are stored as salted password hashes and are never accessible by any Calendly employee.
Is Calendly GDPR compliant?
Calendly is committed to General Data Protection Regulation (GDPR) compliance. We understand the importance of incorporating standards put forth by the GDPR into our data practices and making sure our customers, whether citizens of the EU or businesses that use Calendly with European customers, feel secure and confident to continue using Calendly. We have developed new features, enhanced existing functionalities, and established additional documentation regarding our efforts.
However, GDPR is a really broad regulation. Since it’s new, and since there is no certification process, no company can legitimately claim that they are GDPR compliant. Calendly makes a good-faith effort to be compliant with GDPR, both now and as future developments come along.
- More clarity and data transparency: We simplified language around the information we collect from our customers and how it is used, along with explanations of your choices for controlling personal information in the Calendly platform.
- GDPR: The GDPR gives EU citizens more control, choices and rights over how their data is used and puts forth guidelines for the collection and processing of data for businesses. We’ve created a Data Processing Addendum that reflects the new GDPR standards and states how we hold ourselves to these standards as a business.
If you integrate Calendly to share invitee information with another application, we designate invitees in GDPR countries as "transactional contacts" so their information is only used to send information about orders, shipments, test messages, etc., unless they explicitly opt in to future marketing-related emails.