Your privacy and security

Calendly is a cloud service that simplifies meeting scheduling by securely connecting to calendar providers to check availability. We follow strict security practices, keeping minimal customer data and using only the necessary permissions.

With OAuth calendar integration, Calendly doesn't need access to your device. However, if you use the Calendly Outlook Plug-in, it must be installed to read calendar conflicts and schedule events.

Calendly’s commitment to trust

Customer trust is key to everything we do at Calendly. Our software asks for only the necessary access to provide smooth scheduling, and we never store your calendar details. We protect your privacy by limiting access to customer data internally. Employees receive security training, and access to internal systems is secured with multi-factor authentication.

Physical infrastructure

The Calendly application is hosted on Kubernetes / Google Cloud Services (GCS). GCS' data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

PCI compliance

Calendly uses Stripe, a PCI-compliant payment processor, for encrypting and storing credit card details. More information on Stripe’s commitment to security and compliance can be found here. We utilize the direct Stripe JavaScript integration, so your credit card information never reaches Calendly’s servers.

Customer security best practices

We avoid collecting third-party passwords by utilizing OAuth authentication with Office365 and Google Calendar.

Data Encryption:

  • All connections from the browser to the Calendly platform are encrypted in transit using TLS SHA-256 with RSA Encryption.
  • All data is encrypted when written to disk.
  • User passwords are stored as salted password hashes and are never accessible to any Calendly employee.

Is Calendly GDPR compliant?

Calendly is committed to General Data Protection Regulation (GDPR) compliance. We understand the importance of incorporating standards put forth by the GDPR into our data practices and making sure our customers, whether citizens of the EU or businesses that use Calendly with European customers, feel secure and confident to continue using Calendly. We have developed new features, enhanced existing functionalities, and established additional documentation regarding our efforts.

Calendly has designed its data privacy program to be compliant with GDPR, both now and as future developments come along.

In response to the new data protection rules for EU customers based on the General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, we have updated our Terms of Use and Privacy Policy. There is no action required on your part, and the changes should not affect the way you use Calendly. Here are a few of the highlights of the security changes:

  • More clarity and data transparency: We simplified language around the information we collect from our customers and how it is used, along with explanations of your choices for controlling personal information in the Calendly platform.
  • GDPR: The GDPR gives EU citizens more control, choices and rights over how their data is used and puts forth guidelines for the collection and processing of data for businesses. We’ve created a Data Processing Addendum that reflects the new GDPR standards and states how we hold ourselves to these standards as a business.

If you integrate Calendly to share invitee information with another application, we designate invitees in GDPR countries as "transactional contacts" so their information is only used to send information about orders, shipments, test messages, etc., unless they explicitly opt in to future, marketing-related emails.

To learn more, take a look at our Privacy Policy.