Where is your data stored?
Calendly user and invitee data is hosted in United States data centers provided by Google and Amazon Web Services (“AWS”). We also have signed Data Processing Addendums (DPAs) with subprocessors of Customer Data.
Infrastructure Compliance
The Calendly application is hosted on Kubernetes / Google Cloud Services (GCS). GCS' data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
For additional information see:
Data Encryption
- All connections from the browser to the Calendly platform are encrypted in transit using TLS SHA-256 with RSA Encryption.
- All data is encrypted at rest.
- Calendly user passwords are stored as salted password hashes.
- User passwords for the iCloud Calendar integration are stored using salted encryption.
International Data Transfers
How do I legally transfer personal data from the EEA or the UK to Calendly for processing?
We take data privacy and protection very seriously, including the transfer of personal data from the EEA or UK to Calendly in the US.
Calendly has incorporated the newest Standard Contractual Clauses and the UK addendum into its Data Processing Agreement (“DPA”) as its legal transfer mechanism under GDPR and UK data privacy laws. Additionally, all of Calendly's sub-processors who receive Customer personal data from Calendly have signed DPAs with Calendly.
Calendly is monitoring legal developments with respect to personal data transfers to the United States, including those related to a new Trans-Atlantic Data Privacy Framework being negotiated by the European Commission and the US. In the meantime, the Standard Contractual Clauses and UK Addendum in our contracts help ensure that adequate safeguards are in place for any onward transfers of personal data to Calendly.
What are Standard Contractual Clauses?
Standard Contractual Clauses (“SCCs”) are form contracts providing obligations on parties with respect to personal data use, protection, and sharing. When parties include SCCs in their contracts, the SCCs allow for the legal transfer of personal data from the EEA to countries not deemed adequate with respect to their data protection laws, such as the United States.
What is the UK Addendum?
As one of the many data privacy law changes the UK is working on since it left the European Union, the UK’s Information Commissioner's Office released its own data transfer agreement in May 2022, as well as an addendum it will allow organizations to add to and use with the 2021 SCCs (“UK Addendum”).
Does Calendly’s DPA include the 2021 SCCs and the UK Addendum?
Yes. Calendly has updated our DPA to include the 2021 SCCs and the UK Addendum.
Do these updates to Calendly’s DPA to include the 2021 SCCs and the UK Addendum apply to me?
These updates apply to you if you collect personal data from individuals in the EEA or the UK when you use the Calendly platform to schedule meetings.
I need information from Calendly in order to complete a Transfer Impact Assessment. What should I do?
Calendly understands that customers need certain information in order to complete transfer impact assessments. Please contact us to request a copy of our TIA FAQ document which provides information specific to Calendly’s personal data processing and discusses the applicability of US surveillance laws to Calendly.