Where is your data stored?
Calendly user and invitee data is hosted in United States data centers provided by Google and Amazon Web Services (“AWS”). We also have signed Data Processing Addendums (DPAs) with subprocessors of our data.
The Calendly application is hosted on Kubernetes / Google Cloud Services (GCS). GCS' data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
For additional information see:
- All connections from the browser to the Calendly platform are encrypted in transit using TLS SHA-256 with RSA encryption.
- All data is encrypted at rest.
- Calendly user passwords are stored as salted password hashes.
- User passwords for the iCloud Calendar integration are stored using salted encryption.
International Data Transfers
How do I legally transfer personal data from the EEA or the UK to Calendly for processing?
We take data privacy and protection very seriously, including the transfer of personal data from the EEA or UK to Calendly in the US.
Calendly has incorporated the newest Standard Contractual Clauses and the UK addendum into its Data Processing Agreement (“DPA”) as its legal transfer mechanism under GDPR and UK data privacy laws. Additionally, all of Calendly's sub-processors who receive personal data from Calendly have signed DPAs with Calendly.
Calendly is monitoring legal developments with respect to personal data transfers to the United States, including those related to a new Trans-Atlantic Data Privacy Framework being negotiated by the European Commission and the US. In the meantime, the Standard Contractual Clauses and UK Addendum in our contracts help ensure that adequate safeguards are in place for any onward transfers of personal data to Calendly.
What are Standard Contractual Clauses?
Standard Contractual Clauses (“SCCs”) are form contracts that impose obligations on the parties with respect to personal data use, protection, and sharing. When parties include SCCs in their contracts, the SCCs allow for the legal transfer of personal data from the EEA to countries not deemed adequate with respect to their data protection laws, such as the United States.
In 2021, the European Commission released a new version of SCCs (“2021 SCCs”) as part of changes it made to data privacy laws in response to the European Court of Justice’s 2020 decision known as “Schrems II”. With the Schrems II decision, the Court invalidated Privacy Shield as a valid transfer mechanism for personal data from the EU to the United States due to concerns over US surveillance laws. The 2021 SCCs are currently the only legal mechanism reasonably available to Calendly’s customers to transfer EU personal data to Calendly in the United States. More information regarding the 2021 SCCs can be found on the European Commission’s website.
What is the UK Addendum?
As one of the many data privacy law changes the UK has been working on since it left the European Union, the UK’s Information Commissioner's Office released in May 2022 its own data transfer agreement, as well as an addendum that organizations may add to and use with the 2021 SCCs (“UK Addendum”) to allow for legal transfers of UK personal data to countries not deemed adequate with respect to their data protection laws, such as the United States. More information regarding the UK Addendum can be found on the ICO’s website.
What are the deadlines by which organizations must include the 2021 SCCs and UK Addendum in their contracts?
- Organizations must begin using the 2021 SCCs in new contracts on September 27, 2021.
- Organizations must update existing contracts to include the 2021 SCCs by December 27, 2022.
- Organizations must begin using the UK Addendum in new contracts on September 21, 2022.
- Organizations must update existing contracts to include the UK Addendum by March 21, 2024.
Does Calendly’s DPA include the 2021 SCCs and the UK Addendum?
Yes. Calendly has updated our DPA to include the 2021 SCCs and the UK Addendum.
Do these updates to Calendly’s DPA to include the 2021 SCCs and the UK Addendum apply to me?
These updates apply to you if you collect personal data from individuals in the EEA or the UK when you use the Calendly platform to schedule meetings.
I need information from Calendly in order to complete a Transfer Impact Assessment. What should I do?
Calendly understands that customers need certain information in order to complete transfer impact assessments. Please contact us to request a copy of our TIA FAQ document which provides information specific to Calendly’s personal data processing and discusses the applicability of US surveillance laws to Calendly.