Calendly is a cloud application that provides meeting scheduling as a service. Our platform creates a seamless experience to schedule meetings through securely integrating with calendar providers to check availability.
Our software is designed to request the most limited access to customer resources to achieve a seamless scheduling experience. We are continuously mindful of our customer’s privacy and limit access to all customer data on a need to know basis internally. Calendly applies best security practices retaining a minimal amount of customer data and operating with the fewest privileges necessary to provide a great experience to our users.
This document is meant to be an overview of platform-related privacy, security, and compliance.
Calendar Integrations
Google Calendar and Office365 Integrations
A Calendly user may use either the Google Calendar or Office365 integrations to connect their calendar with Calendly to simplify scheduling. Calendly is built to only access the minimum data needed from connected calendars to deliver its service. In most instances, our Google Calendar and Office365 integrations only use and display the duration and free/busy status of the events in your calendar so that we don’t book you when you’re busy. A few of our features also use and display the meeting titles in your calendar.
Calendly Outlook Plug-in
In most instances, Calendly's Outlook plug-in only uses and displays the duration and free/busy status of the events in your calendar so that we don’t book you when you’re busy. A few of our features also use and display the meeting titles in your calendar.
The Calendly Platform uses websockets to communicate when new bookings are available with the Calendly for Outlook plug-in. Calendly will write appointment time, duration, subject and scheduled attendee information from Calendly to Outlook. All data is encrypted in transit using TLS. Data stored at rest in the underlying storage is encrypted including automated backups, read replicas, and snapshots.
iCloud Calendar Integration
Note
As of August 20, 2024, Calendly no longer supports new connections to iCloud Calendar. Existing connections will continue to be supported, but new users or those who have not previously set up an iCloud Calendar connection will not be able to do so. To learn how to connect a Google, Office 365 or Outlook.com, or Exchange calendar, check out Connecting your calendar.
The Calendly iCloud Calendar integration uses your iCloud credentials to access the iCloud API. Apple has an all or nothing approach to data access in that the same credentials are used for all services. While Calendly securely stores and restricts access to the iCloud credentials we collect, Calendly recommends setting up two-factor authentication on iCloud accounts and using an app-specific password when setting up the Calendly iCloud Calendar Integration.
Authenticating with calendar integrations
We avoid collecting third-party passwords by utilizing OAuth authentication with Office365 and Google Calendar. Calendly users can disconnect their calendar connection at any time through the Calendar Sync page within their account.
When using the Calendly Outlook Plug-in, Calendly requires installation on customer devices to read calendar conflicts and schedule events. Most of our customers prefer to use OAuth calendar integrations.
Booking Pages
The Calendly platform allows users to customize booking pages to collect relevant information from invitees. Calendly is not intended to be used by users to collect sensitive personally identifiable information.
Data Encryption
- All connections from the browser to the Calendly platform are encrypted in transit using TLS SHA-256 with RSA Encryption.
- All data is encrypted at rest.
- Calendly user passwords are stored as salted password hashes
- User passwords for the iCloud Calendar integration are encrypted
Physical Infrastructure
The Calendly application is hosted on Kubernetes / Google Cloud Services (GCS). GCS' data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
For additional information see:
https://cloud.google.com/security
https://kubernetes.io/docs/concepts/security/
Vulnerability Management
We keep our systems up to date with the latest security patches and continuously monitor for new vulnerabilities through compliance and security mailing lists. This includes automatic scanning of our code repositories for vulnerable dependencies. All of our services run in containers that isolate processes, memory, and the file system using LXC while host-based firewalls restrict applications from establishing local network connections. The services are configured with tight network security constraints to further limit any potential risk. The Google Cloud Platform regularly conducts internal vulnerability assessments and patch the underlying systems.
Incident Response Plan
Identification
Calendly routinely monitors our external services and open source libraries for security issues and has executed Data Processing Addendums (DPA) with our vendors to ensure prompt notification of data breaches. Calendly continuously scans Calendly for service interruptions, performance degradation, and security vulnerabilities with automated tools to immediately alert our engineers when an incident has been detected. Users may also report security issues to the security@calendly.com
Containment
Whenever our engineering team is alerted to a security issue, the team determines what systems are affected and quickly contains the problem by disconnecting all affected systems and devices. Because all of our services run in containers that isolate processes, memory, and the file system they are easily replaced and updated in their entirety inhibiting further escalation.
Recovery
If data was found to be affected, it is restored from clean backup files, ensuring that no vulnerabilities remain. Secondary backups are also stored in Google Cloud. Systems are monitored for any recurrence. Ephemeral services are patched and redeployed eliminating any chance of malware persistence.
Retrospective
The Calendly engineering team analyzes every operations incident and how it was handled, making recommendations for better future response and for preventing a recurrence.
Change Management Plan
New releases to the Calendly Platform are thoroughly reviewed and tested to ensure high availability and a great customer experience. Changes to our codebase are required to include unit tests, integration tests, and end-to-end tests. Changes are also run against our continuous integration server. This enables us to automatically detect any issues in development.
Once a changeset is completed, it is manually peer reviewed by one or more members of the engineering team. The changeset is then evaluated and manually tested by our quality assurance team to thoroughly test areas of expected impact, regression test, and further evaluate the user experience.
After a changeset is released, we continue to monitor application exceptions and log exceptions. These exceptions are regularly reviewed and triaged for resolution. Performance impacts of the changeset are monitored through several monitoring services.
Employee Screening and Policies
As a condition of employment, all Calendly employees undergo pre-employment background checks and receive training during onboarding and throughout their employment on company policies, security, GDPR, and other related security, privacy, and compliance topics.
Compliance
PCI Compliance
Calendly uses a PCI-compliant pay processor Stripe for encrypting and storing credit card details. More information on Stripe’s commitment to security and compliance can be found here. We utilize the direct Stripe javascript integration so your credit card information never reaches Calendly’s servers.
https://stripe.com/docs/security/stripe
GDPR Compliance
You can count on the fact that Calendly is committed to GDPR compliance. We understand the importance of incorporating standards put forth by the General Data Protection Regulation (GDPR) into our data practices and making sure our customers, whether citizens of the EU or businesses that use Calendly with European customers, feel secure and confident to continue using Calendly. We have developed new features, enhanced existing functionalities, and established additional documentation regarding our efforts.
However, GDPR is a broad regulation. Since it’s new, and since there is no certification process, no company can legitimately claim that they are GDPR compliant. Calendly makes a good-faith effort to be compliant with GDPR, both now and as future developments come along.
If you integrate Calendly to share invitee information with another application, we designate invitees in GDPR countries as "transactional contacts" so their information is only used to send information about orders, shipments, test message, etc., unless they explicitly opt-in to future, marketing-related emails.
Legal Documents
Calendly Privacy Policy
Our current privacy policy can be found here:
Calendly Terms of Use and Data Processing Addendum (“DPA”)
Our current terms of use, including a link to our data processing addendum, can be found here:
Calendly End User License Agreement
Our current End User License Agreement can be found here: