Calendly security and privacy

Connect with confidence and join millions of successful people and thousands of businesses who trust Calendly

Security and privacy are important to you and the people you meet. We adhere to two clear security and privacy principles: your data is yours, alone, and we must ensure security and privacy throughout the scheduling experience for our customers and your contacts.
Tope Awotona, Founder and CEO, Calendly

5M+ users

36K+ businesses

Worry-free calendar connection

Zero knowledge

Calendly never stores personally identifiable information associated with your connected calendar like participants, contact information and notes. We only use your connected calendar to read your busy times to prevent double booking.

Secure authentication

Calendly offers Google and Office365 users a secure OAuth connection—meaning Calendly never reads or stores your passwords. iCloud calendar connection passwords are stored encrypted. For users logging in with email and password, Calendly always salts the credentials.

Zero email access

Calendly never accesses your email contacts or address book. We also do not read the emails you send and receive associated with your connected email account or calendar.

Want detailed specifications on how we connect securely with your calendar?

Read our white paper

It’s your data, not ours—and we work hard to keep it secure

Calendly has a dedicated team of compliance and security experts to ensure rigorous privacy and security standards are met. Here are the policies, procedures and technologies we use to comply with and exceed industry standard requirements.

Data hosting
Amazon Web Services: Heroku’s physical infrastructure is hosted and managed within Amazon’s secure data centers. Calendly leverages all of the platform’s built-in security, privacy and redundancy features. AWS continually monitors its data centers for risk and undergoes assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under: ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II), PCI Level 1, FISMA Moderate and Sarbanes-Oxley (SOX).
Heroku: The Calendly application is hosted on Heroku using AWS technology. See Heroku’s Commitment to Trust.
Google: Calendly backups are replicated between AWS and Google Cloud Platform for high redundancy. See Google’s Trust and Security.
Encryption: Data that passes through Calendly is encrypted, both in transit and at rest. All connections from the browser to the Calendly platform are encrypted in transit using TLS SHA-256 with RSA Encryption. Calendly requires HTTPS for all services. Calendly uses HSTS to ensure browsers interact with Calendly only over HTTPS and is on the HSTS preloaded lists for both Google Chrome and Mozilla Firefox.
Security and compliance programs
Background checks: All Calendly employees go through a thorough background check before hire.
Training: While we retain a minimal amount of customer data and limit internal access on a need-to-know basis, all employees are trained on security and data handling to ensure that they uphold our strict commitment to the privacy and security of your data.
Confidentiality: All employees sign a confidentiality agreement before they start at Calendly.
Reliability and redundancy
Business continuity and disaster recovery: We have business continuity and disaster recovery plans in place that replicate our database and back up the data onto multiple cloud providers to ensure high availability.
Software development lifecycle
Routine audits: Calendly continuously scans the product for service interruptions, performance degradation and security vulnerabilities to immediately alert our engineers and take action when an incident has been detected.
New releases: New releases to the Calendly platform are thoroughly reviewed and tested to ensure high availability and a great customer experience. Changes to our codebase are required to include unit tests, integration tests and end-to-end tests. Changes are run against our continuous integration server, which enables us to automatically detect any issues in development.
Quality assurance testing: Once a changeset is completed, it is manually peer reviewed by one or more members of the engineering team. The changeset is then evaluated and manually tested by our quality assurance team to thoroughly test areas of expected impact, regression test and further evaluate the user experience.
Continual monitoring: After a changeset is released, we continue to monitor application exceptions and log exceptions. These exceptions are regularly reviewed and triaged for resolution. Performance impacts of the changeset are monitored through several monitoring services.
Vulnerability control
Mobile device management (MDM): We secure our employees' machines and laptops using mobile device management to ensure that each device follows our information security standards, including encryption.
Malicious software prevention: Our employees’ equipment is defended by anti-malware software, and we run routine phishing tests to further educate and train employees.
Vulnerability scanning: We keep our systems up to date with the latest security patches and continuously monitor for new vulnerabilities through compliance and security mailing lists. This includes automatic scanning of our code repositories for vulnerable dependencies.
Application security measures
Login credential protection: For Google Calendar and Office365 calendar connections, Calendly never collects passwords. Using a secure OAuth connection to sync these calendars only grants Calendly access to your calendar account through a secure token from your email provider. This also enables you to set additional security precautions with that provider including 2-factor authentication (2FA). For iCloud users, we recommend setting up 2FA and application-specific passwords.
Deprovisioning: Since Calendly offers seamless OAuth through Google Calendar and Office365, calendar connection is eliminated automatically when your account is canceled.

Looking for more information on Calendly’s security and privacy?

Read our white paper

Certifications and compliance

SOC 2 Type 2

SOC 2 is the gold standard for security compliance. We have obtained SOC 2 Type 2 certification for our commitment to establish and follow security policies and procedures.

PCI compliant

We are PCI compliant through our payment processor, Stripe, which encrypts and stores credit card details.

GDPR committed

We have incorporated GDPR standards into data practices to make sure our customers, whether citizens of the EU or businesses with European customers, feel secure to use Calendly. Learn more about Calendly and GDPR.

500+ 5-star reviews

We’re always improving and always available

If you think you may have found a security vulnerability, have suggestions that will help to protect privacy or have questions for our team, please contact us at For more information on security and privacy, visit our Help Center.