Privacy, security, and compliance

KB PrivacyAndSecurity 08MAR2021

Calendly is the cloud app that securely integrates with your calendar and other applications to help you schedule

To protect your privacy and security, we access and retain only the data we need to effectively support your scheduling experience. We also leverage only those permissions required to perform those tasks.

We’re hosted on Amazon Web Services and Heroku

Calendly uses Heroku, the cloud application platform, to operate and deploy our software. Heroku is hosted and managed in Amazon’s secure data centers using Amazon Web Services (AWS) technology. To ensure compliance with industry best practices, Amazon’s data centers are accredited to conform to these industry standards:

  • ISO 27001

  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)

  • PCI Level 1

  • FISMA Moderate

  • Sarbanes-Oxley (SOX) 

For additional information see:
https://aws.amazon.com/security/
https://www.heroku.com/policy/security 

We keep our systems up-to-date

Calendly uses the latest security patches to keep our systems secure. We use compliance best practices to manage vulnerabilities and monitor security mailing lists to track the latest threats. We automatically scan our code to identify potential vulnerable dependencies.

To isolate processes, memory, and the file system, we run our processes in Linux containers (LXC) and use host-based firewalls to prevent applications from establishing local network connections. To further limit potential risks, we configure our services with tight network security constraints. AWS and Heroku regularly conduct internal vulnerability assessments and update underlying systems (see the Heroku security policy linked above).

We encrypt all data

Calendly encrypts all connections from your browser in transit using TLS (our certificate is signed with SHA-256 with RSA). We store user passwords as salted hashes rather than in plaintext.

We respond promptly to incidents

We monitor external services and open source libraries for security issues. To ensure we’re promptly notified of data breaches, we sign Data Processing Addendum (DPA) agreements with our vendors.

We use automated tools to continuously scan for service interruptions, performance degradation, and security vulnerabilities and alert our engineers as incidents are detected. Our team determines which systems are involved and quickly contains issues by disconnecting impacted systems and devices. Because all of our services run in containers that isolate processes, memory, and the file system, we often replace impacted systems entirely to inhibit further escalation.

If we find that data is impacted by an incident, we restore that data from a clean backup to ensure that no vulnerabilities remain. For added protection, we store secondary backups in Google Cloud and monitor systems to look for recurrences. We patch ephemeral services and redeploy them to reduce the chance of malware persistence.

If you discover a security issue

Please contact us at security@calendly.com.

We test all releases

To ensure system availability and provide the best experience, we review and test all updates to Calendly. For each change, we write unit, integration, and end-to-end tests, then run those tests on our continuous integration server. Our quality assurance team evaluates and manually tests the functions expected to be impacted by a change to ensure they're not negatively affected (regression testing).

After we release a change, we continue to monitor and log exceptions and schedule them for resolution. We use several monitoring services to track the performance impact of changes.

We prepare our employees to help secure your data

We conduct pre-employment checks on new Calendly employees and require that they sign a confidentiality agreement. During onboarding and on a recurring basis thereafter, we train employees on company policies, security, privacy, and compliance to ensure they all know how to properly use and protect your data.

To ensure that each device follows our information security standards, including encryption, we secure our employees’ computers using mobile device management. Our employees’ equipment is defended by anti-malware software, and we run routine phishing tests to further educate and train employees.

_____________


Legal documents
Calendly’s privacy policy
Calendly’s Terms of Use and Data Processing Addendum (DPA)
Calendly’s End User License agreement