Skip to main content

Security aspects of connecting calendars via Cronofy

Information on the data that is transferred securely between Teamtailor and Cronofy

Updated over a week ago

Teamtailor uses Cronofy’s services in order to connect user’s calendars and, in doing so, deliver our smart scheduling features.

Read more about the smart scheduling features here:

Integration setup

The integration allows individual users to connect their email/calendar account with their Teamtailor account. An individual user can do this by authorizing access to their own calendar via an OAuth2 flow that Cronofy manages. The credentials are not given to us at Teamtailor, instead only Cronofy tokens are passed on (read more here).

As an alternative to individual calendar connect, we offer Enterprise calendar, which allows the customer greater control regarding how much information to share with Cronofy. Read more about this here: Enterprise calendar

Access mode

Both when using the individual calendar or Enterprise calendar connect, you will start by selecting the preferred access mode, which Cronofy will use to connect your calendar.

If you’re unsure which access mode to choose, we recommend asking your internal IT team for guidance.

Read-Write access

This access mode is best suited for users who want a fully automated scheduling experience with no manual steps.

  • Level of access: With Read-Write access, Cronofy has full access to your user's calendar. It can see all details about existing events (including titles, attendees and times), create new ones, and automatically update or reschedule them when needed.

  • Calendar event creation: When a meeting is booked through Teamtailor, it appears directly on your user's calendar, and any changes are reflected automatically.

Free/Busy access

This access mode is best suited for organizations where IT or compliance teams haven't approved full calendar access. You still get the full scheduling experience, but you will need to manually accept meeting invitations.

  • Level of access: With Free/Busy access, Cronofy can see when you are free or busy, but cannot see any event details. It also cannot create, edit, or delete calendar events.

  • Calendar event creation: When a meeting is booked through Teamtailor, you receive a calendar invitation by email with an .ics file, which you will need to accept to add the event to your calendar.

Cronofy & Security

Cronofy takes the security of your calendar data seriously and has worked hard to ensure security standards are ISO 27001, 27701 & 27018 certified, as well as SOC 2 Type 2 attested.

TLS is enforced for all communication with Cronofy APIs. TLS to calendar services is used where available.

All credentials and calendar data within our systems are encrypted at rest with the AES-256-GCM algorithm using a unique, randomly generated salt for each set of sensitive data. All stored data is encrypted at rest.

Cronofy has strict processes for its internal security and commissions regular 3rd party penetration testing.

The Cronofy service is continuously monitored for availability and utilization by internal and external tools. Current and historic status reports are available at https://status.cronofy.com.

Get more details in their compliance center here.

Cronofy's Access to Data

Email data (Exchange): Email data isn't synchronized if accessible. That would require a significant code change that wouldn't pass Cronofy's change review process.

Calendar data (including events not created by Teamtailor): Access to the calendar information is role-based, the majority have no access, Cronofy’s support agents can see obfuscated levels of detail (start time, end time, free or busy) to be able to check availability-related queries, and support engineers have a higher level in order to investigate synchronization issues.

Calendar events not created by Teamtailor are also synchronized to accurately track availability.

Access reviews are performed quarterly to ensure these people have an appropriate level of access for their role.

You can read more about the data that Cronofy collects here. It outlines the following parts:

  • What data Cronofy is collecting

  • How Cronofy might use data

  • Who will be able to access and amend the information

  • With whom Cronofy will share data

Teamtailor & Security

Teamtailor takes security seriously and employs best practices to ensure that privacy and security are not compromised. All data transferred in or out of the application and between system components/servers is encrypted during transmission with TLS 1.2 or above.

Teamtailor’s main data stores are operated and maintained by AWS and Crunchybridge. All customer data is encrypted at rest with AES-256 block-level encryption. Current storage technologies include Postgresql, OpenSearch, and Amazon S3. Databases and S3 storage buckets are automatically backed up using features provided by our hosting providers. Restore tests are done every 6 months.

Teamtailor audits its security controls annually according to the SOC2 Type 2 standard and conducts annual external penetration tests to identify vulnerabilities in its systems and network security.

The Teamtailor platform, services, and third parties involved in the delivery of our services are monitored 24/7/365 by our Product team. Current and historic status reports are available at: https://status.teamtailor.com

Get more details about the Teamtailors security measures at: Teamtailor Security overview.

Related Articles
Connect your calendar and video service
Schedule meeting rooms for your bookings
List of subprocessors for customers using Teamtailor’s Europe (EU) Region
Enterprise calendar
List of subprocessors for customers using Teamtailor’s North America (NA) Region
Did this answer your question?