Skip to main content
All CollectionsSecurity & Compliance
Security aspects of connecting calendars via Cronofy
Security aspects of connecting calendars via Cronofy

Information on the data that is transferred securely between Teamtailor and Cronofy

Evelina Lundmarck avatar
Written by Evelina Lundmarck
Updated over 2 months ago

Teamtailor uses Cronofy’s services in order to connect user’s calendars and in doing so, deliver our smart scheduling features.

Read more about the smart scheduling features here:

Integration setup for individual users

In this case, the customer adds the integration by letting their individual users connect their email/calendar account with their Teamtailor account. An individual user can do this by authorizing access to their own calendar via an OAuth2 flow that Cronofy manages. The credentials are not given to us at Teamtailor, instead only Cronofy tokens are passed on (read more here).

Data flows

The data flow between Teamtailor, Cronofy, and the customer are as follows:

Teamtailor to Cronofy:

  • user email (as invites to the event)

  • user token

  • event details (candidate email, name, Teamtailor-links to jobs and candidate)

Cronofy to Teamtailor:

  • Teamtailor created event details

  • Non-Teamtailor created booked event time, no specific details outside of time

Customer to Cronofy:

  • your name;

  • company/organisation name;

  • email address;

  • phone number;

  • address;

  • calendar appointments;

  • any information contained within your calendar(s).

  • For Office365 and Exchange, Cronofy requires full mailbox access due to the permission model. They will only access the data, not use it.

As an alternative to individual calendar connect, we offer Enterprise Calendar which allows the customer larger control regarding how much information to share with Cronofy. Read more about this here: Enterprise Calendar

Cronofy & Security

Cronofy takes the security of your calendar data seriously and has worked hard to ensure security standards are ISO 27001, 27701 & 27018 certified, as well as SOC 2 Type 2 attested.

TLS is enforced for all communication with Cronofy APIs. TLS to calendar services is used where available.

All credentials and calendar data within our systems are encrypted at rest with the AES-256-GCM algorithm using a unique, randomly generated salt for each set of sensitive data. All stored data is encrypted at rest.

Cronofy has strict processes for its internal security and commissions regular 3rd party penetration testing.

The Cronofy service is continuously monitored for availability and utilization by internal and external tools. Current and historic status reports are available at https://status.cronofy.com.

Get more details in their compliance center: https://www.cronofy.com/compliance-center

Cronofy's Access to Data

Email data (Exchange): Email data isn't synchronized if accessible. That would require a significant code change that wouldn't pass Cronofy's change review process.

Calendar data (including events not created by Teamtailor): Access to the calendar information is role-based, the majority have no access, Cronofy’s support agents can see obfuscated levels of detail (start time, end time, free or busy) to be able to check availability-related queries, support engineers have a higher level in order to investigate synchronization issues.

Calendar events not created by Teamtailor are also synchronized to accurately track availability.

Access reviews are performed quarterly to ensure these people have an appropriate level of access for their role.

Get more details about what data does Cronofy collect here.

Teamtailor & Security

Teamtailor takes security seriously and employs best practices to ensure that privacy and security are not compromised. All data transferred in or out of the application and between system components/servers are encrypted during transmission with TLS 1.2 or above.

Teamtailor’s main data stores are operated and maintained by AWS, and Crunchybridge. All customer data is encrypted at rest with AES-256 block-level encryption. Current storage technologies include Postgresql, OpenSearch, and Amazon S3. Databases and S3 storage buckets are automatically backed up using features provided by our hosting providers. Restore tests are done every 6 months.

Teamtailor audits its security controls annually according to the SOC2 Type 2 standard and conducts annual external penetration tests to identify vulnerabilities in its systems and network security.

The Teamtailor platform, services, and third parties involved in the delivery of our services are monitored 24/7/365 by our Product team. Current and historic status reports are available at: https://status.teamtailor.com

Get more details about the Teamtailors security measures at: Teamtailor Security overview

Did this answer your question?