Security
Last updated June 19, 2026
The short version
- Your data is encrypted in transit (TLS) and at rest.
- Access to your data is least-privilege and logged — staff don't browse your data.
- You connect Google, Microsoft, and Zoom with the minimum access needed, and can disconnect anytime.
- Payments run through Stripe under PCI-DSS — we never store full card numbers.
- Found a vulnerability? Email [email protected] — we'll work with you on it.
This summary is for convenience — the full text below is what governs.
1. Data protection & encryption
We encrypt your data in transit with TLS and at rest in our data stores. Connections to the site and product are served over HTTPS, and credentials and access tokens for the accounts you connect are stored encrypted.
2. Access controls
Access to production systems and customer data follows the principle of least privilege: people get only the access their role requires, and access is reviewed and revoked when it’s no longer needed.
We do not browse your data. Staff access is limited to what’s needed to operate the service, provide support you request, maintain security, or comply with the law — and it’s logged.
3. Connected accounts
When you connect a calendar or meeting tool, we request the minimum access needed to deliver the feature and store the access tokens encrypted. Disconnecting an account revokes our access going forward and deletes the data we hold from it, except where we must retain it to meet a legal obligation.
4. Payment security
Payments are processed by Stripe, a PCI-DSS Level 1 provider. We never see or store your full card number — Stripe handles card data and shares only what we need to manage your subscription.
5. Infrastructure & vendors
Calen360 runs on managed, reputable cloud infrastructure with provider-level network and physical security. We use a small set of vetted sub-processors to operate the service and review their security practices; the current list is in our Privacy Policy.
6. Monitoring & resilience
We log activity across our systems to detect and investigate suspicious behavior, and we keep backups so we can recover from failures. We work to keep the service available and to restore it quickly if something goes wrong.
7. Incident response
We maintain an internal process for responding to security incidents. If a breach affects your personal information, we’ll notify you and the relevant authorities as required by law, and take steps to contain and remediate it.
8. Your part in keeping data safe
Security is shared. You can help protect your account by:
- using a strong, unique password and enabling any available extra sign-in protection;
- being careful about who you invite and what access you grant them;
- disconnecting calendars or meeting tools you no longer use; and
- obtaining any consent the law requires before you capture a meeting.
9. Compliance
We align our practices with widely used security and privacy standards and design the product to support data-protection requirements such as the GDPR and U.S. state privacy laws. We do not currently claim formal certifications (such as SOC 2 or ISO 27001); as we complete them, we’ll publish them here.
10. Reporting a vulnerability
If you believe you’ve found a security issue, please email [email protected] with the details and steps to reproduce. We appreciate responsible disclosure, will acknowledge your report, and ask that you give us a reasonable chance to fix the issue before sharing it publicly. Please don’t access or modify other people’s data while testing.