Skip to main content

Security aspects of connecting calendars via Cronofy

Leo Costa avatar
Written by Leo Costa
Updated over a month ago

Mercu uses Cronofy’s services in order to connect user’s calendars and in doing so, deliver our smart scheduling features.

Read more about the automated interview scheduling here.

Integration setup for individual users

In this case, the customer adds the integration by letting their individual users connect their email/calendar account with their Mercu account. An individual user can do this by authorizing access to their own calendar via an OAuth2 flow that Cronofy manages. The credentials are not given to us at Mercu, instead only Cronofy tokens are passed on (read more here).

Data flows

The data flow between Mercu, Cronofy, and the customer are as follows:

Mercu to Cronofy:

  • user email (as invites to the event)

  • user token

  • event details (candidate email/phone, name)

Cronofy to Mercu:

  • Mercu created event details

  • Non-Mercu created booked event time, no specific details outside of time

Customer to Cronofy:

  • your name;

  • company/organisation name;

  • email address;

  • phone number;

  • address;

  • calendar appointments;

  • any information contained within your calendar(s).

For Office365 and Exchange, Cronofy requires full mailbox access due to the permission model. They will only access the data, not use it.

Cronofy & Security

Cronofy takes the security of your calendar data seriously and has worked hard to ensure security standards are ISO 27001, 27701 & 27018 certified, as well as SOC 2 Type 2 attested.

TLS is enforced for all communication with Cronofy APIs. TLS to calendar services is used where available.

All credentials and calendar data within our systems are encrypted at rest with the AES-256-GCM algorithm using a unique, randomly generated salt for each set of sensitive data. All stored data is encrypted at rest.

Cronofy has strict processes for its internal security and commissions regular 3rd party penetration testing.

The Cronofy service is continuously monitored for availability and utilization by internal and external tools. Current and historic status reports are available at https://status.cronofy.com.

Get more details in their compliance center: https://www.cronofy.com/compliance-center

Cronofy's Access to Data

Email data (Exchange): Email data isn't synchronized if accessible. That would require a significant code change that wouldn't pass Cronofy's change review process.

Calendar data (including events not created by Mercu): Access to the calendar information is role-based, the majority have no access, Cronofy’s support agents can see obfuscated levels of detail (start time, end time, free or busy) to be able to check availability-related queries, support engineers have a higher level in order to investigate synchronization issues.

Calendar events not created by Mercu are also synchronized to accurately track availability.

Access reviews are performed quarterly to ensure these people have an appropriate level of access for their role.

Get more details about what data does Cronofy collect here.

Did this answer your question?