Data Security at Calendox

Data Security

Last updated: June 18, 2026
This Data Security policy describes the technical and organizational measures Calendox uses to protect Your Personal Data and calendar information. By using our Service, you acknowledge the practices described in this policy.
Please read this policy alongside our Privacy Policy, which describes what data We collect and why.

Interpretation and Definitions

Interpretation

The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

Definitions

For the purposes of this Data Security policy:

  • Company (referred to as either “the Company”, “We”, “Us” or “Our” in this Agreement) refers to Calendox.
  • Country refers to: Netherlands
  • Service refers to Calendox, your intelligent calendar assistant that helps you manage time, schedule meetings, and stay organized with AI-powered insights.
  • Personal Data means any information that relates to an identified or identifiable individual.
  • Account means a unique account created for You to access our Service or parts of our Service.
  • You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.

Our Approach to Security

Calendox is built around a simple principle: We only access the calendar data needed to provide the sync and scheduling features You enable, and We protect that data using layered technical controls at every stage of the request — from authentication, through authorization and storage, to the connections We make with Google, Microsoft, and other third-party providers.
While no method of transmission over the Internet or electronic storage is completely secure, We use commercially accepted standards and continuously review our practices to reduce risk.

Encryption

  • Encryption in transit: All connections to the Service are served over HTTPS. We enforce HTTP Strict Transport Security (HSTS) so browsers always connect over an encrypted channel and protocol downgrades are rejected.
  • Encryption at rest: Account data and calendar metadata are stored in a managed PostgreSQL database hosted on secure cloud infrastructure with encryption at rest.
  • OAuth tokens: Access and refresh tokens issued by Google, Microsoft, and other connected providers are stored server-side only. They are never sent to or stored in Your browser — the client only ever holds a reference to Your authenticated session.

Authentication and Account Protection

  • Sign-in is handled through passwordless magic links and OAuth 2.0 with Google and Microsoft — there are no passwords for Us to store or for attackers to steal.
  • Sessions are managed as signed, HTTP-only cookies. The cookie contains only a reference to a server-side session — never credentials, tokens, or calendar data.
  • Every request to a protected part of the Service is independently verified server-side, so a compromised browser or network cannot bypass authentication.

Data Isolation and Access Control

Your data is isolated at the database level using row-level security policies, so Your account, syncs, and calendar events can only be read or modified within the context of Your own Account (or, for Enterprise accounts, Your organization's tenant). This isolation is enforced by the database itself, not only by application code.
Resources You access — such as a sync, calendar, or event — are always verified for ownership before any read or write occurs, preventing one user or organization from accessing another's data.

Infrastructure Protection

Our infrastructure applies multiple layers of defense to every request:

  • Security headers (HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and a restrictive Permissions-Policy) are applied to every response to reduce the risk of clickjacking, content injection, and data leakage.
  • Sensitive endpoints (such as billing and team invitations) are rate-limited per account to prevent abuse.
  • Bot and automated-abuse protection (Cloudflare Turnstile) is used on public forms such as Contact Us.

Calendar Provider and Webhook Security

When You connect Google Calendar, Microsoft Outlook/Exchange, or other supported providers, real-time updates are delivered to Calendox through provider webhooks. Every incoming webhook is cryptographically verified against its provider-issued signature before its contents are read or processed — unverified or unsigned requests are rejected immediately and never reach Your data.
Each webhook event is also checked against a record of previously processed events, so a redelivered or duplicated notification cannot be processed twice.
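
The verify-then-deduplicate order described above, as an added example that is not Calendox's code. The HMAC-SHA256 scheme over the raw body, the `id` field, the secret, and all names are assumptions; each provider defines its own verification mechanism.

```python
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed value, not a real credential
SAMPLE_BODY = b'{"id": "evt-001", "resource": "calendar/primary"}'  # constructed


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the exact bytes received (assumed signing scheme)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    def __init__(self, secret: bytes):
        self._secret = secret
        # Stand-in for a durable table with a unique constraint on event id.
        self._seen = set()

    def handle(self, raw_body: bytes, signature_hex) -> str:
        # 1. Verify the signature over the raw bytes before any parsing,
        #    using a constant-time comparison.
        expected = sign(self._secret, raw_body).encode()
        supplied = (signature_hex or "").encode()
        if not hmac.compare_digest(expected, supplied):
            return "rejected"

        # 2. Only now read the contents.
        try:
            event_id = json.loads(raw_body)["id"]
        except (ValueError, KeyError, TypeError):
            return "malformed"

        # 3. Drop redelivered or duplicated notifications.
        if event_id in self._seen:
            return "duplicate"
        self._seen.add(event_id)
        return "processed"


if __name__ == "__main__":
    receiver = WebhookReceiver(SECRET)
    good_sig = sign(SECRET, SAMPLE_BODY)
    print(receiver.handle(SAMPLE_BODY, good_sig))
    print(receiver.handle(SAMPLE_BODY, good_sig))
    print(receiver.handle(SAMPLE_BODY, None))
```

In a multi-instance deployment the duplicate check has to be an atomic insert into shared storage, otherwise two workers can both see an event as new.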

Data Minimization

  • Your calendar event content — titles, descriptions, and locations — is not stored in Calendox's database. We display it by reading it live from Your connected provider each time, and internally use only a one-way, non-reversible fingerprint to detect whether an event has changed since the last sync.
  • We do not analyze, mine, or derive insights from the content of Your calendar events (titles, descriptions, locations, or attendees).
  • Error monitoring is configured to automatically scrub calendar event content (titles, descriptions, locations, attendees) before it is transmitted to our error-tracking tools.
  • When You disconnect a calendar, remove a sync, or delete Your Account, the associated synced data is automatically and permanently removed — including, for Business and Enterprise teams, calendar and directory data belonging to the team when it is deleted.

Vulnerability Management

We follow a documented secure development lifecycle that includes code review, automated dependency vulnerability scanning before each release, and prioritized remediation of security findings by severity.

Reporting a Security Issue

If You believe You have found a security vulnerability in the Service, please report it responsibly rather than disclosing it publicly. You can reach our security team by email, and We will acknowledge reports promptly and work with You on coordinated disclosure.

Changes to This Policy

We may update this Data Security policy from time to time as our practices and infrastructure evolve. We will post any changes on this page and update the "Last updated" date above. We encourage You to review this policy periodically.

Contact Us

If You have any questions about this Data Security policy, You can contact Us: