// Trust & Security Report

    Cal.com, Inc. logo

    Cal.com, Inc.

    Scheduling and meeting booking software with customizable workflows, video conferencing, and automation. Notable sub-products: Cal.com (managed cloud service), Cal.diy (open-source community edition), Cal.ai (AI phone agent for automated scheduling).

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Cal.com's SOC 2 Type II certification is audited by an independent third party, proving our controls work as intended. Cal.com undergoes an independent external audit every year to maintain our SOC 2 Type II certification.

    Verify on cal.com
    ISO 27001
    HELD

    Cal.com's privacy-by-design scheduling software meets ISO 27001 standards. HIPAA, ISO 27001, SOC 2 Compliant Scheduling App.

    Verify on cal.com
    HIPAA
    HELD

    Cal.com offers a HIPAA compliant Enterprise plan that includes a signed Business Associate Agreement (BAA) and features designed to protect PHI, such as encrypted data storage, access logging, and customizable intake workflows.

    Verify on cal.com
    GDPR
    HELD

    Cal.com's privacy-by-design scheduling software meets GDPR standards. Cal.com offers a Europe option (Cal.eu) that ensures scheduling data stays within Europe, adhering to GDPR regulations.

    Verify on cal.com
    CCPA
    HELD

    Cal.com's data protection rights are covered by the CCPA. Cal.com engages a limited number of third-party service providers to support the delivery of our services, all bound by confidentiality and data protection obligations consistent with applicable privacy laws.

    Verify on cal.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Dual availability: US-based default, EU-based option (Cal.eu) available for GDPR compliance with data stored and processed within EU borders.

    No public evidence found that Cal.com trains its core scheduling engine on customer data. Cal.ai (AI phone agent) is a separate opt-in product; no specific claims found about training practices for that service.

    // Security controls

    Encryption

    Data encrypted in transit and at rest with continuous monitoring and vulnerability management

    cal.com

    Penetration Testing

    Annual third-party penetration testing of web application; regular internal penetration tests

    cal.com

    Access Logging

    Encrypted access logs with role-based access control (RBAC) and audit trails for enterprise plans

    cal.com

    Availability

    99.9% uptime SLA for Enterprise, with option for 99.99% SLA available

    cal.com

    Continuous Monitoring

    Automated continuous monitoring and Vanta-based compliance monitoring year-round with external auditor verification annually

    cal.com

    // Products & data scope

    Cal.com Cloud (Free Plan)Scheduling & Booking

    data: Unlimited event types, calendar syncing, workflow automation, basic video conferencing (Cal Video), Stripe payment integration

    Most feature-rich free tier among competing scheduling tools; no credit card required; unlimited for individuals

    Cal.com Teams ($16/user/month)Scheduling & Booking

    data: Round-robin scheduling, shared team availability, team workflows, advanced reporting

    Designed for small business teams and distributed sales/support groups

    Cal.com Organizations ($37/user/month)Scheduling & Booking

    data: Org-wide admin controls, centralized management, sub-team structure, advanced access control

    For mid-size to large companies requiring enterprise governance without full enterprise pricing

    Cal.com Enterprise (Custom Pricing)Scheduling & Booking

    data: HIPAA BAA, priority support, dedicated database, 99.9% SLA (99.99% option), white-labeling, SSO (SAML), SCIM provisioning, domain enforcement, custom data residency

    Compliant for regulated industries (healthcare, finance). Includes custom domain support via own SMTP (upcoming feature). Most HIPAA-friendly option.

    Cal.ai (AI Phone Agent)AI / Automation

    data: Automated phone calls for meeting scheduling, AI-powered booking agent

    Separate product; add-on to main platform; reduces booking friction through voice automation

    Cal.diy (Open Source Community Edition)Self-Hosted / Open Source

    data: Full scheduling engine, app store framework, booking infrastructure; MIT-licensed

    100% MIT-licensed; no proprietary features; designed for personal/hobbyist self-hosting; not recommended for production; community-maintained

    // At a glance

    Pricing model

    Freemium: Free tier (unlimited for individuals) + Team ($16/user/month) + Organization ($37/user/month) + Enterprise (custom). Cal.diy is free and open source (MIT).

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Cal.com, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    cal.com

    > Browse all vendor trust reports