// Trust & Security Report
Calendly Inc.
Cloud-based meeting scheduling platform for individuals, teams, and enterprises, with integrated Notetaker, Contacts, and Payments features
Certifications held
4
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on calendly.com“If you would like access to our full SOC 2 report, along with Calendly's other security and compliance documents, sign our NDA and access our Security Center”
Verify on calendly.com“If you would like access to our full ISO/IEC 27001 report, along with Calendly's other security and compliance documents, sign our NDA and access our Security Center”
Verify on calendly.com“Calendly relies on the EU-U.S. Data Privacy Framework, Standard Contractual Clauses and the UK Addendum to legally transfer Personal Data submitted relating to individuals in the European Economic Area, the United Kingdom, and Switzerland.”
> Show 2 unconfirmed / not-held certifications
source: calendly.comCalendly offers a Business Associate Agreement to eligible Enterprise customers; for other plans, a BAA is typically unavailable. You should not use those plans for PHI (Protected Health Information).
source: calendly.comCalendly uses a PCI-compliant pay processor Stripe for encrypting and storing credit card details. Most PCI compliance requirements are the responsibility of Stripe, our payment processor.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
United States (with Google Cloud Platform infrastructure)
No explicit information found regarding AI training on customer data. Notetaker feature uses AI for meeting summaries but no training disclosure visible on public pages.
// Security controls
Infrastructure
Kubernetes / Google Cloud Services (GCS) with distributed data centers, continuous monitoring, and layered security
calendly.comIncident Response
Documented incident response plan with identification, containment, recovery, and retrospective phases
calendly.comChange Management
New releases thoroughly reviewed and tested; manual peer review by engineering team required before release
calendly.comVulnerability Management
Continuous monitoring of systems and open source libraries for security issues
calendly.comEmployee Screening
Pre-employment background checks and ongoing screening for all employees
calendly.com// Products & data scope
data: Calendar integrations, event details, attendee information, booking data
Core product with OAuth integration for Google Calendar, Outlook, Office 365, iCloud (deprecated as of Aug 2024)
data: Meeting recordings, transcripts, action items
Beta feature with limited availability. Uses AI to generate meeting recaps.
data: Contact information, communication history
Available on Teams and Enterprise plans for managing relationships and communication tools
data: Payment method tokenization, invoice data
Integrates Stripe and PayPal for payment processing and invoicing
// What to watch
- HIPAA compliance limited to Enterprise tier only; non-Enterprise plans should not handle PHI
- Data residency in US only; no EU or other regional data centers
- GDPR compliance relies on Data Privacy Framework which is subject to legal challenges; has SCCs and UK Addendum as fallback
- ISO 27001 and SOC 2 Type II reports require NDA to access; vendor-domain links direct to Whistic portal
- AI training posture not explicitly disclosed for Notetaker feature; recommend asking vendor directly about opt-out policies
// At a glance
Pricing model
Freemium with tiered pricing: Free, $10/month (Standard), $16/month (Teams), $15k+/year (Enterprise)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Calendly Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
console.whistic.com