// Trust & Security Report

    Calendly Inc. logo

    Calendly Inc.

    Cloud-based meeting scheduling platform for individuals, teams, and enterprises, with integrated Notetaker, Contacts, and Payments features

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    If you would like access to our full SOC 2 report, along with Calendly's other security and compliance documents, sign our NDA and access our Security Center

    Verify on calendly.com
    ISO 27001
    HELD

    If you would like access to our full ISO/IEC 27001 report, along with Calendly's other security and compliance documents, sign our NDA and access our Security Center

    Verify on calendly.com
    SOC 3
    HELD

    SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)

    Verify on calendly.com
    GDPR
    HELD

    Calendly relies on the EU-U.S. Data Privacy Framework, Standard Contractual Clauses and the UK Addendum to legally transfer Personal Data submitted relating to individuals in the European Economic Area, the United Kingdom, and Switzerland.

    Verify on calendly.com
    > Show 2 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    Calendly offers a Business Associate Agreement to eligible Enterprise customers; for other plans, a BAA is typically unavailable. You should not use those plans for PHI (Protected Health Information).

    source: calendly.com
    PCI DSS
    NOT CONFIRMED

    Calendly uses a PCI-compliant pay processor Stripe for encrypting and storing credit card details. Most PCI compliance requirements are the responsibility of Stripe, our payment processor.

    source: calendly.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    United States (with Google Cloud Platform infrastructure)

    No explicit information found regarding AI training on customer data. Notetaker feature uses AI for meeting summaries but no training disclosure visible on public pages.

    // Security controls

    Encryption in Transit

    TLS SHA-256 encryption for all browser-to-platform connections

    calendly.com

    Encryption at Rest

    All data encrypted at rest

    calendly.com

    Password Security

    Passwords stored as salted password hashes

    calendly.com

    Infrastructure

    Kubernetes / Google Cloud Services (GCS) with distributed data centers, continuous monitoring, and layered security

    calendly.com

    Incident Response

    Documented incident response plan with identification, containment, recovery, and retrospective phases

    calendly.com

    Change Management

    New releases thoroughly reviewed and tested; manual peer review by engineering team required before release

    calendly.com

    Vulnerability Management

    Continuous monitoring of systems and open source libraries for security issues

    calendly.com

    Employee Screening

    Pre-employment background checks and ongoing screening for all employees

    calendly.com

    // Products & data scope

    Calendly SchedulingMeeting Scheduling

    data: Calendar integrations, event details, attendee information, booking data

    Core product with OAuth integration for Google Calendar, Outlook, Office 365, iCloud (deprecated as of Aug 2024)

    Calendly NotetakerAI Meeting Summaries

    data: Meeting recordings, transcripts, action items

    Beta feature with limited availability. Uses AI to generate meeting recaps.

    Calendly ContactsContact Management

    data: Contact information, communication history

    Available on Teams and Enterprise plans for managing relationships and communication tools

    Calendly PaymentsPayment Processing

    data: Payment method tokenization, invoice data

    Integrates Stripe and PayPal for payment processing and invoicing

    // What to watch

    • HIPAA compliance limited to Enterprise tier only; non-Enterprise plans should not handle PHI
    • Data residency in US only; no EU or other regional data centers
    • GDPR compliance relies on Data Privacy Framework which is subject to legal challenges; has SCCs and UK Addendum as fallback
    • ISO 27001 and SOC 2 Type II reports require NDA to access; vendor-domain links direct to Whistic portal
    • AI training posture not explicitly disclosed for Notetaker feature; recommend asking vendor directly about opt-out policies

    // At a glance

    Pricing model

    Freemium with tiered pricing: Free, $10/month (Standard), $16/month (Teams), $15k+/year (Enterprise)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Calendly Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    console.whistic.com

    > Browse all vendor trust reports