// Trust & Security Report
Flexibits Inc.
Calendar and tasks app for macOS, iOS, Windows, and Apple Watch
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.flexibits.com“Fantastical has completed Microsoft 365 Certification. https://learn.microsoft.com/en-us/microsoft-365-app-certification/saas/fantastical”
Verify on flexibits.com“Do you have GDPR or other privacy or data protection requirements or obligations (such as CCPA)? Yes. Flexibits maintains a DPA incorporating standard contractual clauses for EU/UK transfers, and has appointed an EU GDPR Representative: Felix Gebhard (FX Data UG, Munich).”
> Show 10 unconfirmed / not-held certifications
source: learn.microsoft.comNo public evidence. Microsoft 365 Certification compliance page states: 'Has the organization achieved a Service Organization Controls (SOC 2) Certification? No'
source: learn.microsoft.comNo public evidence. Microsoft 365 Certification compliance page states: 'Has the organization achieved a Service Organization Controls (SOC 1) Certification? No'
source: learn.microsoft.comNo public evidence. Microsoft 365 Certification compliance page states: 'Is the app International Organization for Standardization (ISO 27001) certified? No'
source: learn.microsoft.comNo public evidence. Microsoft 365 Certification compliance page states: 'Does the app comply with International Organization for Standardization (ISO 27018)? No'
source: learn.microsoft.comNo public evidence. Microsoft 365 Certification compliance page states: 'Does the app comply with International Organization for Standardization (ISO 27017)? No'
source: learn.microsoft.comNo public evidence. Microsoft 365 Certification compliance page states: 'Does the app comply with the Health Insurance Portability and Accounting Act (HIPAA)? No'
source: learn.microsoft.comNo public evidence. Microsoft 365 Certification compliance page states: 'Is the app Federal Risk and Authorization Management Program (FedRAMP) compliant? No'
source: learn.microsoft.comNot applicable. Microsoft 365 Certification compliance page states: 'Do you carry out annual PCI DSS assessments against the app and its supporting environment? N/A'. Payment processing is delegated entirely to Stripe Inc.
source: learn.microsoft.comNo public evidence. Microsoft 365 Certification compliance page states: 'Has the app been Cloud Security Alliance (CSA Star) certified? No'
source: trust.flexibits.comNo public evidence of ISO/IEC 42001 or any dedicated AI management certification found on vendor domain or trust center.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States of America (Google Cloud Platform). No EU or regional data residency option available. EEA/UK/Switzerland users have their data transferred to USA under standard contractual clauses.
Flexibits explicitly prohibits AI training on user data. The Privacy FAQ states: 'Emails are deleted immediately after processing and are not used by Flexibits or Google for AI training.' Calendar events, tasks, and contacts remain on device and are not transmitted to Flexibits servers except for specific features (Apple Watch sync, meeting proposals). AI is used for natural language event parsing and email parsing, but the Privacy FAQ confirms these inputs are not retained for model training.
// Security controls
Encryption in transit
TLS 1.2 or higher (confirmed). DPA states encryption in transit via Google Cloud.
learn.microsoft.comEncryption at rest
Data encrypted at rest via Google Cloud. Synced calendar data additionally protected by end-to-end encryption using a per-account Flexibits Account Key, meaning Flexibits cannot read synced event content.
flexibits.comPenetration testing
Annual third-party penetration test. Confirmed in trust center and Microsoft 365 Certification (Application Security: PASS, Penetration Testing: In Scope).
trust.flexibits.comVulnerability scanning
Quarterly vulnerability scanning performed against app and infrastructure.
learn.microsoft.comMulti-factor authentication
MFA enforced for code repositories, DNS management, and credentials.
learn.microsoft.comSecurity incident response
Formal incident response plan with periodic testing. Breach notification within 72 hours of detection to supervisory authorities and affected individuals.
learn.microsoft.comBusiness continuity and disaster recovery
Documented BCP and DR plan in scope for Microsoft 365 Certification. Annual backup restoration testing.
trust.flexibits.comSubprocessors
Google Inc. (cloud hosting, USA), Stripe Inc. (payments), Campaign Monitor (mailing list), Sentry (crash reporting), AccuWeather (weather data). Infrastructure uses both AWS and GCP per Microsoft 365 cert; trust center lists only GCP.
trust.flexibits.comAutomated security alerting
Gap noted: Microsoft 365 Certification discloses that logs are not reviewed on a regular cadence by automated tooling and alerts are not automatically sent to employees when a security event is detected.
learn.microsoft.com// Products & data scope
data: User profile, calendar events, tasks, contacts. Most data stays on device; minimal server-side storage (account metadata, encrypted synced data for Watch/proposals).
Free tier available. Flexibits Premium subscription unlocks advanced features. Personal use. Privacy-first design; calendar data not transmitted to Flexibits servers in standard use.
data: Same as personal. Up to 5 family members share a single premium subscription with individual private accounts.
Personal use only, not for commercial purposes. Each family member has their own private Flexibits Account.
data: Same device-centric data scope as personal, but licensed for commercial/business use by teams of any size.
Commercial use licensed. No additional enterprise data residency or dedicated tenancy offered. DPA available for EU-based organizations.
data: Availability data, meeting proposals sent to third parties (including external recipients who have not agreed to Flexibits terms). DPA explicitly covers meeting proposal recipients as data subjects.
External recipients of scheduling links have their interaction data processed. Covered by the DPA as a distinct data subject category.
// What to watch
- No SOC 2, ISO 27001, or any other major third-party security audit certification. Confirmed explicitly in Microsoft 365 Certification compliance disclosure.
- Data hosted exclusively in the USA (Google Cloud Platform). No EU, UK, or regional data residency option available for privacy-sensitive deployments.
- Microsoft 365 Certification discloses that regular log review cadence is not fully automated and security event alerts are not automatically sent to employees ('No' for both controls). This is a control gap vs. enterprise-grade vendors.
- Trust center lists Google Cloud as sole infrastructure subprocessor, but Microsoft 365 Certification reports both AWS and GCP are used. Minor transparency inconsistency.
- HIPAA explicitly not complied with. Not suitable for covered entities or healthcare use cases.
- AI features (email parsing, natural language input) process user data through Google infrastructure. Privacy FAQ confirms immediate deletion and no training use, but data does transit Google systems.
- Scheduling feature (Openings/Proposals) exposes data of external third-party recipients who have not agreed to Flexibits terms; DPA covers this but buyers should assess.
- Terms of Service governed by New York law with no mention of GDPR; GDPR compliance handled entirely in separate DPA. Organizations relying on the base ToS alone would not have GDPR protections in contract.
// At a glance
Pricing model
Freemium with subscription (Flexibits Premium). Free tier available. Paid tiers: Individual, Families (up to 5), Teams. Pricing per user per month/year.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Flexibits Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.flexibits.com