// Trust & Security Report

    Flexibits Inc. logo

    Flexibits Inc.

    Calendar and tasks app for macOS, iOS, Windows, and Apple Watch

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    Microsoft 365 Certified
    HELD

    Fantastical has completed Microsoft 365 Certification. https://learn.microsoft.com/en-us/microsoft-365-app-certification/saas/fantastical

    Verify on trust.flexibits.com
    GDPR
    HELD

    Do you have GDPR or other privacy or data protection requirements or obligations (such as CCPA)? Yes. Flexibits maintains a DPA incorporating standard contractual clauses for EU/UK transfers, and has appointed an EU GDPR Representative: Felix Gebhard (FX Data UG, Munich).

    Verify on flexibits.com
    > Show 10 unconfirmed / not-held certifications
    SOC 2 Type II
    NOT CONFIRMED

    No public evidence. Microsoft 365 Certification compliance page states: 'Has the organization achieved a Service Organization Controls (SOC 2) Certification? No'

    source: learn.microsoft.com
    SOC 1
    NOT CONFIRMED

    No public evidence. Microsoft 365 Certification compliance page states: 'Has the organization achieved a Service Organization Controls (SOC 1) Certification? No'

    source: learn.microsoft.com
    ISO 27001
    NOT CONFIRMED

    No public evidence. Microsoft 365 Certification compliance page states: 'Is the app International Organization for Standardization (ISO 27001) certified? No'

    source: learn.microsoft.com
    ISO 27018
    NOT CONFIRMED

    No public evidence. Microsoft 365 Certification compliance page states: 'Does the app comply with International Organization for Standardization (ISO 27018)? No'

    source: learn.microsoft.com
    ISO 27017
    NOT CONFIRMED

    No public evidence. Microsoft 365 Certification compliance page states: 'Does the app comply with International Organization for Standardization (ISO 27017)? No'

    source: learn.microsoft.com
    HIPAA
    NOT CONFIRMED

    No public evidence. Microsoft 365 Certification compliance page states: 'Does the app comply with the Health Insurance Portability and Accounting Act (HIPAA)? No'

    source: learn.microsoft.com
    FedRAMP
    NOT CONFIRMED

    No public evidence. Microsoft 365 Certification compliance page states: 'Is the app Federal Risk and Authorization Management Program (FedRAMP) compliant? No'

    source: learn.microsoft.com
    PCI DSS
    NOT CONFIRMED

    Not applicable. Microsoft 365 Certification compliance page states: 'Do you carry out annual PCI DSS assessments against the app and its supporting environment? N/A'. Payment processing is delegated entirely to Stripe Inc.

    source: learn.microsoft.com
    CSA STAR
    NOT CONFIRMED

    No public evidence. Microsoft 365 Certification compliance page states: 'Has the app been Cloud Security Alliance (CSA Star) certified? No'

    source: learn.microsoft.com
    ISO/IEC 42001 (AI Management)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 or any dedicated AI management certification found on vendor domain or trust center.

    source: trust.flexibits.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States of America (Google Cloud Platform). No EU or regional data residency option available. EEA/UK/Switzerland users have their data transferred to USA under standard contractual clauses.

    Flexibits explicitly prohibits AI training on user data. The Privacy FAQ states: 'Emails are deleted immediately after processing and are not used by Flexibits or Google for AI training.' Calendar events, tasks, and contacts remain on device and are not transmitted to Flexibits servers except for specific features (Apple Watch sync, meeting proposals). AI is used for natural language event parsing and email parsing, but the Privacy FAQ confirms these inputs are not retained for model training.

    // Security controls

    Encryption in transit

    TLS 1.2 or higher (confirmed). DPA states encryption in transit via Google Cloud.

    learn.microsoft.com

    Encryption at rest

    Data encrypted at rest via Google Cloud. Synced calendar data additionally protected by end-to-end encryption using a per-account Flexibits Account Key, meaning Flexibits cannot read synced event content.

    flexibits.com

    Penetration testing

    Annual third-party penetration test. Confirmed in trust center and Microsoft 365 Certification (Application Security: PASS, Penetration Testing: In Scope).

    trust.flexibits.com

    Vulnerability scanning

    Quarterly vulnerability scanning performed against app and infrastructure.

    learn.microsoft.com

    Continuous security monitoring

    Continuously monitored by Secureframe.

    trust.flexibits.com

    Multi-factor authentication

    MFA enforced for code repositories, DNS management, and credentials.

    learn.microsoft.com

    Security incident response

    Formal incident response plan with periodic testing. Breach notification within 72 hours of detection to supervisory authorities and affected individuals.

    learn.microsoft.com

    Business continuity and disaster recovery

    Documented BCP and DR plan in scope for Microsoft 365 Certification. Annual backup restoration testing.

    trust.flexibits.com

    Subprocessors

    Google Inc. (cloud hosting, USA), Stripe Inc. (payments), Campaign Monitor (mailing list), Sentry (crash reporting), AccuWeather (weather data). Infrastructure uses both AWS and GCP per Microsoft 365 cert; trust center lists only GCP.

    trust.flexibits.com

    Automated security alerting

    Gap noted: Microsoft 365 Certification discloses that logs are not reviewed on a regular cadence by automated tooling and alerts are not automatically sent to employees when a security event is detected.

    learn.microsoft.com

    // Products & data scope

    Fantastical Personal (Free + Premium)Calendar and task management app

    data: User profile, calendar events, tasks, contacts. Most data stays on device; minimal server-side storage (account metadata, encrypted synced data for Watch/proposals).

    Free tier available. Flexibits Premium subscription unlocks advanced features. Personal use. Privacy-first design; calendar data not transmitted to Flexibits servers in standard use.

    Fantastical for FamiliesCalendar and task management app

    data: Same as personal. Up to 5 family members share a single premium subscription with individual private accounts.

    Personal use only, not for commercial purposes. Each family member has their own private Flexibits Account.

    Fantastical for TeamsCalendar and task management app (commercial)

    data: Same device-centric data scope as personal, but licensed for commercial/business use by teams of any size.

    Commercial use licensed. No additional enterprise data residency or dedicated tenancy offered. DPA available for EU-based organizations.

    Fantastical Scheduling (Openings, Proposals)Meeting scheduling

    data: Availability data, meeting proposals sent to third parties (including external recipients who have not agreed to Flexibits terms). DPA explicitly covers meeting proposal recipients as data subjects.

    External recipients of scheduling links have their interaction data processed. Covered by the DPA as a distinct data subject category.

    // What to watch

    • No SOC 2, ISO 27001, or any other major third-party security audit certification. Confirmed explicitly in Microsoft 365 Certification compliance disclosure.
    • Data hosted exclusively in the USA (Google Cloud Platform). No EU, UK, or regional data residency option available for privacy-sensitive deployments.
    • Microsoft 365 Certification discloses that regular log review cadence is not fully automated and security event alerts are not automatically sent to employees ('No' for both controls). This is a control gap vs. enterprise-grade vendors.
    • Trust center lists Google Cloud as sole infrastructure subprocessor, but Microsoft 365 Certification reports both AWS and GCP are used. Minor transparency inconsistency.
    • HIPAA explicitly not complied with. Not suitable for covered entities or healthcare use cases.
    • AI features (email parsing, natural language input) process user data through Google infrastructure. Privacy FAQ confirms immediate deletion and no training use, but data does transit Google systems.
    • Scheduling feature (Openings/Proposals) exposes data of external third-party recipients who have not agreed to Flexibits terms; DPA covers this but buyers should assess.
    • Terms of Service governed by New York law with no mention of GDPR; GDPR compliance handled entirely in separate DPA. Organizations relying on the base ToS alone would not have GDPR protections in contract.

    // At a glance

    Pricing model

    Freemium with subscription (Flexibits Premium). Free tier available. Paid tiers: Individual, Families (up to 5), Teams. Pricing per user per month/year.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Flexibits Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.flexibits.com

    > Browse all vendor trust reports