Built in Europe with security-by-design
At Cronofy, we are trusted with the calendar data of millions of people. That requires that we place privacy and security at the heart of all of our design decisions, technology choices and processes.
Both of Cronofy’s founders had years of technical experience working in or servicing regulated industries. This ensured that as an organization, from the top down, mature and considered data management was a first-class concern, pervading every decision from the very beginning of the company.
A good example of this is how we securely support online booking workflows.
We identified a key limitation in the permissions schemes provided by the calendar services offered by Google and Microsoft. If you want to be able to create events in people’s calendars, then the service providers require that you have full access to all of the data in that calendar. This is not a desirable position for any organization that is focused on data privacy.
The job to be done is putting events in people’s calendars at times that they are free. A software application shouldn’t need access to all of the detail of the calendar events in order to achieve that.
To address this, we designed our infrastructure to treat events that people put in their calendars separately from events that applications create via our APIs. This allows applications to request just free/busy access to their users’ calendar data yet still create events when bookings are made.
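To make the split concrete, here is an added illustration (not Cronofy’s code) of the model described above: user-authored events and application-created events live in separate stores, a free/busy-scoped credential receives only busy intervals, and an application can still book a free slot and read back its own events. The scope names, class layout and sample events are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Scopes an application can request (names are assumed, not Cronofy's).
FREE_BUSY = "free_busy"        # read busy intervals only
READ_EVENTS = "read_events"    # read full detail of user-authored events
CREATE_EVENT = "create_event"  # write events that the application owns

@dataclass(frozen=True)
class Event:
    start: datetime
    end: datetime
    summary: str
    owner_app: Optional[str] = None  # None means the user authored it

class Calendar:  # user-authored and app-created events are kept apart
    def __init__(self) -> None:
        self._user_events: list[Event] = []            # synced from the provider
        self._app_events: dict[str, list[Event]] = {}  # app_id -> events it created

    def load_user_event(self, event: Event) -> None:
        self._user_events.append(event)

    def _busy(self) -> list[tuple[datetime, datetime]]:
        events = self._user_events + [e for evs in self._app_events.values() for e in evs]
        return sorted((e.start, e.end) for e in events)

    def free_busy(self, scopes: set[str]) -> list[tuple[datetime, datetime]]:
        """Intervals only: no summaries, attendees or ids reach the caller."""
        if not scopes & {FREE_BUSY, READ_EVENTS}:
            raise PermissionError("free_busy scope required")
        return self._busy()

    def create_event(self, app_id: str, scopes: set[str],
                     start: datetime, end: datetime, summary: str) -> Event:
        """Book a slot if it is free; why a slot is busy is never disclosed."""
        if CREATE_EVENT not in scopes:
            raise PermissionError("create_event scope required")
        if any(s < end and start < e for s, e in self._busy()):
            raise ValueError("slot is busy")
        event = Event(start, end, summary, owner_app=app_id)
        self._app_events.setdefault(app_id, []).append(event)
        return event

    def read_events(self, app_id: str, scopes: set[str]) -> list[Event]:
        """An app sees its own events in full; user detail needs read_events."""
        own = list(self._app_events.get(app_id, []))
        return own + list(self._user_events) if READ_EVENTS in scopes else own
```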
It wasn’t just a case of making this technically possible. We also had to build the security infrastructure around the data to protect it. This required a zero-bug policy, fully automated deployment and testing, and continuous internal education.
Since first becoming ISO and SOC 2 accredited in 2020, we have had zero major or minor non-conformities every time we’ve been audited. This is testament to us not seeing accreditations like these as a badge that allows us to tick a box on an RFP.
Instead, they are an important reassurance to our customers that this is how we do business and that we continue to be good custodians of their data.
Cronofy has achieved the ISO/IEC 27001:2013 certification, the international standard for information security management systems (ISMS). The ISO 27001 certification requires the assessment of our information security management controls.
ISO 27018 is a set of controls and guidelines that specifies how to protect Personally Identifiable Information (PII) in the cloud. Cronofy complies with ISO 27018, which provides a set of objectives for implementing measures to protect PII. This is in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
Cronofy has achieved ISO 27701:2019, the privacy extension of ISO 27001. Cronofy operates a PIMS (Privacy Information Management System) and data protection processes to an established, world-class standard.
SOC 2 defines the criteria for secure handling and management of customer data. Cronofy has been audited and complies with the standards set out by the AICPA as part of the SOC 2 standard. Cronofy has successfully completed audits for both SOC 2 Type 1 and Type 2.
Cronofy is HIPAA (Health Insurance Portability and Accountability Act) compliant, ensuring that PHI (Protected Health Information) is processed and stored in line with the Titles defined within HIPAA, specifically Title II. We can supply a Business Associate Agreement (BAA) on request.
Cronofy adheres to the principles of the European General Data Protection Regulation (GDPR). GDPR is a comprehensive data protection law that governs the collection and use of personal data of EU citizens and residents, and that allows data subjects to exercise control over their data. It is widely considered to be the most stringent global privacy standard and we're proud to uphold it.
Cronofy has an explicit Privacy Notice in place that advises users of their rights under the California Consumer Privacy Act (CCPA). We process personal data in line with the requirements set out by the CCPA, for the purpose of providing services. This includes compliance with policies such as Anti-Discrimination, the Right to Be Forgotten, the Right to Access Data Collected, and control over data shared with third parties.