Product Security

The Cronofy product team considers security a first-class concern when building and developing any aspect of the Cronofy service.

Encryption in Transit

Cronofy supports TLS 1.2 and TLS 1.3 (where available) to encrypt network traffic between the customer application and Cronofy’s services. TLS is enforced for all communication with Cronofy APIs. TLS to calendar services is used where available.

Encryption at Rest

All calendar and personal data is encrypted at rest. The technologies we use for this currently include Amazon Aurora and Amazon S3.

For particularly sensitive data where the original values are not needed, such as our own passwords, we hash the data using the BCrypt algorithm.

Where the original values are needed, such as authentication details for accessing calendars, the values are encrypted with the AES-256-GCM algorithm, using a unique, randomly generated salt for each set of sensitive data.

Penetration Testing

Cronofy commissions quarterly internal security scans and biannual external penetration tests. The outcomes of these tests are recorded and actioned within an appropriate timescale.

For example, high-priority issues are reviewed internally and remediated as soon as is realistically possible, as per our Patch Management policy.

Calendar Data Permissions

Cronofy uses a given calendar service provider’s permission schemes to access the end-user calendar.

This normally provides Cronofy’s sync engine with full access to all calendar data accessible by the end-user. In some cases, the permission schemes used also provide access to email and contact data. This is NOT accessed by the Cronofy sync engine.

Cronofy’s permission scheme for application providers allows them to request only the level of access required to deliver the functionality they need.