Cronofy is committed to maintaining a robust and up to date information security program. A pillar of our commitment to data protection is how we apply GDPR standards to all our data, not just EU data.
ISO27001:2013 is an information security standard set out by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), which specifies the requirements for establishing, implementing, maintaining and continually improving platforms and processes (otherwise known as the ISMS). The standard also sets out requirements for the assessment and treatment of information security risks.
GDPR exists to ensure that businesses like Cronofy have a legal basis for processing Personal Data. The recommended action to do so is simply to ask users for their consent. This consent must be specific and verifiable. This means that a written record of consent must be kept and tied to specific users. It also means that this consent can be withdrawn at any time and businesses then have to delete the PII from their records. Consent also has to be unambiguous and clearly explain what the user agrees to. This means that, for example, pre-checked consent boxes on forms aren't accepted.
EU regulation also clearly defines the rights of the data subjects, the persons whose data is held by businesses. EU citizens have the right to ask for information on how their data is processed, used, and stored. They can also request their data to be handled in a specific fashion. For example, they might not want it hosted outside of the EU. Whatever the reasons, they have the right to request their data to be corrected, amended, or even deleted. They also have the right to access that data and check what personal data is hosted by the company they use. This means that the data processors need to be clear on how they process data – including the different third party services they might be using – and be ready to support user requests in a timely manner.
As a business dealing with sensitive calendar data on behalf of our users protecting this data is paramount. Our data protection team – which includes senior representatives of our Security, Architecture, and Technical team – are continually reviewing our processes in order to ensure that all user data is protected and encrypted.
We have data centers in both the US and Europe, so our clients – no matter where they are – can choose the location that works best for them and their users. We apply GDPR standards to all our data, not just EU data.
We’ve also taken additional actions for GDPR, which you can consult our Terms of Service and End User Terms of Service documents for more details.
The data we host isn’t limited to calendar data. We also use data for marketing purposes. This can range from basic product updates to recurring newsletters.
When clients and prospects entrust us with their Personally Identifiable Information, we ensure that they are clear on how we will be using their data – such as their email address – going forward.
When you use Cronofy, you’re sharing potentially sensitive information with us. It’s our responsibility to make sure that we protect that data, and we take that responsibility very seriously. That’s why information security will always be a first-class concern for us.
Whenever we’re building or developing any aspect of our service, Security is a key consideration. We understand that our customers care deeply about the security of data, and it’s something we feel equally strongly about.
We want our customers to know that they can trust us to process and handle their calendar and event data – always securely and to the highest standards.
The ISO27001 standard, as well as the other standards achieved by Cronofy, serves to demonstrate the fact that we have a world-class Information Security management system in place and ensure confidence in the way we handle all your data.
Achieving certifications is important - however we don't stop there. Cronofy is constantly evaluating developments and updates to standards, and continually updating policies and processes, to ensure we are as secure, and compliant as possible.
We make sure you keep control of your calendar and that it's private to you and those you'd like to share your availability with. Security is at the core of what we do and we have the best practices to ensure that privacy is never compromised.
If you don’t yet have a contract in place with us that includes the necessary Data Processing Agreement (DPA), or if you have any questions about our approach to the GDPR, we’re happy to help.Get in touch