Security

Compliance

Access compliance documents, certifications, and data protection agreements

Data Protection Agreement

SOC 2 Type II report

ISO 27001 Certification

Penetration test report

Security

As a company that has achieved ISO 27001, SOC 2 Type II, CCPA, GDPR, and HIPAA certifications, we understand the critical importance of information security in today's digital landscape. We take pride in the rigorous security protocols we have in place and are dedicated to maintaining the highest standards of security excellence.

How has this been accomplished?

We utilize security and compliance automation platforms to ensure that we remain continuously compliant and adhere to the relevant security protocols. We have a centralized platform that automates the assessment and monitoring of various security controls and procedures.

What happens if something becomes out of compliance?

If something were to fall out of compliance, our compliance automation platform would detect the issue and alert us immediately. This allows us to take prompt action to address the problem and get back into compliance quickly.

Procedures & controls

Secure policies & procedures

Written information security policies and procedures ensure that the company has documented and tested controls in place.

Vulnerability & penetration testing

Cal.com's web application undergoes an annual external penetration test by a third party to identify security vulnerabilities.

Data encryption

Encryption of sensitive data helps to ensure that the data cannot be accessed or read by unauthorized parties.

Multi-factor authentication

Multi-factor authentication helps to prevent unauthorized access to the company's systems.

Secure development lifecycle

All changes to our codebase are protected with branch protection and required peer reviews.

Monitoring

Ongoing monitoring of system access logs and network traffic helps to detect and respond to potential security incidents.

Employee training & awareness

Regular training and awareness programs for employees help to ensure that they are equipped to handle customer data securely.

Access controls & background checks

Background checks are performed on all new hires. We review application access quarterly.

Third-party audits and assessments

Regular third-party audits provide an independent validation of the effectiveness of the company's security controls.

Intrusion detection

Cal.com utilizes intrusion detection systems to continuously monitor our systems for potential threats.

Vulnerability disclosure

At Cal.com, we consider the security of our systems a top priority. If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible.

Out-of-scope vulnerabilities:

  • Clickjacking
  • Cross-Site Request Forgery (CSRF)
  • Attacks requiring MITM or physical access
  • Any activity that could lead to DoS
  • Content spoofing and text injection
  • SPF email spoofing
  • Missing DNSSEC or CAA records, or missing CSP headers

What to do and what not to do

  • Do not run automated scanners on our infrastructure
  • Do not take advantage of the vulnerability
  • Do not reveal the problem to others until resolved
  • Do not use physical security attacks or social engineering

How to report a vulnerability

You can report vulnerabilities here: https://github.com/calcom/cal.com/security/advisories