Security & Privacy

Your calendar data — uncompromisingly protected

Syncory connects your calendars without you giving up control. We rely on proven encryption, certified infrastructure and the principle of data minimization — so your schedule stays private. Here is, in detail, how we do it.

EU
Your data is stored in the European Union
OAuth 2.0
Connect without a password — revoke anytime
AES-256-GCM
Access tokens stored encrypted
SOC 2 · ISO 27001
Certified cloud infrastructure
Core principles

Security is not a feature — it is the foundation

Three principles drive every technical decision at Syncory.

Data minimization

We process only what synchronization truly requires. Event content like titles, descriptions or attendees is not stored permanently — only the technical links that identify two events as “the same".

Encryption everywhere

Data is encrypted in transit (TLS) and at rest (AES-256-GCM for sensitive tokens). Even someone with database access would see ciphertext only — never your access keys.

You stay in control

Access runs through OAuth — we never see your passwords. You can revoke any connection at your provider or in Syncory at any time, and delete your account entirely.

Connection & authentication

OAuth 2.0: access without your password

When you connect a calendar, we never enter your password and never see it. Everything runs through the official, secure OAuth flow of the respective provider.

1

Sign in at the provider

You are redirected directly to Google, Microsoft or Apple and sign in there — on the provider’s servers, not ours.

2

Consent to minimal scopes

You see exactly which permissions Syncory requests. We ask only for calendar access — no access to email, files or contacts.

3

The provider issues a token

Instead of a password, Syncory receives a revocable access token. It is scoped to the calendar and can be withdrawn at any time.

4

Secure usage

The token is encrypted immediately and never stored in plain text — it is used solely to synchronize your calendars.

Important: Syncory never receives your login credentials. You can revoke access with a single click at any time in your calendar provider’s security settings.

Encryption

Your tokens are encrypted — not just “protected"

Access tokens are the most sensitive data Syncory holds. That is why they are encrypted with AES-256-GCM before they ever reach the database.

  • AES-256-GCM — authenticated encryption that also detects tampering
  • A unique initialization vector per token (96-bit)
  • The key lives separately from the database in a protected environment variable
  • The database holds ciphertext only — never a readable token
Your access token
ya29.a0Ad…Tk7Qpz9R
AES-256-GCM
Stored in the database
enc:v1:9f3a2b…:7b2c4e…:e1d4c8a9f0…
Infrastructure & certifications

Standing on certified data centers

Syncory builds on established cloud providers audited to the highest industry standards. Their certifications directly benefit your security.

Vercel
Application & hosting

The Syncory app runs on Vercel with automatic HTTPS, DDoS protection and a global edge network.

SOC 2 Type IIISO 27001Automatic TLS
Supabase
Database & auth

Your data lives in a PostgreSQL database on Supabase with Row-Level Security, stored in the EU region.

SOC 2 Type IIEU regionEncryption at rest
AWS
Underlying cloud

The database infrastructure runs on Amazon Web Services — data centers with decades of established security standards.

ISO 27001 / 27017 / 27018SOC 1 / 2 / 3Physical security

The certifications listed are held and demonstrated by the respective providers (Vercel, Supabase, Amazon Web Services). They describe the infrastructure Syncory builds upon.

Transport & access

Secure at every layer

Protection does not end at token encryption. From browser to database, every layer is safeguarded.

Encrypted in transit

Every connection runs over HTTPS/TLS. Data between your browser, Syncory and the calendar providers is transmitted encrypted.

Strict access control

PostgreSQL Row-Level Security enforces at the database level that each user can only ever see their own data — technically enforced, not just in code.

Encryption at rest

Stored data is encrypted at the infrastructure level; sensitive tokens are additionally encrypted at the application level with AES-256-GCM.

Least privilege

Services and keys receive only the minimum rights needed. Administrative access is tightly limited and separately protected.

Data minimization

What we don’t store can’t be lost

Syncory is built so that as little sensitive information as possible is collected in the first place. That is the most effective privacy protection.

  • No permanent storage of event content such as titles, descriptions or attendees — beyond the processing required for a sync.
  • With the anonymization option in the sync settings, titles and details are replaced by a neutral “Busy" entry.
  • We never use your calendar data for advertising and we do not sell it.
  • Data from Google APIs is used solely for user-facing features in line with the Google API Services User Data Policy — not to train AI models.
Your control

You decide — anytime

Security also means you hold authority over your data at every moment.

Revoke access

Disconnect any calendar in Syncory or directly in your provider’s account settings. The token becomes invalid immediately.

Delete your account

Delete your account and the associated data entirely. All synchronizations end with it.

Anonymization

Enable anonymization per sync — only “Busy" appears in the target calendar, without title, location or attendees. Ideal when private and work calendars should stay separate.

GDPR rights

Within the EEA you are entitled to access, rectification, erasure and portability. A single message to us is enough.

Operations & development

Security that runs in the background

Secure software is not built once — it is continuously maintained.

Secure key management

All secrets — API keys, encryption keys, database credentials — live exclusively in protected environment variables, never in source code.

Hardened interfaces

Webhooks and API endpoints are protected by signatures or secret tokens so that only legitimate requests are processed.

Up-to-date dependencies

We keep frameworks and libraries current to close known vulnerabilities promptly.

Isolated processing

Every sync runs with locks against double execution and accesses only the data of its specific rule.

FAQ

Security — answered briefly

Can Syncory see my password?

No. Connections run exclusively through OAuth 2.0. You sign in directly with the provider; Syncory only receives a revocable access token — never your credentials.

How are access tokens protected?

They are encrypted with AES-256-GCM before reaching the database. The key lives separately from the database in a protected environment variable — the database holds ciphertext only.

How do I revoke access?

Disconnect in Syncory or remove Syncory’s permission in your calendar provider’s security settings. The token becomes invalid immediately.

Where is my data stored?

In a PostgreSQL database on Supabase, stored in the EU region on AWS infrastructure. The application itself runs on Vercel.

Is my event content stored?

Event content like titles, descriptions or attendees is not stored permanently beyond the processing required for a sync. With anonymization per sync, titles and details are additionally replaced by “Busy".

Can I export my data?

Yes. Message our team and we’ll provide the data we hold about you in a common, machine-readable format. Within the EEA this is part of your right to data portability.

Do you use my data for ads or AI training?

No. We do not sell data, do not run ads on it and do not use it to train machine-learning models.

How do you protect against DDoS attacks?

The application runs behind Vercel’s global edge network, which provides automatic DDoS protection and load balancing. Suspicious traffic is filtered before it ever reaches the application.

How are security incidents detected and handled?

We rely on centralized logs, monitoring and automated alerts from our infrastructure providers. Anomalies are prioritized by severity and escalated internally so we can respond quickly.

Do you run regular security checks?

Yes. Automated vulnerability and dependency scans run continuously during development and in production.

What is your backup and recovery plan?

The database is backed up automatically and regularly. Combined with infrastructure-as-code, the service can be restored quickly and with minimal downtime if needed.

How do you choose your third-party providers?

We deliberately work only with established providers certified to recognized standards. Before and during a partnership we look at reputation, certifications, incident history and security policies.

How do you notify about data breaches?

If, despite all measures, a breach of your data protection occurs, we promptly notify affected users in line with GDPR.

Ready to sync securely?

Connect your calendars with a service that considers privacy from the very first line of code.