Syncory connects your calendars without you giving up control. We rely on proven encryption, certified infrastructure and the principle of data minimization — so your schedule stays private. Here is, in detail, how we do it.
Three principles drive every technical decision at Syncory.
We process only what synchronization truly requires. Event content like titles, descriptions or attendees is not stored permanently — only the technical links that identify two events as “the same".
Data is encrypted in transit (TLS) and at rest (AES-256-GCM for sensitive tokens). Even someone with database access would see ciphertext only — never your access keys.
Access runs through OAuth — we never see your passwords. You can revoke any connection at your provider or in Syncory at any time, and delete your account entirely.
When you connect a calendar, we never enter your password and never see it. Everything runs through the official, secure OAuth flow of the respective provider.
You are redirected directly to Google, Microsoft or Apple and sign in there — on the provider’s servers, not ours.
You see exactly which permissions Syncory requests. We ask only for calendar access — no access to email, files or contacts.
Instead of a password, Syncory receives a revocable access token. It is scoped to the calendar and can be withdrawn at any time.
The token is encrypted immediately and never stored in plain text — it is used solely to synchronize your calendars.
Important: Syncory never receives your login credentials. You can revoke access with a single click at any time in your calendar provider’s security settings.
Access tokens are the most sensitive data Syncory holds. That is why they are encrypted with AES-256-GCM before they ever reach the database.
ya29.a0Ad…Tk7Qpz9Renc:v1:9f3a2b…:7b2c4e…:e1d4c8a9f0…Syncory builds on established cloud providers audited to the highest industry standards. Their certifications directly benefit your security.
The Syncory app runs on Vercel with automatic HTTPS, DDoS protection and a global edge network.
Your data lives in a PostgreSQL database on Supabase with Row-Level Security, stored in the EU region.
The database infrastructure runs on Amazon Web Services — data centers with decades of established security standards.
The certifications listed are held and demonstrated by the respective providers (Vercel, Supabase, Amazon Web Services). They describe the infrastructure Syncory builds upon.
Protection does not end at token encryption. From browser to database, every layer is safeguarded.
Every connection runs over HTTPS/TLS. Data between your browser, Syncory and the calendar providers is transmitted encrypted.
PostgreSQL Row-Level Security enforces at the database level that each user can only ever see their own data — technically enforced, not just in code.
Stored data is encrypted at the infrastructure level; sensitive tokens are additionally encrypted at the application level with AES-256-GCM.
Services and keys receive only the minimum rights needed. Administrative access is tightly limited and separately protected.
Syncory is built so that as little sensitive information as possible is collected in the first place. That is the most effective privacy protection.
Security also means you hold authority over your data at every moment.
Disconnect any calendar in Syncory or directly in your provider’s account settings. The token becomes invalid immediately.
Delete your account and the associated data entirely. All synchronizations end with it.
Enable anonymization per sync — only “Busy" appears in the target calendar, without title, location or attendees. Ideal when private and work calendars should stay separate.
Within the EEA you are entitled to access, rectification, erasure and portability. A single message to us is enough.
Secure software is not built once — it is continuously maintained.
All secrets — API keys, encryption keys, database credentials — live exclusively in protected environment variables, never in source code.
Webhooks and API endpoints are protected by signatures or secret tokens so that only legitimate requests are processed.
We keep frameworks and libraries current to close known vulnerabilities promptly.
Every sync runs with locks against double execution and accesses only the data of its specific rule.
No. Connections run exclusively through OAuth 2.0. You sign in directly with the provider; Syncory only receives a revocable access token — never your credentials.
They are encrypted with AES-256-GCM before reaching the database. The key lives separately from the database in a protected environment variable — the database holds ciphertext only.
Disconnect in Syncory or remove Syncory’s permission in your calendar provider’s security settings. The token becomes invalid immediately.
In a PostgreSQL database on Supabase, stored in the EU region on AWS infrastructure. The application itself runs on Vercel.
Event content like titles, descriptions or attendees is not stored permanently beyond the processing required for a sync. With anonymization per sync, titles and details are additionally replaced by “Busy".
Yes. Message our team and we’ll provide the data we hold about you in a common, machine-readable format. Within the EEA this is part of your right to data portability.
No. We do not sell data, do not run ads on it and do not use it to train machine-learning models.
The application runs behind Vercel’s global edge network, which provides automatic DDoS protection and load balancing. Suspicious traffic is filtered before it ever reaches the application.
We rely on centralized logs, monitoring and automated alerts from our infrastructure providers. Anomalies are prioritized by severity and escalated internally so we can respond quickly.
Yes. Automated vulnerability and dependency scans run continuously during development and in production.
The database is backed up automatically and regularly. Combined with infrastructure-as-code, the service can be restored quickly and with minimal downtime if needed.
We deliberately work only with established providers certified to recognized standards. Before and during a partnership we look at reputation, certifications, incident history and security policies.
If, despite all measures, a breach of your data protection occurs, we promptly notify affected users in line with GDPR.
Connect your calendars with a service that considers privacy from the very first line of code.