Compliance & Security

Every artifact for your compliance review

This page is for IT, security and compliance teams who review Kalender Sync before rollout. You'll find: DPA under GDPR Art. 28, OAuth scopes per provider, sub-processors with location, encryption + hosting details — and the Microsoft admin-consent link for tenants with strict consent policy.

Request DPA Full privacy policy →

Hosted in
Germany

What your IT needs to know

Four questions — four answers

The recurring reviews tax advisors, consulting firms and enterprise IT open with us — answered up-front.

Hosted in Germany

All databases run at Hetzner Online GmbH in Falkenstein, Saxony. Backups stay in the same data centre. Caddy reverse-proxy with TLS 1.3 and HSTS preload.

Encryption

OAuth tokens (Google, Microsoft) and CalDAV credentials (Apple iCloud, Calendar Suite) are stored authenticated-encrypted with ChaCha20-Poly1305. All connections over TLS 1.3.

Data minimization

We read Free/Busy times and write anonymized busy blockers. Event content, attendee lists and descriptions are neither stored nor transmitted — unless you explicitly enable detail-sync.

Data processing addendum

We provide a signed DPA under GDPR Art. 28 (PDF, pre-filled). DPAs are in place with Brevo, Google (EU-US DPF), Microsoft (EU-US DPF + SCCs) and Stripe.

OAuth scopes

What we request from each provider

Complete list of permissions we ask for, per calendar provider. No mail-read access, no contacts, no files — only calendars and the identity of the signed-in user.

Google Calendar

openid, profile, email

Authentication — who is signed in

calendar.events

Read + write calendar entries (for busy blockers)

calendar.calendarlist.readonly

Fetch the list of available calendars

Incremental consent — users can decline individual scopes.

Microsoft 365 / Outlook

User.Read

Authentication — who is signed in

Calendars.ReadWrite

Read + write calendar entries (for busy blockers)

offline_access

Refresh token so sync continues without re-login

No admin consent needed — except in strict tenants (see below).

Apple iCloud / Calendar Suite (CalDAV)

App-specific password

One app password per connection, separate from the iCloud/KSuite identity

CalDAV REPORT / PROPFIND

Standard CalDAV operations for read + write

No OAuth — app passwords are revocable at any time via Apple ID.

Strict Microsoft tenants

Grant admin consent up-front

If your tenant blocks the standard consent flow for unverified publishers (common in tax advisor, consulting and enterprise tenants), you can grant our scopes tenant-wide as an admin. Your users then don't need to consent individually.

Sign-in as Global Admin required. The link opens Microsoft's own admin-consent page — we don't see or store anything in the process.

Grant tenant admin consent Rather talk? Book a call →

client_id

f656be6d-e0c1-43a4-
a4a8-e1452eaf78f3

Sub-processors

Who sees what

We use a deliberately small set of sub-processors. All have a DPA under GDPR Art. 28 in place with us. Changes get a 30-day notice in the changelog.

Provider	Purpose	Location	Legal basis
Hetzner Online GmbH	Hosting (DB, servers)	Falkenstein, DE	DPA under GDPR Art. 28
Brevo (Sendinblue SAS)	Transactional email + marketing	France, EU	DPA under GDPR Art. 28
Google Ireland Ltd.	Google Calendar API	EU + USA (EU-US DPF)	Google Data Processing Addendum
Microsoft Ireland Operations Ltd.	Microsoft Graph API	EU + USA (EU-US DPF, SCCs)	Microsoft Online Services DPA
Stripe Payments Europe Ltd.	Payment processing (Basic / Business plans)	Ireland, EU	Stripe DPA