Calendar API scope and permissions

Angie Kwan

Aug 31, 2023 1:45 PM

Which permissions are given for Google and Outlook Calendar?

Epoch creates calendar events and sends invitations to its users. Epoch (via the admin-level users) have full control of these events and can edit them at any time but it has no knowledge or control of any other events in a user’s calendar.

Which data elements are exchanged between Google or Outlook Calendar and Epoch?

  • Work email address
  • First name
  • Last name

Will any sensitive data elements be processed?

  • Auth tokens
  • The calendar.calendarlist is a sensitive scope. It allows Epoch to view the list of the user’s subscribed calendars (though not the events inside the calendars), and the ability to subscribe to accessible calendars. We solely use this scope to handle behavior when a user deletes or unsubscribes from the calendar.

How does Epoch integrate with Google and Outlook Calendar? 

Below is optional if the employee user wants to subscribe to a separate Epoch calendar. 

  • Epoch’s integration solely adds events to users' calendars when they respond to an event from Slack or the web app. Events are controlled by admin-level users at a customer's company.
  • Users can also add the Epoch integration to their calendar via an OAuth flow.
  • The integration adds an Epoch calendar to their list of calendars. Events that the user created on Epoch will be posted on this calendar automatically and Epoch will manage any updates.

What are the details on the permissions to Google and Outlook Calendar?


Epoch requires two permission scopes:

  1. https://www.googleapis.com/auth/calendar.app.created
  2. https://www.googleapis.com/auth/calendar.calendarlist

The calendar.app.created scope gives Epoch the ability to create and manage the user’s Epoch calendar. The calendar.calendarlist scope gives Epoch the ability to see the list of subscribed calendars. Epoch uses this to detect if the Epoch calendar has been deleted or unsubscribed so that the integration can be removed on the Epoch backend.

How will the data elements be processed (encryption methods)?

The data is processed through the Google Calendar API (HTTPS).

How will data elements be stored? If data is stored, what is the retention policy?

Data elements are stored in a Postgres database on Heroku.

Epoch keeps all data until a customer requests to remove it from the database or they are no longer Epoch's customers. Removal of data is either completely deleted from our database or anonymized.

How is access control managed for the integration?

Admin level users at the customer's company control which employees have access to Epoch. Employees (users) can also turn on and off the Google or Outlook Calendar integration if they wish.

How many users and admins?

There is no restriction on the number of users and admins.

Want access to a beta feature?

Get in touch with our customer experience team. We'll reach out with next steps.

Contact us