Skip to content
Independently verified · Quarterly re-audit
EU VETTED

Cronofy

VERIFIED
Calendar booking · United Kingdom
Founded 2013 · cronofy.com ↗

Nottingham UK developer-API-first calendar / scheduling platform (Cronofy, founded 2013), ISO 27001 + SOC 2; Wise / GoCardless / Indeed customers.

In short

Cronofy, in the Calendar booking category, offers EU hosting with United Kingdom as its hosting location, but a US parent or sub-processor leaves material CLOUD Act exposure.

Assessment notes

Cronofy (Nottingham, UK; founded 2013 by Adam Bird and Garry Shutler) is a developer-API-first scheduling-automation platform with ISO 27001 + SOC 2 + GDPR + HIPAA attested and 180,000+ companies on the platform handling 1B+ events; flagship customers Wise, GoCardless, Criteo, Teamtailor, Indeed, Squarespace. UK post-Brexit jurisdiction (other ownership tier) with an EU adequacy decision keeping transfers SCC-free. Three procurement-relevant gaps: (1) public reporting indicates the company has been acquired (acquirer not directly disclosed at audit); (2) ~60% of revenue is US-based, suggesting an AWS-EU + AWS-US dual-region backend that the directory''s strict CLOUD Act stance flags as material exposure for at-rest customer data; (3) Cronofy does not publish a publicly accessible DPA; a data-processing agreement is available only on request via compliance@cronofy.com. Signal mix: ISO 27001 + SOC 2 + GDPR + HIPAA certified, EU adequacy for cross-border transfers, but no public DPA, undisclosed post-acquisition ownership, and material CLOUD Act flag.

CLOUD ACT
OWNERSHIP
SUB-PROCS
not disclosed
Verified signals
Jurisdiction
  • EU / adequacy hosting
  • EU / adequacy operator
  • No US CLOUD Act exposure
Transparency
  • Public DPA
  • Sub-processors disclosed
  • Open-source clients
  • Third-party certification
JUMP TO
OVERVIEW

About Cronofy

Cronofy is a Nottingham-headquartered British developer-API-first calendar and scheduling-automation platform, founded in 2013 by Adam Bird (CEO) and Garry Shutler (CTO). The product is positioned for two audiences: SaaS product builders who need to integrate scheduling features (calendar availability, multi-person + multi-room coordination, video-conferencing integration) into their own applications via a unified API; and enterprise process-automation teams who need to coordinate scheduling across HR / sales / recruiting workflows. The flagship customer roster (Wise, GoCardless, Criteo, Teamtailor, Indeed, Squarespace) is unusually high-quality for a 29-employee API company, with 180,000+ end-companies on the platform handling 1B+ events.

Compliance posture is enterprise-grade: ISO 27001, SOC 2, GDPR-aligned, HIPAA-aligned, the standard stack required to serve the regulated-industry portion of the customer base. UK post-Brexit jurisdiction places Cronofy in the directory's other ownership tier; the UK holds an EU adequacy decision so cross-border EU↔GB transfers require no SCCs. Two procurement-relevant gaps weaken the EU signal picture: public reporting indicates Cronofy has been acquired (the acquirer is not directly disclosed at audit and the operating brand persists in the market), and approximately 60% of Cronofy's revenue is US-based, which strongly suggests an AWS-EU + AWS-US dual-region backend that the directory's strict-ownership CLOUD Act stance treats as material exposure for at-rest customer data. A public DPA is not available; the data-processing agreement must be requested directly.

Pricing is API-tier-based with per-event usage scaling; specific EUR tier figures were not captured at audit. Best fit: product builders integrating scheduling into B2B SaaS (HR-tech, recruiting, sales, customer-success), where Cronofy's ISO 27001 + SOC 2 + HIPAA stack and stable client roster reduce procurement friction. UK + EU customers should request the DPA, the underlying hosting region map, and post-acquisition ownership disclosure directly before signing.

SUB-PROCESSORS

Sub-processor map · not disclosed

Vendor does not publish a sub-processors list. Schrems II compliance and CLOUD Act exposure cannot be independently verified without it.
CERTIFICATIONS

Frameworks & certifications

ISO/IEC 27001
ACTIVE
SOC 2
ACTIVE
Informational · US framework
FEATURES

Capability matrix

White-label Yes
Calendar sync Yes
Round-robin / team Yes
Group bookings Yes
Video integration Yes
Automated reminders Yes
Free tier No
INTEGRATION & ACCESS
REST API Yes
SSO (SAML / OIDC) Yes
COMPLIANCE & GOVERNANCE
Audit log Yes
Self-host / on-prem option No
PRICING

Pricing & tiers

PAID
Custom pricing

Contact vendor for tier or volume pricing.

View pricing page ↗
PUBLIC DOCUMENTS

Public documents

Vendor does not publish a public DPA. Without a publicly accessible Data Processing Addendum, small EU customers cannot self-serve the processor agreement. This is recorded as no public DPA (see How we assess).
Vendor does not publish a sub-processors list. Schrems II compliance and CLOUD Act exposure cannot be independently verified without it.
  • Data Processing Addendum (DPA)
    — missing
    missing
  • Sub-processors list
    — missing
    missing
  • Terms of Service
    www.cronofy.com/legal…
    Open ↗
ALTERNATIVES

Alternatives in this category

Cal.com
United States · Founded 2021
US-LINKED

US-incorporated open-source Calendly alternative (Cal.com Inc, SF) founded by EU developers; production code moving closed-source in 2026.

Public DPA Sub-processors Open source
FROM
CLOUD ACT
DIRECT
Doodle
Switzerland · Founded 2007
EU-BASED

Swiss group-scheduling pioneer (Doodle AG, Zurich, 2007), owned by TX Group (SIX-listed Swiss media holding); SOC 2 + GDPR + HIPAA.

Public DPA Sub-processors Open source
FROM
CLOUD ACT
MINOR
Reservio
Czechia · Founded 2012
EU-BASED

Brno-based Czech booking platform (Reservio s.r.o., ABUGO Group), 500k+ businesses, freemium with branded customer apps.

Public DPA Sub-processors Open source
FROM
CLOUD ACT
MINOR