Enterprise Security Review

Last Modified: July 29, 2025

Summary

Sundial is a Chrome extension that enhances scheduling efficiency in Google Calendar. See how it works here.

This page outlines Sundial’s security and compliance approach for enterprise review. For inquiries, contact support@trysundial.ai.

SOC 2: Type I attested (Aug 2025); Type II review in progress. Live controls status.
Independent Security Testing: Regular third-party penetration testing. Latest certification available here.
Enterprise Integration: Supports SAML 2.0 SSO.
Data Minimization: No passive tracking; only accesses Calendar or Gmail when user-initiated. No event or email content retained.
Data Control: Users and enterprises can delete data anytime via dashboard or by request.

1. Permissions & Data Access
2. Data Security & Storage
3. Authentication & User Identity
4. Application Architecture
5. Compliance & Privacy Considerations
6. Security Governance
7. Business Continuity & Disaster Recovery

1. Permissions & Data Access

1.1 Chrome Permissions

storage: Saves user preferences.
background: Maintains extension functionality without tracking user activity.
activeTab: Temporarily grants permissions for Google Calendar access.
scripting: Injects scripts to enhance scheduling features.

1.2 Host & API Permissions

Host Permissions

calendar.google.com: Reads and modifies Google Calendar upon user request.
mail.google.com: Extracts meeting times from Gmail email content only upon user action.

API Permissions:

Cloud Firestore: Stores user preferences and feature usage.
Calendar API: Manages calendar events upon user request.
OpenAI: Extracts meeting times from Gmail email content upon user action.
OAuth 2.0: Authenticates API calls securely.

2. Data Security & Storage

2.1 Data Collection

User Identifiers: Email address from authentication.
Usage Data: Feature interactions to improve functionality.

2.2 Storage & Encryption

Local Storage: Stores user preferences and temporary UI states to retain user actions during a session.
Cloud Firestore: Stores non-sensitive preferences and usage data.
OAuth Security: Tokens are short-lived and auto-refreshed; not stored.

2.3 Data Processing

Google Calendar Data: Processed only for Bulk Delete Calendar Holds feature; no calendar event details stored.
Gmail Data: User-selected email body content and its sent datetime are processed via a fine-tuned LLM (OpenAI’s GPT-4.1 Mini) only upon user action; no storage or AI training usage.

Email data accessed by Sundial

2.4 Data Residency

Cloud Firestore: Stored in nam5 region; no calendar event details or Gmail email content retained.

2.5 Data Deletion Policy

User Requests: Users can request data deletion via support@trysundial.ai.
Enterprise Deletion Requests: Organizations may request full deletion of their users’ data.

3. Authentication & User Identity

3.1 Authentication Methods

Google OAuth 2.0: Primary authentication method required to use Sundial.
Enterprise SSO: Supports SAML 2.0 for enterprise single sign-on integration.

3.2 Authorization & Access Control

Least Privilege Principle: Access is restricted to necessary actions only.

Scoped API Access:

Google Calendar API: Accessed only when explicitly invoked by the user.
No Background Data Collection: Actions are explicitly user-initiated.

4. Application Architecture

4.1 System Components

Chrome Extension Frontend: Injects scripts into Google Calendar and Gmail only upon explicit user interaction.
Backend Services:
Cloud Firestore: Stores user preferences.
Google Calendar API: Used exclusively for Bulk Delete Calendar Holds.
Fine-tuned LLM (OpenAI’s GPT-4.1 Mini): Processes meeting time extraction from Gmail email content ephemerally.
No Proprietary Backend: Relies on Google Cloud infrastructure.

4.2 Secure Communication

HTTPS/TLS Encryption: All communications use TLS 1.2+.
OAuth Token Security: Tokens are short-lived and not stored.
No Passive Data Interception: No tracking, logging, or collection of any user activity outside of explicit Sundial interactions.

5. Compliance & Privacy Considerations

5.1 Regulatory Compliance

SOC 2: Sundial achieved SOC 2 Type I attestation in August 2025. For a copy of the report, please email support@trysundial.ai. Our SOC 2 Type II review period is currently underway, and you can review the live status of our controls anytime here.
GDPR: Sundial follows data minimization principles. Users retain full control over their data and can request deletion at any time.
CCPA: No user data is sold or shared with third parties.
HIPAA: Sundial does not store or retain any PHI. Email content used to detect meeting times is triggered only by the user. This feature can be disabled entirely by organizations.

5.2 Privacy & Security Certifications

Penetration Testing: Sundial undergoes regular third-party penetration testing. Here is our most recent certification. For enterprise customers needing access to the full report, please email support@trysundial.ai.
Google Chrome Web Store Security Review: Chrome Web Store reviews each new version of Sundial ensuring compliance with their developer program policies.

5.3 Incident Response

Monitoring & Response: Security vulnerabilities are proactively addressed.
User Reporting: Contact support@trysundial.ai for security concerns.
Breach Protocol: Immediate notification and remediation if a breach occurs.

6. Security Governance

6.1 Subprocessors

Sundial uses the following subprocessors to deliver its services. All vendors are reviewed for security and compliance:

Google Cloud Platform – Hosting, storage (Firestore), OAuth token handling, Calendar API (us-central1)
Render – Hosted backend relaying API requests to OpenAI. No data is stored. (Oregon)
OpenAI – User-initiated AI processing of scheduling text (e.g. extracting dates/times) (US distributed)
Netlify – Frontend hosting of the dashboard (us-east-1)
Stripe – Payment processing (US distributed)
Mailgun – Transactional emails (e.g. invites) (US distributed)

For subprocessor-related inquiries or to request notifications of changes, contact support@trysundial.ai.

6.2 Internal Access & Development Controls

Access Reviews: Periodic reviews of system access permissions.
Secure Development Lifecycle (SDLC): All code changes are reviewed prior to deployment.
Employee Device Security: Devices are encrypted and secured with strong authentication.

7. Business Continuity & Disaster Recovery

Service Status: Live uptime and incident history available here.
Data Resiliency: All infrastructure hosted on Google Cloud with built-in redundancy.
Business Continuity: Sundial maintains contingency plans to ensure ongoing service availability.