08 Integration

Hetk + Google Workspace

How Hetk integrates with Google Workspace. Verified Google OAuth app with narrow scopes, EU data residency, and explicit dropped-fields list. For IT admins reviewing per-user OAuth approval requests.

Hero

At a glance

Hetk doesHetk does not
Sync events between Google Workspace and Microsoft 365, iCloud, or another Google accountSync Google Meet join links
Bi-directional or one-waySync attachments
Real-time push via Google events.watch channels (≤10s typical)Sync reminders / notification overrides
Honour visibility (default / public / private / confidential)Sync per-event color (colorId)
Preserve all-day events, recurrence (RRULE), attendeesSync attendee RSVP / response status (read-only)
Free / busy via transparency (busy / free)Sync resource calendars (rooms, equipment, group calendars)
Mark synced events as “Busy” with title and details strippedInstall organisation-wide via Workspace Marketplace
Sign DPAs on requestRequest the broad auth/calendar scope

How sync works with Google Workspace

OAuth flow

  • Authorization Code Flow with PKCE.
  • Verified Google OAuth application.
  • Scopes requested (narrower than most calendar tools — many request the broad auth/calendar scope):
    • https://www.googleapis.com/auth/calendar.calendarlist.readonly — list the user’s calendars.
    • https://www.googleapis.com/auth/calendar.events — read and write events on calendars the user has chosen as a sync source or target.
  • Hetk does not request https://www.googleapis.com/auth/calendar (full read/write to all calendars and settings).
  • Refresh tokens stored encrypted at rest; access tokens are short-lived.

What Hetk reads and writes

  • Reads: the user’s calendar list and event data within the configured sync window.
  • Writes: events into a target calendar that the user explicitly chose during sync setup. Hetk never writes to a calendar the user hasn’t selected as a sync target.
  • Does not access: Gmail, Drive, Contacts, Tasks, or any non-calendar Google API.

Webhooks and latency

  • Real-time delivery via Google Calendar events.watch push channels.
  • Channel lifetime: Google enforces a 7-day maximum. Hetk creates 6-day channels and renews them automatically before expiry.
  • Validation: Hetk verifies the X-Goog-Channel-Token header on every notification.
  • Endpoint: /webhooks/google (signed and verified).
  • End-to-end propagation: typically under 10 seconds.
  • No polling fallback for Google — push is the only path.

Recipes

Google Workspace + personal Google

Google Workspace + Microsoft 365

Google Workspace + Apple iCloud

For Workspace administrators

ConcernHow Hetk handles it
Permission modelPer-user OAuth consent only. No domain-wide delegation. No service account access.
Workspace installNot supported and not requested. Hetk is not listed in the Google Workspace Marketplace.
App verificationHetk is a verified Google OAuth application for the requested scopes.
Scope breadthNarrower than typical calendar-sync tools. Does not request auth/calendar (full access).
Data residencyAzure App Service and Azure SQL, North Europe region. See /security/ for full detail.
Workspace edition coverage
Token storageRefresh tokens encrypted at rest in Azure SQL with TDE. Access tokens not persisted longer than necessary.
Resource calendarsNot supported. Hetk does not sync rooms, equipment, or group calendars.
RevocationUsers revoke access via https://myaccount.google.com/permissions; admins via Workspace OAuth control.
Logs and auditStandard Workspace OAuth logs. Hetk does not push custom audit events into customer Workspace tenants.

Privacy controls

“Mark as Private” mapping

When a sync relationship is configured to mark synced events as private, Hetk writes to the target as follows:

FieldSource valueTarget value (Google)
summary“Q3 strategy review with Acme Corp”“Busy”
description(any)(cleared)
location(any)(cleared)
attendees(any)(cleared)
visibilitydefault / public / private / confidentialprivate
transparency(preserved unless overridden)(preserved unless overridden)

Source visibility preservation

Without “Mark as Private”, source visibility is preserved through sync, including the rarely-used confidential value (not silently downgraded to default).

Fields synced and not synced

Synced

  • Title (summary), description, location.
  • Start / end with timezone, all-day flag.
  • Recurrence (RRULE).
  • Attendee email list (RSVP responses read but not preserved).
  • Visibility (default / public / private / confidential).
  • Transparency (busy / free).
  • iCalUID for recurrence tracking.
  • Status (confirmed / cancelled) — read-only, used for deletion detection.

Not synced

  • Reminders and notification overrides.
  • Attachments.
  • Conference data (Meet, Zoom, Teams join links and dial-in info).
  • Event color (colorId).
  • Organizer identity — read but not written; the synced event shows Hetk’s sync identity as organizer.
  • Attendee RSVP responses (accept / decline / tentative).

Pricing

FAQ

What scopes does Hetk request?

Does Hetk sync shared or delegated calendars?

Does Hetk sync resource calendars (rooms, equipment)?

Does Hetk support Google Workspace for Government or Education?

How long does a webhook channel stay live?

How can a user or admin revoke Hetk’s access?

Where is data stored?

For organisation security reviewers

For organisation security reviews, email [email protected]. Hetk will sign your DPA on request. Full security documentation: /security/.

See also

← All integrations