Hero
At a glance
| Hetk does | Hetk does not |
|---|---|
| Sync events between Microsoft 365 and Google, iCloud, or another M365 | Sync Teams meeting join links |
| Bi-directional or one-way | Sync attachments |
| Real-time push via Microsoft Graph subscriptions (≤10s typical) | Sync reminders / alarms |
Honour Sensitivity (normal / personal / private / confidential) | Sync event categories or custom properties |
| Preserve all-day events, recurrence, attendees | Sync attendee RSVP / response status (read-only) |
Free / busy via ShowAs (free, tentative, busy, oof, workingelsewhere) | Sync per-event color (calendar color is preserved) |
| Mark synced events as “Busy” with title and details stripped | Support sovereign clouds (GCC, GCC High, DoD, 21Vianet) |
| Sign DPAs on request | Install organisation-wide via Microsoft 365 admin centre |
How sync works with Microsoft 365
OAuth flow
- Authorization Code Flow with PKCE.
- Tenant endpoint:
common(multi-tenant; per-user delegated consent). - Scope requested:
Calendars.ReadWriteplusopenid email profile offline_access. - No admin consent required. No tenant-wide install. No application (app-only) permissions are requested.
- Refresh tokens stored encrypted at rest; access tokens are short-lived.
What Hetk reads and writes
- Reads: the user’s calendar list and event data within the configured sync window.
- Writes: events into a target calendar that the user explicitly chose during sync setup. Hetk never writes to a calendar the user hasn’t selected as a sync target.
- Does not access: mail, files, contacts, OneDrive, Teams chats, or any non-calendar Graph resource.
Webhooks and latency
- Real-time delivery via Microsoft Graph change notifications (push subscriptions).
- Subscription lifetime: Microsoft caps at 3 days; Hetk creates 2-day subscriptions and renews them automatically 1 day before expiry.
- Validation: Hetk verifies a signed
clientStatetoken on every notification. - End-to-end propagation: typically under 10 seconds.
- Fallback: if a delta link expires (Graph returns HTTP 410), Hetk performs a full re-sync of the affected calendar.
Recipes
Microsoft 365 + Google (Workspace or personal)
Two Microsoft 365 accounts (e.g. work + personal)
Microsoft 365 + Apple iCloud
For Microsoft 365 administrators
| Concern | How Hetk handles it |
|---|---|
| Permission model | Delegated permissions only. Per-user OAuth consent. No application / app-only permissions requested. |
| Tenant install | Not supported and not requested. Each user authenticates independently against the common endpoint. |
| Admin consent | Not required for the requested scopes under default Microsoft 365 settings. Admin consent flow is supported if your tenant requires it. |
| Conditional Access | Honoured at sign-in (Hetk uses standard Microsoft Identity Platform endpoints). Device compliance, MFA, named-location policies all apply. |
| Publisher Verification | |
| Token storage | Refresh tokens encrypted at rest in Azure SQL with TDE. Access tokens not persisted longer than necessary. |
| Data residency | Azure App Service and Azure SQL, North Europe region. See /security/ for full detail. |
| Sovereign clouds | Not supported. GCC, GCC High, DoD, and 21Vianet (China) are explicitly out of scope. |
| Revocation | Users revoke access via https://myapps.microsoft.com; admins can revoke from Entra Enterprise Applications. |
| Logs and audit | Standard Entra sign-in logs. Hetk does not push custom audit events into customer tenants. |
Privacy controls
“Mark as Private” mapping
When a sync relationship is configured to mark synced events as private, Hetk writes to the target as follows:
| Field | Source value | Target value (M365) |
|---|---|---|
subject | “Q3 strategy review with Acme Corp” | “Busy” |
body | (any) | (cleared) |
location | (any) | (cleared) |
attendees | (any) | (cleared) |
sensitivity | normal / personal / private / confidential | private |
showAs | (preserved unless overridden) | (preserved unless overridden) |
Source sensitivity preservation
Without “Mark as Private”, source Sensitivity is preserved through sync:
normal→normalpersonal→privateprivate→privateconfidential→confidential
Fields synced and not synced
Synced
- Title (
subject), description (body.content), location (location.displayName). - Start / end with timezone (
start.dateTime,start.timeZone,end.dateTime,end.timeZone). - All-day flag (
isAllDay). - Organizer email (
organizer.emailAddress.address) — read; target shows the sync identity. - Attendee email list (
attendees[].emailAddress.address) — RSVP responses read but not preserved. - Free / busy (
showAs). - Sensitivity (
sensitivity). - iCalUID (
iCalUId). - Recurring events: series masters expanded server-side to individual instances within the sync window (typically 3 months back, 12 months forward).
Not synced
- Reminders / alarms.
- Attachments.
- Conference data (Teams, Zoom, Webex join links and dial-in info).
- Categories and custom (
extension) properties. - Per-event color (
categoriescolors, calendar color is preserved at the calendar level). - Attendee RSVP responses (accept / decline / tentative).
Pricing
FAQ
Does Hetk request admin consent in my tenant?
What scopes does Hetk request?
Does Hetk support GCC, GCC High, or DoD?
Does Hetk sync Teams meeting join links?
Does Hetk sync shared or delegated calendars?
How does Hetk handle resource and room calendars?
How long are subscriptions live before they need to renew?
How does Hetk interact with Conditional Access?
How can a user or admin revoke Hetk’s access?
Where is data stored?
For organisation security reviewers
For organisation security reviews, email [email protected]. Hetk will sign your DPA on request. Full security documentation: /security/.