Do you have a team working full time on the security of your service? Taking privacy seriously is necessary, but not sufficient for protecting that most sensitive data.
Yes, security and privacy are the utmost concern for both of us. I want to stress we do not store any personal data, it only hits memory while we tabulate the results, and then we remove the token so we can't access it again. The only thing we store is your email to tie it to that tabulation.
When you say you "remove" the token, does it continue to be valid? If the token accidentally leaks (logs?), or if someone willfully intercepts it, will they have access to the calendar?
Depends on the service. Google allows us to invalidate the token when we're done, rendering it useless, so we do. You'll notice that if you run the stats tool again you'll have to re-authorize it for Google.
Microsoft does not, so it will remain valid. We don't store it or log it anywhere, and the system that retrieves and processes data is not publicly accessible.
I know you have good intentions here, but I hope you are aware that you may unintentionally be storing it somewhere [1]. Not much you can do about it unless you keep actively searching for it everywhere.
[1] I strongly remember reading an article here on HN recently about some security breach stemming from writing production secrets in log files, but I can't find the link :/ If anyone else has it, can you post it?
