At a glance
| Hetk does | Hetk does not |
|---|---|
| Sync events between iCloud and Google or Microsoft 365 | Receive push notifications from iCloud (CalDAV has none) |
| Bi-directional or one-way | Sync attachments |
Honour iCal CLASS (public / private / confidential) | Sync reminders / VALARM |
| Preserve all-day events, recurrence (RRULE), attendees | Sync attendee RSVP / participation status |
Free / busy via TRANSP (TRANSPARENT / OPAQUE) | Sync per-event color or category tags |
| Mark synced events as “Busy” with title and details stripped | Use your main Apple ID password (app-specific password is required) |
| Detect updates via CTag + RFC 6578 sync-collection | Connect via OAuth (iCloud has no OAuth for calendar data) |
| Sign DPAs on request | Sync iCloud Reminders / Tasks (event calendars only) |
How sync works with iCloud
iCloud has no calendar API of its own, so Hetk connects over CalDAV, the open standard that Apple’s own calendar clients use. You authenticate with an app-specific password rather than OAuth, and because CalDAV has no push notifications, Hetk keeps calendars current by polling.
Authentication
- iCloud calendar access uses the CalDAV standard (a calendar-specific extension of WebDAV).
- iCloud requires an app-specific password for third-party calendar clients. Your normal Apple ID password will not work, and Hetk recommends app-specific passwords as a security best practice — they can be revoked individually without affecting your Apple ID.
- Generate an app-specific password at appleid.apple.com → Sign-In and Security → App-Specific Passwords.
- Hetk stores the app-specific password encrypted at rest in Azure SQL with TDE. It is used only to issue CalDAV requests against
caldav.icloud.com.
What Hetk reads and writes
- Reads: the calendars in your iCloud calendar home, and event data within the configured sync window.
- Writes: events into a target calendar that you explicitly chose during sync setup.
- Filters out: task-only collections (VTODO). Hetk syncs event calendars only.
- Does not access: iCloud Mail, Drive, Photos, Reminders, Notes, or any other iCloud service.
How updates propagate (polling, not push)
CalDAV has no push notifications. Hetk detects iCloud changes via a scheduled poll:
- CTag check — a cheap PROPFIND for the calendar’s collection tag. If unchanged, Hetk does nothing further for that calendar.
- Sync-collection (RFC 6578) — a CalDAV
REPORTreturns the hrefs of changed and deleted events since the last sync token. - Multiget — a CalDAV
REPORTfetches the full iCalendar data for the changed hrefs.
If iCloud rejects a sync token (returns 404 or 410 Gone), Hetk falls back to a full re-sync of that calendar.
Latency: minutes, not seconds. In production, Hetk polls each connected iCloud calendar every five minutes, so a change made in iCloud reaches the other provider within roughly that window.
Recipes
Each of these is a sync relationship between two connected calendars. Because iCloud is polled rather than pushed, the direction of a change affects how fast it lands; see the note on each setup below.
iCloud + Google
Connect your iCloud account (app-specific password) and a Google account, then create a sync relationship between a calendar on each. Changes you make in Google reach iCloud within seconds, since Hetk writes them straight into CalDAV. Changes you make in iCloud reach Google after Hetk’s next poll. For a step-by-step walkthrough, see /blog/sync-icloud-with-google-calendar/.
iCloud + Microsoft 365
Connect your iCloud account (app-specific password) and your Microsoft 365 account and create a sync relationship between a calendar on each. The same asymmetry applies: Microsoft 365 changes land in iCloud quickly, while iCloud changes wait for the next poll. See /integrations/microsoft-365/ for the Microsoft side and /blog/sync-icloud-with-outlook/ for a walkthrough.
iCloud + iCloud (multiple Apple IDs)
Connect two iCloud accounts, each with its own app-specific password, and create a sync relationship between a calendar on each. This is useful if you keep separate work and personal Apple IDs and want commitments visible on both. Both sides are polled, so changes land within best-effort minutes in either direction.
For privacy-conscious users and security reviewers
iCloud has no enterprise admin console, so there is no tenant-level review here. The question is just how Hetk handles the one credential you give it: an app-specific password, revocable at any time, used for nothing but CalDAV calendar traffic.
| Concern | How Hetk handles it |
|---|---|
| Credential type | App-specific password only. Hetk never asks for the main Apple ID password. |
| Credential storage | Encrypted at rest in Azure SQL with TDE. Used only for CalDAV requests to caldav.icloud.com. |
| Revocation | Revoke at appleid.apple.com → App-Specific Passwords. Revocation takes effect immediately. |
| Network endpoints | All CalDAV traffic goes to caldav.icloud.com over HTTPS. |
| Data residency | Azure App Service and Azure SQL, North Europe region. See /security/ for full detail. |
| Regional iCloud variants | Hetk uses the global caldav.icloud.com endpoint. China-region iCloud accounts are not in scope. |
| Push vs poll | iCloud has no push API for CalDAV. Sync is polled — latency is best-effort minutes, not seconds. |
| Optimistic concurrency | Updates use HTTP If-Match with the event ETag; on ETag mismatch, Hetk refetches and retries once. |
Privacy controls
Each direction of a sync has its own privacy setting. You can send full event detail one way and stripped-down busy blocks the other, or mark everything private.
“Mark as Private” mapping
When a sync relationship is configured to mark synced events as private, Hetk writes to the iCloud target as follows:
| Field | Source value | Target value (iCal) |
|---|---|---|
SUMMARY | “Q3 strategy review with Acme Corp” | “Busy” |
DESCRIPTION | (any) | (cleared) |
LOCATION | (any) | (cleared) |
ATTENDEE | (any) | (cleared) |
CLASS | PUBLIC / PRIVATE / CONFIDENTIAL | PRIVATE |
TRANSP | (preserved unless overridden) | (preserved unless overridden) |
Source sensitivity preservation
Without “Mark as Private”, the source CLASS value is preserved (RFC 5545 standard):
PUBLIC(or omitted) →PUBLICPRIVATE→PRIVATECONFIDENTIAL→CONFIDENTIAL
Fields synced and not synced
Synced
- Title (
SUMMARY), description (DESCRIPTION), location (LOCATION). - Start / end with timezone (
DTSTART/DTEND, including TZID). - All-day flag (inferred from value type).
- Organizer email (
ORGANIZER) — read; target shows the sync identity. - Attendee email list (
ATTENDEEmailto URIs). - Recurrence (
RRULE). - Sensitivity (
CLASS). - Free / busy (
TRANSP). - Status (
STATUS: confirmed / tentative / cancelled). - UID and SEQUENCE (incremented on each update per RFC 5545).
- ETag (HTTP header, used for optimistic concurrency).
Not synced
- Reminders / alarms (
VALARM). - Attachments (
ATTACH). - Conference data (Meet, Zoom, Teams join links).
- Categories and custom properties.
- Calendar color (returned by iCloud but not preserved through sync).
- Attendee participation status (
PARTSTAT).
Pricing
Hetk has two plans. Personal ($15/year or $2/month) supports unlimited calendars and up to 3 sync pairs; Professional ($50/year or $6/month) supports unlimited calendars and up to 8 sync pairs, plus priority support. Both cover bi-directional sync and every privacy control described on this page. New accounts start with a 21-day free trial. Current rates are at /pricing/.
FAQ
Why does Hetk need an app-specific password?
iCloud has no OAuth for calendar data, so CalDAV is the only way in, and iCloud requires an app-specific password for third-party CalDAV clients. Your main Apple ID password will not work. App-specific passwords are also safer: you can revoke the one Hetk uses without touching your Apple ID or any other connected app.
Does iCloud sync in real time?
No. CalDAV has no push notifications, so Hetk polls each connected iCloud calendar every five minutes. The direction matters: changes you make in Google or Microsoft 365 reach iCloud quickly, because Hetk writes those out as they happen. Changes that originate in iCloud are picked up on the next poll, so that direction lands within about five minutes.
Does Hetk sync iCloud Reminders or Tasks?
No. Hetk syncs event calendars only. Task-only collections (VTODO) are filtered out and never synced.
Does Hetk sync shared iCloud calendars?
If a shared calendar appears in your iCloud calendar home, you can select it as a sync source or target. A calendar that someone has shared with you but that you have not added to your account is not visible to Hetk.
What happens if I change my Apple ID password?
Changing your Apple ID password revokes every app-specific password, including the one Hetk uses. Sync stops until you generate a new app-specific password and reconnect the iCloud account in Hetk.
How can I revoke Hetk’s access to iCloud?
Go to appleid.apple.com → Sign-In and Security → App-Specific Passwords and revoke the password you created for Hetk. It takes effect immediately; Hetk’s CalDAV requests stop working at once.
Are China-region iCloud accounts supported?
No. Hetk connects through the global caldav.icloud.com endpoint only. iCloud accounts hosted in the China region are not in scope.
Where is data stored?
On Azure App Service and Azure SQL in the North Europe region. Your app-specific password is encrypted at rest, and the database uses Transparent Data Encryption. Full detail is on the /security/ page.
For organisation security reviewers
For organisation security reviews, email security@hetk.io. Hetk will sign your DPA on request. Full security documentation: /security/.