Hetk + Google Workspace

How Hetk integrates with Google Workspace. Verified Google OAuth app with narrow scopes, EU data residency, and explicit dropped-fields list. For IT admins reviewing per-user OAuth approval requests.

At a glance

Hetk does:

  • Sync events between Google Workspace and Microsoft 365, iCloud, or another Google account
  • Bi-directional or one-way
  • Real-time push via Google events.watch channels (≤10s typical)
  • Honour visibility (default / public / private / confidential)
  • Preserve all-day events, recurrence (RRULE), attendees
  • Free / busy via transparency (busy / free)
  • Mark synced events as “Busy” with title and details stripped
  • Sign DPAs on request

Hetk does not:

  • Sync Google Meet join links
  • Sync attachments
  • Sync reminders / notification overrides
  • Sync per-event color (colorId)
  • Sync attendee RSVP / response status (read-only)
  • Sync resource calendars (rooms, equipment, group calendars)
  • Install organisation-wide via Workspace Marketplace
  • Request the broad auth/calendar scope

How sync works with Google Workspace

Hetk connects to Google Workspace through the Google Calendar API as a verified OAuth application. A user signs in once, picks which calendars to sync, and Hetk keeps them current from then on.

OAuth flow

  • Authorization Code Flow with PKCE.
  • Verified Google OAuth application.
  • Scopes requested (narrower than most calendar tools — many request the broad auth/calendar scope):
    • https://www.googleapis.com/auth/calendar.calendarlist.readonly — list the user’s calendars.
    • https://www.googleapis.com/auth/calendar.events — read and write events on calendars the user has chosen as a sync source or target.
  • Hetk does not request https://www.googleapis.com/auth/calendar (full read/write to all calendars and settings).
  • Refresh tokens stored encrypted at rest; access tokens are short-lived.

In plain terms: the first scope lets Hetk see the names of the user’s calendars so they can choose which to sync; the second lets Hetk read and write events only on the calendars they pick. Hetk never asks for the full auth/calendar scope, which would grant access to every calendar and to account-level settings.
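For an admin reviewing a consent request, the scope list above can be checked mechanically. This is an added example, not Hetk's code: the sample URL builder, client_id and redirect URI are constructed placeholders, and requiring the S256 PKCE method is an assumption (the page only says PKCE is used).

```python
from urllib.parse import parse_qs, urlencode, urlparse

# The two scopes this page says Hetk requests.
EXPECTED = {
    "https://www.googleapis.com/auth/calendar.calendarlist.readonly",
    "https://www.googleapis.com/auth/calendar.events",
}
# The broad scope this page says Hetk does not request.
BROAD = "https://www.googleapis.com/auth/calendar"


def review_consent_url(url):
    """Return findings for an OAuth authorization URL; an empty list is clean."""
    q = parse_qs(urlparse(url).query)
    # Compare whole scope strings: BROAD is a prefix of both narrow scopes,
    # so a substring test would flag every legitimate request.
    scopes = set(" ".join(q.get("scope", [])).split())
    findings = []
    if BROAD in scopes:
        findings.append("requests the broad auth/calendar scope")
    for extra in sorted(scopes - EXPECTED - {BROAD}):
        findings.append("scope not documented on this page: " + extra)
    if q.get("response_type") != ["code"]:
        findings.append("not an authorization code flow")
    if not q.get("code_challenge"):
        findings.append("no PKCE code_challenge")
    elif q.get("code_challenge_method") != ["S256"]:
        findings.append("PKCE method is not S256")  # S256 is an assumption
    return findings


def sample_url(scopes, **extra):
    """Constructed authorization URL; client_id and redirect_uri are placeholders."""
    params = {"client_id": "EXAMPLE-CLIENT-ID", "response_type": "code",
              "redirect_uri": "https://app.example/callback",
              "scope": " ".join(scopes), **extra}
    return "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(params)
```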

What Hetk reads and writes

  • Reads: the user’s calendar list and event data within the configured sync window.
  • Writes: events into a target calendar that the user explicitly chose during sync setup. Hetk never writes to a calendar the user hasn’t selected as a sync target.
  • Does not access: Gmail, Drive, Contacts, Tasks, or any non-calendar Google API.

Webhooks and latency

  • Real-time delivery via Google Calendar events.watch push channels.
  • Channel lifetime: Google enforces a 7-day maximum. Hetk creates 6-day channels and renews them automatically before expiry.
  • Validation: Hetk verifies the X-Goog-Channel-Token header on every notification.
  • Endpoint: /webhooks/google (signed and verified).
  • End-to-end propagation: typically under 10 seconds.
  • No polling fallback for Google — push is the only path.
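How a receiver can apply the channel-token check and the 6-day lifetime described above, as an added example that is not Hetk's implementation. The `ChannelRegistry` class and the 12-hour renewal margin are hypothetical; the header names are the ones Google sends with push notifications.

```python
import hmac
import secrets
from datetime import timedelta

CHANNEL_LIFETIME = timedelta(days=6)  # page: 6-day channels under Google's 7-day cap
RENEW_MARGIN = timedelta(hours=12)    # assumption: the page gives no renewal lead time


class ChannelRegistry:
    """Hypothetical in-memory store of active events.watch channels."""

    def __init__(self):
        self._channels = {}  # channel id -> (token, expiry)

    def register(self, channel_id, now):
        """Record a new channel; the returned token is sent as `token` in the watch request."""
        token = secrets.token_urlsafe(32)
        self._channels[channel_id] = (token, now + CHANNEL_LIFETIME)
        return token

    def accept(self, headers, now):
        """True only for a known, unexpired channel presenting its own token."""
        h = {k.lower(): v for k, v in headers.items()}
        entry = self._channels.get(h.get("x-goog-channel-id", ""))
        if entry is None:
            return False
        token, expiry = entry
        if now >= expiry:
            return False
        presented = h.get("x-goog-channel-token", "")
        # Constant-time comparison avoids leaking the token through timing.
        return hmac.compare_digest(presented.encode(), token.encode())

    def due_for_renewal(self, now):
        """Channel ids whose remaining lifetime is within the renewal margin."""
        return sorted(c for c, (_, exp) in self._channels.items()
                      if exp - now <= RENEW_MARGIN)
```

Binding the token to the channel id means a token captured from one channel is rejected on any other, and a channel that was never renewed stops being accepted once its six days are up.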

Recipes

Each of these is a sync relationship between two connected calendars. You pick a source, a target, a direction, and the privacy settings; Hetk handles the rest.

Google Workspace + personal Google

Connect your Workspace account and your personal Google account, then create a sync relationship between a calendar on each. Both sides support real-time push, so changes propagate within about ten seconds either way. With Mark as Private turned on, the personal calendar shows up as busy blocks on your work account without exposing event details.

Google Workspace + Microsoft 365

Connect your Workspace account and your Microsoft 365 account and create a sync relationship between a calendar on each. Both providers push in real time, so a change on either side reaches the other within about ten seconds. See /integrations/microsoft-365/ for the Microsoft side, and /blog/sync-google-calendar-with-outlook/ for a step-by-step walkthrough.

Google Workspace + Apple iCloud

Connect your Workspace account and your iCloud account, which connects with an app-specific password rather than OAuth (see /integrations/apple-icloud/). Changes you make in Google reach iCloud quickly, since Hetk writes them out as they happen. Changes that originate in iCloud are picked up on Hetk’s next poll, so that direction is best-effort minutes, not seconds. Step-by-step walkthrough: How to sync iCloud Calendar with Google Calendar.

For Workspace administrators

If one of your users has asked you to approve Hetk, this is what the request grants. Hetk uses per-user OAuth consent with no domain-wide delegation, so it can only reach the calendars that user connects, and only through the two narrow scopes below.

Concern | How Hetk handles it
Permission model | Per-user OAuth consent only. No domain-wide delegation. No service account access.
Workspace install | Not supported and not requested. Hetk is not listed in the Google Workspace Marketplace.
App verification | Hetk is a verified Google OAuth application for the requested scopes.
Scope breadth | Narrower than typical calendar-sync tools. Does not request auth/calendar (full access).
Data residency | Azure App Service and Azure SQL, North Europe region. See /security/ for full detail.
Workspace edition coverage | Standard and Education editions are supported — the OAuth flow is identical. Workspace for Government (GCC) is not supported.
Token storage | Refresh tokens encrypted at rest in Azure SQL with TDE. Access tokens not persisted longer than necessary.
Resource calendars | Not supported. Hetk does not sync rooms, equipment, or group calendars.
Domain-wide privacy policy | Supported via DNS TXT record at _hetk.<your-domain>. See /integrations/admin-policy/ for setup.
Revocation | Users revoke access via https://myaccount.google.com/permissions; admins via Workspace OAuth control.
Logs and audit | Standard Workspace OAuth logs. Hetk does not push custom audit events into customer Workspace tenants.

Privacy controls

Each direction of a sync has its own privacy setting. A user can send full event detail one way and stripped-down busy blocks the other, or mark everything private. Administrators can enforce private sync across a whole domain through a DNS record, described under domain-wide privacy policy.

“Mark as Private” mapping

When a sync relationship is configured to mark synced events as private, Hetk writes to the target as follows:

Field | Source value | Target value (Google)
summary | “Q3 strategy review with Acme Corp” | “Busy”
description | (any) | (cleared)
location | (any) | (cleared)
attendees | (any) | (cleared)
visibility | default / public / private / confidential | private
transparency | (preserved unless overridden) | (preserved unless overridden)

Source visibility preservation

Without “Mark as Private”, source visibility is preserved through sync, including the rarely-used confidential value (not silently downgraded to default).

Fields synced and not synced

Hetk syncs the parts of an event that say when it is and what it is about.

Synced

  • Title (summary), description, location.
  • Start / end with timezone, all-day flag.
  • Recurrence (RRULE).
  • Attendee email list (RSVP responses read but not preserved).
  • Visibility (default / public / private / confidential).
  • Transparency (busy / free).
  • iCalUID for recurrence tracking.
  • Status (confirmed / cancelled) — read-only, used for deletion detection.

Not synced

  • Reminders and notification overrides.
  • Attachments.
  • Conference data (Meet, Zoom, Teams join links and dial-in info).
  • Event color (colorId).
  • Organizer identity — read but not written; the synced event shows Hetk’s sync identity as organizer.
  • Attendee RSVP responses (accept / decline / tentative).
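The synced / not-synced lists and the “Mark as Private” mapping, expressed as one allowlist projection over a Google Calendar event resource. This is an added example, not Hetk's code: `project_event` and the sample event are constructed, and treating a cancelled source as a deletion is an assumption drawn from the "deletion detection" note.

```python
# Google Calendar event-resource keys for the fields this page lists as synced.
# "status" is left out of the written body: the page calls it read-only.
WRITTEN = ("summary", "description", "location", "start", "end",
           "recurrence", "attendees", "visibility", "transparency", "iCalUID")


def project_event(source, mark_private):
    """Return the event body for the target calendar, or None for a deletion."""
    if source.get("status") == "cancelled":
        return None  # assumption: a cancelled source is handled as a delete
    # Allowlist copy: any key not named above (conferenceData, reminders,
    # attachments, colorId, organizer, future API fields) never reaches the target.
    out = {k: source[k] for k in WRITTEN if k in source}
    if "attendees" in out:
        # Email list only; RSVP (responseStatus) is read but not preserved.
        out["attendees"] = [{"email": a["email"]}
                            for a in out["attendees"] if "email" in a]
    if mark_private:
        out["summary"] = "Busy"
        for cleared in ("description", "location", "attendees"):
            out.pop(cleared, None)
        out["visibility"] = "private"
        # transparency stays as copied ("preserved unless overridden").
    return out


# Constructed sample event, not real data.
SAMPLE_EVENT = {
    "status": "confirmed",
    "summary": "Q3 strategy review with Acme Corp",
    "description": "Draft numbers attached",
    "location": "Room 4",
    "start": {"dateTime": "2025-07-01T10:00:00+01:00", "timeZone": "Europe/Dublin"},
    "end": {"dateTime": "2025-07-01T11:00:00+01:00", "timeZone": "Europe/Dublin"},
    "visibility": "confidential",
    "transparency": "transparent",
    "attendees": [{"email": "a@example.com", "responseStatus": "accepted"}],
    "organizer": {"email": "boss@example.com"},
    "conferenceData": {"entryPoints": [{"uri": "https://meet.example/abc"}]},
    "reminders": {"useDefault": False},
    "colorId": "5",
}
```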

Pricing

Hetk has two plans. Personal ($15/year or $2/month) supports unlimited calendars and up to 3 sync pairs; Professional ($50/year or $6/month) supports unlimited calendars and up to 8 sync pairs, plus priority support. Both cover bi-directional sync and every privacy control described on this page. New accounts start with a 21-day free trial. Current rates are at /pricing/.

FAQ

No. Hetk uses per-user OAuth consent only — no domain-wide delegation and no service account. If your Workspace is configured to restrict third-party apps by scope or by app, an admin allowlists Hetk’s OAuth client; even then, Hetk’s access stays scoped to the individual user who connected it.

What scopes does Hetk request?

Two: calendar.calendarlist.readonly to list the user’s calendars, and calendar.events to read and write events on the calendars the user picked as a sync source or target. Hetk does not request the broad auth/calendar scope, and it has no access to Gmail, Drive, Contacts, or Tasks.

No. Conference data — Meet, Zoom, and Teams join links and dial-in details — is not synced. A synced event keeps its title, time, location, and attendees, but the meeting link is dropped.

Does Hetk sync shared or delegated calendars?

If a shared calendar appears in the user’s own calendar list because they have been granted access to it, the user can select it as a sync source or target. Hetk works only with the calendars Google returns for the signed-in user; it does not use domain-wide delegation to reach other users’ calendars.

Does Hetk sync resource calendars (rooms, equipment)?

No, and it is not on the roadmap. Hetk syncs personal event calendars only — not rooms, equipment, or group calendars.

Does Hetk support Google Workspace for Government or Education?

The OAuth flow is identical for standard and Education editions, so those work the same way as any other Workspace account. Workspace for Government (GCC) is not supported.

How long does a webhook channel stay live?

Google caps events.watch push channels at seven days. Hetk creates six-day channels and renews them automatically before they expire, so real-time delivery continues without a gap.

How can a user or admin revoke Hetk’s access?

A user can revoke Hetk at https://myaccount.google.com/permissions. An admin can revoke it from the Workspace OAuth app controls. Once access is revoked, Hetk’s tokens stop working and sync halts.

Where is data stored?

On Azure App Service and Azure SQL in the North Europe region. OAuth tokens are encrypted at rest, and the database uses Transparent Data Encryption. Full detail is on the /security/ page.

For organisation security reviewers

For organisation security reviews, email security@hetk.io. Hetk will sign your DPA on request. Full security documentation: /security/.
