Product · July 7, 2026Calemio

Calemio Security and Data Privacy: How Your Data Stays Safe

How Calemio protects your data: two-layer AES-256 encryption, TLS 1.3, zero-knowledge architecture, KVKK and GDPR compliance by default, and a DPA on request.

Calemio Security and Data Privacy: How Your Data Stays Safe

Stop for a second and think about what's actually in your appointment book. Names. Phone numbers. Who showed up, who didn't. Sometimes a client's treatment history. Sometimes the single most private note someone has ever told you. Now imagine that book gets lost, stolen, or ends up in the wrong hands. What happens?

That question is the whole reason data security exists. And for most business owners, it's also the most tedious, most-put-off topic on the list. "Nothing's going to happen," people tell themselves, right up until something does.

When we built Calemio, we treated security not as a feature bolted on later, but as the foundation itself. In this article we'll keep the technical language as plain as we can and walk through how your data is protected, where you stand with KVKK and GDPR, and what all of that actually buys you in your day-to-day work.

The short version

Calemio protects your data with two-layer AES-256 encryption and TLS 1.3. Thanks to a zero-knowledge architecture, not even the Calemio team can read your notes. It's compliant with KVKK and GDPR by default, signs a Data Processing Agreement (DPA) on request, and your data always belongs to you, exportable whenever you want.

Encryption: Your Data Is Locked, at Rest and in Transit

Your data can be exposed in two very different places. One is on the server, while it's sitting still ("at rest"). The other is between your device and the server, while it's traveling ("in transit"). Calemio locks both, separately.

Your data at rest is protected by two-layer AES-256 encryption. AES-256 is the same standard banks and government agencies rely on, considered practically unbreakable today. The "two-layer" part means this: your data doesn't sit behind a single lock, but behind two nested ones. Getting through the first isn't enough.

While data moves between your device and our servers, TLS 1.3 takes over. That's the most current secure communication protocol on the internet. So when you open an appointment or pull up a client card, that information flows encrypted, in a form nobody along the way can read.

The upshot is simple: your data is never exposed while it rests, and never open while it travels.

Zero-Knowledge Architecture: Not Even Calemio Can Read It

This is the point most software skips, and the one we care about most. In many apps your data is encrypted, but the key that unlocks it sits with the provider. Which means, in theory, the company itself could open and read your notes whenever it wanted.

Calemio doesn't work that way. We use a zero-knowledge architecture. Here's what that means: the key that decrypts your notes lives only on your device, not on our servers. So the Calemio team, including our most senior engineer, cannot read your private notes. Not "we promise not to," but technically cannot.

What zero-knowledge means in practice

When you write a sensitive note about a client, that note is encrypted on your device and stored that way. Because the key stays with you, even someone who somehow reached our servers would see nothing but an unreadable pile of ciphertext. The meaning of the data is yours alone.

That makes a real difference for businesses handling sensitive information, health, legal, or advisory work in particular. Because trust isn't built by saying "believe us." It's built by making the alternative technically impossible.

KVKK and GDPR: Not a Setting You Switch On Later

In Turkey, anyone working with personal data is bound by the Personal Data Protection Law (KVKK). If you do business in Europe or process the data of EU residents, GDPR draws the same lines. And when sensitive categories like health data are involved, the rules get stricter still.

Calemio is compliant with both frameworks by default. You don't have to hunt through settings to turn compliance on; it comes that way out of the box. Our encryption, access controls, and data-retention practices were built to these standards from the start.

For anyone running at an enterprise scale, or working in an audited industry, there's one more step. On request, we sign a Data Processing Agreement (DPA). That agreement puts the boundaries of how we process your data in writing, and makes them binding. In multi-location setups this guarantee matters even more; we touch on the data-isolation side of it in the piece on multi-branch management.

For anyone who wants to be audit-ready

If your accountant, legal advisor, or a client asks about your data security, you can request a DPA. Because compliance is a default rather than a setting, questions like these get a lot easier to answer with confidence.

Your Data Belongs to You, It's Not Held Hostage

Some software tries to keep you inside by keeping your data inside. Even when you want to leave, getting your records out becomes a struggle, and that's no accident.

We stand for the exact opposite. Your client records, appointment history, and notes in Calemio belong to you. You can export them any time you want. Decide tomorrow to try a different system, and your data comes with you. This is one of the invisible but most important parts of security: real control over your data should sit with you.

What Does This Security Actually Buy You?

Technical terms aside, what all of this really gives you at the end of the day is a simple feeling: peace of mind.

A paper book gets left on a desk, misplaced, coffee spilled across it. An Excel file gets emailed to the wrong person, or walks off on a stolen USB stick. In Calemio your client data sits in an encrypted, backed-up system with controlled access. If you run several locations, one account's data never leaks into another; each workspace stays isolated along the KVKK line.

And most importantly, when a client asks "is my data safe?", you can say yes without hesitating. Because that answer no longer rests on your word, it rests on the architecture of the system.

Want the bigger picture of Calemio? Start with what Calemio is, and find answers to anything else on the frequently asked questions page.

In Short

Security isn't a line item you consider after the fact in a good scheduling tool, it's the foundation itself. Calemio encrypts your data with two-layer AES-256 while it rests, and with TLS 1.3 while it travels. Thanks to a zero-knowledge architecture, you can be sure that not even we can read your notes. KVKK and GDPR compliance comes by default, a DPA gets signed on request, and your data always stays yours.

You focus on your work; keeping your data safe is ours. You can start a free trial, no credit card needed.

Frequently Asked Questions

What encryption does Calemio actually use on my data?

Two kinds, in two different places. While your data sits on the server, it's protected by two-layer AES-256 encryption, the same standard banks and government agencies rely on and one considered practically unbreakable today. While it travels between your device and our servers, TLS 1.3 takes over, so the information flows in a form nobody along the way can read.

Can anyone at Calemio read my private notes?

No, and not because we promise not to. We use a zero-knowledge architecture, which means the key that decrypts your notes lives only on your device, never on our servers. Nobody here, including our most senior engineer, can open them. It's a property of the architecture, not a policy.

Do I have to switch GDPR compliance on somewhere in the settings?

No. Calemio is compliant with both KVKK and GDPR by default, straight out of the box. Our encryption, access controls, and data-retention practices were built to those standards from the start, so there's no compliance toggle for you to hunt down and enable.

Can I get a Data Processing Agreement for my business?

Yes, we sign a DPA on request. It puts the boundaries of how we process your data in writing and makes them binding. If you run at enterprise scale or work in an audited industry, it's what lets you answer your accountant, your legal advisor, or a client with confidence.

If I move to another system tomorrow, can I take my records with me?

Yes. Your client records, appointment history, and notes in Calemio belong to you, and you can export them any time you want. Decide to try something else and your data comes with you. Real control over your data sitting with you is one of the invisible but most important parts of security.

With several locations, can one branch's data end up in another?

No. If you run several locations, one account's data never leaks into another; each workspace stays isolated along the KVKK line. In multi-location setups the DPA guarantee matters even more, because the limits on how we process your data are then spelled out in writing.

Related articles

Share this article
Mio

Try Calemio for free

Encrypted, compliant and simple. Built for independent therapists and clinics.

Start free