From 352a0f810c5a6df96cf9c4c42cd64349a3f22c37 Mon Sep 17 00:00:00 2001
From: "mintlify[bot]" <109931778+mintlify[bot]@users.noreply.github.com>
Date: Tue, 14 Oct 2025 04:40:36 +0000
Subject: [PATCH 1/3] Documentation edits made through Mintlify web editor
---
mint.json | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/mint.json b/mint.json
index 4a940d8..38b737e 100644
--- a/mint.json
+++ b/mint.json
@@ -229,6 +229,12 @@
"iconType": "solid",
"pages": ["privacy-and-compliance/google-calendar-privacy"]
},
+ {
+ "group": "Security",
+ "icon": "shield-halved",
+ "iconType": "solid",
+ "pages": ["security/blocklist"]
+ },
{
"group": "User Roles",
"icon": "user-check",
From a8b92b8e557bb526a80ce0448dcdbbfac9734c21 Mon Sep 17 00:00:00 2001
From: "mintlify[bot]" <109931778+mintlify[bot]@users.noreply.github.com>
Date: Tue, 14 Oct 2025 04:54:26 +0000
Subject: [PATCH 2/3] Documentation edits made through Mintlify web editor
---
security/blocklist.mdx | 128 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 128 insertions(+)
create mode 100644 security/blocklist.mdx
diff --git a/security/blocklist.mdx b/security/blocklist.mdx
new file mode 100644
index 0000000..b58e1d5
--- /dev/null
+++ b/security/blocklist.mdx
@@ -0,0 +1,128 @@
+---
+title: "Blocklist"
+---
+
+The **Blocklist** helps Organization Admins stop unwanted bookings made with suspicious emails or domains. Organization members can **report** bookings they believe are spam. Reported bookings are **flagged** and **auto-cancelled** (including all future occurrences for recurring events).\
+Admins then review these reports at [/organizations/privacy](https://app.cal.com/settings/organizations/privacy) and decide to **Ignore** or **Block** the email/domain. Admins can also **add blocklist entries directly** without a prior report.
+
+---
+
+## What happens when a booking is reported
+
+1. The booking is marked **Reported**.
+2. The booking (and any **future recurrences**) is **automatically cancelled**.
+3. The report appears in **Privacy & Security → Spam Blocklist** for admin review.
+
+
+ Past occurrences in a recurring series are not retroactively cancelled.
+
+
+---
+
+## Reviewing reports (Privacy & Security)
+
+Go to `/organizations/privacy` →**Blocklist** .
+
+For each report you’ll see:
+
+- **Booker email**
+- **Who reported it** and **when**
+- **Linked booking** (event, host, time)
+- **Actions**: **Ignore** or **Block**
+
+### Actions
+
+- **Ignore**: Closes the report. The email/domain isn't added to blocklist
+- **Block** (Email or Domain):
+ - **Email**: Blocks _that exact_ email.
+ - **Domain**: Blocks _all_ addresses at that domain (e.g., `@example.com`).
+
+
+ When **blocked**, **any future booking attempts** across your organization are **silently rejected**. The booker is **not** told they’ve been blocked.
+
+
+---
+
+## Add to blocklist directly (no report required)
+
+From the **Blocklist**:
+
+1. Click **Add to Blocklist**.
+2. Choose **Email** or **Domain**.
+3. Provide the value and (optionally) a description explaining **reason/notes**.
+4. Save.
+
+This immediately activates the block for all users in your organization.
+
+---
+
+## How blocking works (under the hood)
+
+- **Checks run at booking time** against your org’s blocklist.
+- **Silent failure**: We do **not** reveal the block to suspected spammers (prevents evasion and harassment).
+- **PII safe:** We do **not **reveal the host's PII in such cases.
+- **Scope**: Org-wide. A blocked email/domain cannot book **any** user in your org.
+
+---
+
+## Benefits
+
+- **Reduces noise** and protects calendars from spam or harassment.
+- **Prevents recurring spam** by shutting down future attempts automatically.
+- **Protects host privacy & safety** by avoiding explicit “you’re blocked” notices.
+- **Saves time** for admins and hosts; fewer manual cancellations and follow-ups.
+- **Organization-wide coverage** ensures consistent enforcement for all members.
+
+---
+
+## Best practices
+
+- **Prefer domain blocks** for obvious throwaway/spam domains; use **email blocks** for one-off bad actors on otherwise legitimate domains.
+- **Add a note** when blocking (reason, source). It helps future reviewers.
+- **Review regularly**: Clear out resolved reports to keep the queue tidy.
+- **Start narrow, widen later**: If unsure, block the email first; escalate to a domain block if you see a pattern.
+
+---
+
+## Permissions & access
+
+- **Who can report**: Any user who receives a suspicious booking.
+- **Who can review/block**: **Organization Admins** (and Owners).
+- **Where**: `/organizations/privacy` → **Blocklist** .
+
+---
+
+## Unblocking / managing entries
+
+- Navigate to **Blocklist**.
+- Find the entry → **Remove** or **Edit**.
+- Removing an entry **re-enables** booking attempts from that email/domain.
+
+
+ Removing a block does not restore previously cancelled bookings; those must be recreated if needed.
+
+
+---
+
+## FAQs
+
+**Q: Will the booker know they were blocked?**\
+**A:** No. We intentionally keep it silent to prevent abuse escalation and evasion.
+
+**Q: Can I block subdomains only (e.g., `@mail.bad.com but not @good.bad.com)?**\
+**A:** Use a **domain** entry for the exact domain you want blocked. If you need finer control, prefer **email blocks** or add multiple domain entries.
+
+**Q: Do past recurring instances get cancelled when reported?**\
+**A:** We cancel the **reported instance and future occurrences**. Past instances are not retroactively altered.
+
+**Q: Can I import a list of domains?**\
+**A:** Add entries individually today. If you need bulk operations, contact support for recommended workflows.
+
+---
+
+## Quick reference (admin workflow)
+
+1. **Review reports** → **Ignore** or **Block (Email/Domain)**
+2. **Add direct blocks** (no report needed)
+3. **Silent enforcement** across the org for future bookings
+4. **Manage entries** (edit/remove) in the same page
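Review bot: The matching rule for a Domain entry is never defined. The Actions bullet says a domain block covers all addresses at that domain, while the subdomain FAQ says to use an entry for the exact domain, so a reader cannot tell whether blocking `bad.com` also covers `mail.bad.com`. State explicitly whether subdomains match, and whether comparison is case-insensitive, since admins rely on this when choosing between an email block and a domain block. Three markup slips in the same file: the inline code span opened before @mail.bad.com in that FAQ question is never closed; `**not **reveal` in the PII bullet has a space before the closing asterisks and will not render as bold; and `→**Blocklist** .` has a stray space before the period. Finally, the intro links to a URL under /settings/organizations/privacy but the later "Go to" line gives `/organizations/privacy`; use one form of the path throughout.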
From e57b5e5b409f10d135c4fdf6afaff59d46a44706 Mon Sep 17 00:00:00 2001
From: Syed Ali Shahbaz <52925846+alishaz-polymath@users.noreply.github.com>
Date: Tue, 14 Oct 2025 13:30:51 +0400
Subject: [PATCH 3/3] Update blocklist.mdx
---
security/blocklist.mdx | 31 ++++++++++---------------------
1 file changed, 10 insertions(+), 21 deletions(-)
diff --git a/security/blocklist.mdx b/security/blocklist.mdx
index b58e1d5..bf6716c 100644
--- a/security/blocklist.mdx
+++ b/security/blocklist.mdx
@@ -3,7 +3,7 @@ title: "Blocklist"
---
The **Blocklist** helps Organization Admins stop unwanted bookings made with suspicious emails or domains. Organization members can **report** bookings they believe are spam. Reported bookings are **flagged** and **auto-cancelled** (including all future occurrences for recurring events).\
-Admins then review these reports at [/organizations/privacy](https://app.cal.com/settings/organizations/privacy) and decide to **Ignore** or **Block** the email/domain. Admins can also **add blocklist entries directly** without a prior report.
+Admins then review these reports at [/admin/privacy](https://app.cal.com/settings/admin/privacy) and decide to **Ignore** or **Block** the email/domain. Admins can also **add blocklist entries directly** without a prior report.
---
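Review bot: The unchanged first sentence still says the Blocklist helps Organization Admins, but the changed line now sends "Admins" to /admin/privacy, which the rest of this patch treats as a System Admin page. Name the role in the changed sentence ("System Admins then review these reports at ...") so the reader knows which role the link is meant for.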
@@ -11,7 +11,7 @@ Admins then review these reports at [/organizations/privacy](https://app.cal.com
1. The booking is marked **Reported**.
2. The booking (and any **future recurrences**) is **automatically cancelled**.
-3. The report appears in **Privacy & Security → Spam Blocklist** for admin review.
+3. The report appears in **Privacy & Security → Blocklist** for System Admin review.
Past occurrences in a recurring series are not retroactively cancelled.
@@ -21,9 +21,7 @@ Admins then review these reports at [/organizations/privacy](https://app.cal.com
## Reviewing reports (Privacy & Security)
-Go to `/organizations/privacy` →**Blocklist** .
-
-For each report you’ll see:
+For each report the system admins see:
- **Booker email**
- **Who reported it** and **when**
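Review bot: "system admins" is lower-case in the added line, while the previous hunk and the Permissions section write "System Admin(s)"; pick one form. With the "Go to" line removed, this section no longer says where the reports are listed, so consider keeping a one-line pointer to `/admin/privacy` → Blocklist here.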
@@ -32,18 +30,18 @@ For each report you’ll see:
### Actions
-- **Ignore**: Closes the report. The email/domain isn't added to blocklist
+- **Ignore**: Closes the report. The email/domain isn't added to the blocklist
- **Block** (Email or Domain):
- **Email**: Blocks _that exact_ email.
- **Domain**: Blocks _all_ addresses at that domain (e.g., `@example.com`).
- When **blocked**, **any future booking attempts** across your organization are **silently rejected**. The booker is **not** told they’ve been blocked.
+ When **blocked**, **any future booking attempts** are **silently rejected**. The booker is **not** told they’ve been blocked.
---
-## Add to blocklist directly (no report required)
+## Add to Organization Blocklist
From the **Blocklist**:
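Review bot: Dropping "across your organization" from the silent-rejection note leaves the scope of a block made from a report unstated, while the very next heading is renamed to "Add to Organization Blocklist". Say in the note whether a Block applied from a report takes effect globally or only for the reporting organization, so readers can tell which list a given action writes to.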
@@ -58,7 +56,7 @@ This immediately activates the block for all users in your organization.
## How blocking works (under the hood)
-- **Checks run at booking time** against your org’s blocklist.
+- **Checks run at booking time** against global blocklist and your org’s blocklist.
- **Silent failure**: We do **not** reveal the block to suspected spammers (prevents evasion and harassment).
- **PII safe:** We do **not **reveal the host's PII in such cases.
- **Scope**: Org-wide. A blocked email/domain cannot book **any** user in your org.
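Review bot: The added bullet introduces a "global blocklist" that the page never defines, and the unchanged Scope bullet two lines below still reads "Org-wide", which now describes only one of the two lists. Add a sentence on what the global blocklist is and who maintains it, update the Scope bullet to cover both, and add the missing article ("against the global blocklist"). The broken bold in `**not **reveal` is still present in the context lines and could be fixed in the same pass.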
@@ -87,15 +85,15 @@ This immediately activates the block for all users in your organization.
## Permissions & access
- **Who can report**: Any user who receives a suspicious booking.
-- **Who can review/block**: **Organization Admins** (and Owners).
-- **Where**: `/organizations/privacy` → **Blocklist** .
+- **Who can review/block**: **System Admins** (and Owners).
+- **Where**: `/admin/privacy` → **Blocklist** .
---
## Unblocking / managing entries
- Navigate to **Blocklist**.
-- Find the entry → **Remove** or **Edit**.
+- Find the entry → **Remove**.
- Removing an entry **re-enables** booking attempts from that email/domain.
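Review bot: After this change the Permissions list names only System Admins (and Owners) as able to review/block, yet the patch keeps and renames the "Add to Organization Blocklist" section, so it is unclear who may add or remove organization-level entries. List the organization role on its own line, and clarify which "Owners" is meant now that the role before it is system-wide. The stray space in `**Blocklist** .` is carried over on the new Where line.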
@@ -117,12 +115,3 @@ This immediately activates the block for all users in your organization.
**Q: Can I import a list of domains?**\
**A:** Add entries individually today. If you need bulk operations, contact support for recommended workflows.
-
----
-
-## Quick reference (admin workflow)
-
-1. **Review reports** → **Ignore** or **Block (Email/Domain)**
-2. **Add direct blocks** (no report needed)
-3. **Silent enforcement** across the org for future bookings
-4. **Manage entries** (edit/remove) in the same page