
Outlook Add-in Security Overview

This article provides a security overview of the Showell Add-in for Microsoft Outlook.

1. Introduction

The Showell Add-in for Microsoft Outlook lets users access their Showell workspace directly from Outlook when composing a new email, reply, or forward. Communication between Outlook and the add-in is handled through Microsoft's Office.js APIs; communication between the add-in and the embedded Showell App uses the browser's postMessage channel.

Showell and Outlook

The Outlook Add-in does not sync Outlook data into Showell, does not read your inbox, and does not act on Outlook items on your behalf. It exists purely to make sharing Showell content into an outgoing email faster. When a user clicks "Share" inside the add-in, a Showell Share link (and optional styled button) is inserted into the email body they're already writing.

Security is a design requirement for the Add-in rather than an afterthought: it reuses Showell's existing authentication, encrypts data in transit and at rest, and touches as little Outlook data as the feature needs. The sections below describe each of these in turn.

More information:

2. Authentication and Authorization

Users authenticate using their existing Showell credentials, including SSO. When sign-in is needed, the Showell login flow opens in a dedicated dialog window provided by Microsoft's Office.js API. Once login completes, a short-lived, one-shot session identifier is passed back to the add-in and the user is signed in for the session.

The Add-in does not request any Microsoft / Office 365 OAuth scopes beyond the permissions Outlook grants to all add-ins. It does not read or modify existing mailbox contents. The Showell button is only available on the compose surface (new email, reply, forward), as declared in the Office Add-in manifest.
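The two message channels named above (the Office.js login dialog replying to the task pane, and the embedded Showell App talking to the task pane over window.postMessage) are only as safe as the receiving side's checks. The following is an added illustration, not Showell's code, of how a task pane can validate those messages: the sender origin is checked before the payload is touched, the message shape is checked against a fixed set of types, a share link is accepted only if it is an https URL, and the one-shot session identifier is redeemed exactly once so a replayed login message cannot sign a user in again. The origin, message types and field names (`login-complete`, `insert-share-link`, `sessionId`, `url`) are assumptions chosen for the example; the real add-in's wire format is not published. Office.js calls are referenced in comments only, so the logic runs offline.

```javascript
"use strict";

// Origins the task pane will accept messages from. Placeholder value,
// assumed for this example; the real add-in's origins are not published.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Session identifiers already redeemed in this task-pane lifetime, so a
// replayed login message cannot sign the user in a second time.
const consumedSessionIds = new Set();

// Validate a message before touching its contents.
// Returns { ok: true, msg } on success or { ok: false, reason } on rejection.
function validateMessage(origin, data, allowedOrigins = ALLOWED_ORIGINS) {
  // Origin first: the payload is attacker-controlled until the origin is trusted.
  if (!allowedOrigins.has(origin)) {
    return { ok: false, reason: "untrusted-origin" };
  }
  // Office.js dialogs deliver a string; the embedded app may post an object.
  let msg = data;
  if (typeof msg === "string") {
    try { msg = JSON.parse(msg); } catch { return { ok: false, reason: "malformed" }; }
  }
  if (msg === null || typeof msg !== "object" || typeof msg.type !== "string") {
    return { ok: false, reason: "malformed" };
  }
  return { ok: true, msg };
}

// Redeem a one-shot session identifier exactly once.
function redeemSessionId(sessionId, consumed = consumedSessionIds) {
  if (typeof sessionId !== "string" || sessionId.length === 0) {
    return { ok: false, reason: "missing-session-id" };
  }
  if (consumed.has(sessionId)) {
    return { ok: false, reason: "replayed" };
  }
  consumed.add(sessionId);
  return { ok: true, sessionId };
}

// Handler for the login dialog's reply. In Office.js the dialog side calls
// Office.context.ui.messageParent(payload) and the task pane receives it through
// dialog.addEventHandler(Office.EventType.DialogMessageReceived, handler), with
// the payload in arg.message. Origin is passed in explicitly here (assumption)
// so the logic can be exercised without Office.js.
function handleDialogReply(origin, message, consumed = consumedSessionIds) {
  const v = validateMessage(origin, message);
  if (!v.ok) return v;
  if (v.msg.type !== "login-complete") {
    return { ok: false, reason: "unexpected-type" };
  }
  return redeemSessionId(v.msg.sessionId, consumed);
}

// Handler for window.postMessage events from the embedded app. Only a fixed
// set of message types is acted on, and only from a trusted origin.
function handleAppMessage(event) {
  const v = validateMessage(event.origin, event.data);
  if (!v.ok) return v;
  switch (v.msg.type) {
    case "insert-share-link":
      // Check the link before handing it to Office.js for insertion into the
      // compose body; a javascript: or data: URL must never reach the email.
      if (!/^https:\/\//.test(String(v.msg.url))) {
        return { ok: false, reason: "non-https-link" };
      }
      return { ok: true, action: "insert", url: v.msg.url };
    default:
      return { ok: false, reason: "unexpected-type" };
  }
}

// For contrast, the pattern to avoid: acting on any message from any origin.
function insecureHandleAppMessage(event) {
  return { ok: true, action: "insert", url: event.data.url };
}
```

The contrast between the last two functions is the whole point: `insecureHandleAppMessage` will happily insert a `javascript:` URL posted by any page that can obtain a reference to the task pane's window, while `handleAppMessage` rejects it twice over (wrong origin, then non-https link). Checking `event.origin` against an explicit allow-list, rather than matching on `event.source` or trusting a field inside the payload, is the check that matters.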

3. Data Encryption

The integration encrypts data both in transit and at rest.

Data transmitted between Outlook and Showell is carried over HTTPS, so it is encrypted in transit and protected from interception and tampering on the network. At rest, data in Showell's database is encrypted with AES-256, a standard that meets industry guidelines for protecting confidential information. Encryption keys are managed according to Showell's Encryption Key Management policy, under which they are periodically reviewed and rotated or upgraded as necessary.

Our server infrastructure is hosted on AWS in Europe, in support of European data protection requirements.

4. Data Handling and Privacy

The Outlook Add-in is intentionally minimal in what it touches:

  • The Add-in does not read or store any data from your mailbox, your contacts, or your calendar. It cannot access messages already in your mailbox; its only write is the Share link it inserts into the email currently being composed.
  • The only Outlook-side data the Add-in reads is the email address of the currently signed-in Outlook user, made available by Microsoft's Office.js. This is used solely to keep the Add-in's Showell session aligned with the right user.
  • When the user inserts a Showell Share link into an email, that share is stored on Showell's servers in the same way as any other Showell Share. The Outlook Add-in itself does not retain a separate copy.
  • A more complete description of what data may be processed is published in the Showell for Microsoft Outlook Privacy Policy.
  • Compliance with privacy regulations such as GDPR and CCPA is maintained, and Showell's security practices are aligned with ISO 27001 (an information security standard, not a privacy regulation). Users can exercise their data subject rights (access, rectification, deletion) by contacting Showell support.
  • We retain user data only as long as necessary to provide the service and comply with legal requirements.

5. Tracking and Logging

Apart from the signed-in user's email address described above, Showell does not collect personal data from Outlook. Usage tracking is gathered only within the Showell App itself, to monitor usage and improve service quality.

Errors from the Showell App are logged with Sentry.io, which helps us identify and address issues promptly; these error reports do not include personal data.

6. Security Measures

Additional security measures are in place to safeguard the integration:

  • Regular Security Audits and Penetration Testing: Conducted in line with ISO 27001, together with ongoing monitoring and logging to check the effectiveness of procedures and controls. Important logs are reviewed monthly, and detected violations are reviewed within one business day.
  • Secure Development Practices: Adhered to throughout the development lifecycle.
  • Certifications and Standards: Compliance with standards such as ISO 27001 to ensure robust security practices.
  • Microsoft AppSource certification: The Showell Add-in is distributed through Microsoft AppSource and is subject to Microsoft's own validation process.

7. Incident Response

In the event of a security breach, Showell has a comprehensive incident response plan:

  • Identification: The incident is detected, reported, and verified by the Security Response Team (SRT).
  • Assessment: The SRT examines the incident, logs details, evaluates risks, and categorizes the incident type.
  • Response: The SRT acts to control the incident, secures evidence, and reports to law enforcement if necessary. Post-incident analysis is conducted to prevent future occurrences.

The SRT, composed of the CTO, CISO, senior management, customer support, IT, and Product Development team members, is responsible for investigating and responding to incidents. The team ensures compliance with relevant laws and conducts post-incident reviews to implement remedial actions.

8. Contact Information

If you have any questions or concerns about this security overview or the handling of your information, please contact your Showell contact person or Showell support.

💡 Summary (TL;DR)

The Showell Outlook Add-in is a thin task pane add-in that lets users insert Showell content into emails directly from Outlook.

  • No mailbox access: The Add-in cannot read your inbox, contacts, or calendar. The only Outlook-side data it reads is the signed-in user's email address.
  • Authentication and Authorization: Users sign in with their normal Showell credentials (including SSO). The Add-in does not request any extra Microsoft 365 OAuth scopes.
  • Data Encryption: Data in transit is secured with HTTPS. Data at rest is encrypted with AES-256. Hosted on AWS in Europe.
  • Data Handling and Privacy: Only Showell Shares are stored, and they're stored the same way as any other Showell Share.
  • Tracking and Logging: Apart from the signed-in user's email address, Showell does not collect personal data from Outlook. Errors are logged via Sentry.io without storing personal data.
  • Security Measures: Regular security audits and penetration testing. ISO 27001 alignment. Distributed via Microsoft AppSource.
  • Incident Response: Comprehensive plan with identification, assessment, and response by the Security Response Team.