MS SharePoint/OneDrive Security Overview

This article provides a security overview of the SharePoint/OneDrive integration with Showell

1. Introduction

Improve your content management workflow with Showell's SharePoint/OneDrive integration. This allows you to seamlessly sync assets to Showell, saving you time and enhancing content governance.

You can also customize your syncing process with validation and filtering options based on metadata. Sync metadata such as keywords, categories, and product types, and create custom Showell search criteria based on this information.

Ensure secure content access in Showell by granting authorization based on roles or teams. Support for multiple languages and translations is also available to cater to your global audience.

The SharePoint/OneDrive integration with Showell is designed with security as a fundamental aspect, utilizing OAuth 2.0 for secure authorization, employing strong authentication, encryption, and data handling practices. While this overview provides a comprehensive look at the security measures in place, further details can be obtained through direct contact with Showell support.

We take Technical and Organizational Measures (TOM). These include data minimization, purpose limitation, accuracy, retention time, and integrity and confidentiality to protect personal data. Compliance is ensured through strict access controls, regular security training for personnel, and stringent cloud service security standards.

More information:

• Showell's commitment to security
• Technical and Organizational Measures (TOM) for the Protection of Personal data
• Microsoft 365 Integrations: Setup Guide

 

---

2. Authentication and Authorization

Authentication between Showell and SharePoint/OneDrive is managed through OAuth 2.0, ensuring secure and streamlined access.

During the authorization process, Showell requests full access to the files that the authenticated user has access to on SharePoint/OneDrive. This allows Showell to securely sync and exchange data on behalf of the user. The obtained tokens (both access and refresh tokens) are encrypted to ensure security. These OAuth tokens enable our backend to retrieve data as the authenticated user, with limitations to prevent unauthorized actions after the initial authorization is completed.

 

---

3. Data Encryption

Data security is a top priority, and the integration uses robust encryption methods to protect data both in transit and at rest.

Data transmitted between Showell and SharePoint/OneDrive is secured using HTTPS, ensuring encrypted traffic to prevent interception. Data is encrypted using AES-256 encryption, a standard that meets industry guidelines for securing confidential information.

Encryption keys are managed according to Showell’s Encryption Key Management policy, ensuring they are periodically reviewed and upgraded as necessary.

Our server infrastructure is hosted on AWS in Europe, ensuring compliance with European data protection standards.

 

---

4. Data Handling and Privacy

The integration between Showell and SharePoint/OneDrive involves specific data handling practices to ensure privacy and compliance:

• By authorizing the connection between Showell and SharePoint/OneDrive, you, as the end user, allow the Showell server to access and read SharePoint/OneDrive data on your behalf.
• Showell does not handle any personal data

Compliance with privacy regulations such as GDPR, CCPA, and ISO 27001 is maintained. Users can exercise their data subject rights (access, rectification, deletion) by contacting Showell support.

Data minimization is practiced, processing only the minimum amount of data required for service functionality.

 

---

5. Tracking and Logging

Showell does not collect data from SharePoint/OneDrive. It only gathers tracking information within the Showell App to monitor usage and improve service quality. 

Showell servers are authorized to access and sync SharePoint/OneDrive data (See point 4). Tracking information is stored within Showell's infrastructure and is accessible to authorized personnel only. This information is protected through encryption and access control measures to ensure it remains secure.

Error messages are logged with Sentry.io, helping to identify and address issues promptly without collecting personal data.

For more information on Share Analytics: analyze your shared content

 

---

6. Security Measures

Additional security measures are in place to safeguard the integration:

Regular Security Audits and Penetration Testing: Conducted in compliance with ISO 27001 standards, including regular monitoring and logging to check the effectiveness of procedures and controls. Important logs are reviewed monthly, and violations are reviewed within one business day.

Secure Development Practices: Adhered to throughout the development lifecycle.
Certifications and Standards: Compliance with standards such as ISO 27001 to ensure robust security practices.

 

---

7. Incident Response

In the event of a security breach, Showell has a comprehensive incident response plan:

• Identification: The incident is detected, reported, and verified by the Security Response Team (SRT).
• Assessment: The SRT examines the incident, logs details, evaluates risks, and categorizes the incident type.
• Response: The SRT acts to control the incident, secures evidence, and reports to law enforcement if necessary. Post-incident analysis is conducted to prevent future occurrences.

The SRT, composed of the CTO, CISO, senior management, customer support, IT, and Product Development team members, is responsible for investigating and responding to incidents. The team ensures compliance with relevant laws and conducts post-incident reviews to implement remedial actions.

 

---

8. Contact Information

If you have any questions or concerns about this security overview or the handling of your information, please contact your Showell contact person or Showell Support.