Architecture and Security for MS365 Calendars
Overview
DayBack accesses and displays your MS365 events through the MS365 Calendar API, without storing any event data in its own database. Instead, all event data is managed by MS365, and your event information never passes through DayBack's servers. However, certain application settings are stored on DayBack's servers. This document explains the division of responsibilities between DayBack and MS365, clarifying where different types of information are stored and how MS365 permissions are respected.
This architecture and security model is also applied to DayBack's connections with Salesforce and Athenahealth.
Details
Security review
DayBack has successfully passed the rigorous security review required for all AppExchange apps. For Canvas Apps like DayBack, this review includes testing the security of DayBack's servers, checking for injection vulnerabilities, and examining all traffic between dayback.com and Salesforce.
Where is my event data stored?
Throughout this article, "event" refers to any MS365 Calendar record displayed in DayBack, such as an appointment. These records could originate from any of your MS365 Calendars, from Group Calendars, or from calendars shared with you in MS365.
Events are stored exclusively in MS365 and do not pass through DayBack's servers before being displayed on the calendar. DayBack directly queries MS365 using their Graph API from your web browser. DayBack does not maintain an event database or a shadow table of events on its servers.
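One way to check this claim in your own tenant, as an added example (not DayBack's code): create a test event whose subject contains a unique canary string, export a HAR file from the browser's network panel, and search all traffic to hosts other than the Graph API for that canary. The canary value, the `collector.example` host, the `/settings` path and the sample captures are constructed for illustration.

```javascript
// Added example, runs under Node.js. Flags any non-Graph request or response
// in a HAR capture that contains the canary placed in a test event's subject.
const GRAPH_HOST = "graph.microsoft.com"; // only host expected to carry event data

// HAR response bodies may be base64-encoded; decode before searching.
function bodyText(content) {
  if (!content || !content.text) return "";
  return content.encoding === "base64"
    ? Buffer.from(content.text, "base64").toString("utf8")
    : content.text;
}

// Percent-decode URLs, falling back to the raw string on malformed escapes.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Return every place the canary appears in traffic to a host other than Graph.
function findCanaryLeaks(har, canary) {
  const leaks = [];
  for (const entry of har.log.entries) {
    const url = new URL(entry.request.url);
    if (url.hostname === GRAPH_HOST) continue;
    const fields = {
      url: safeDecode(url.pathname + url.search),
      requestBody: (entry.request.postData && entry.request.postData.text) || "",
      responseBody: bodyText(entry.response && entry.response.content),
    };
    for (const [where, text] of Object.entries(fields)) {
      if (text.includes(canary)) leaks.push({ host: url.hostname, where });
    }
  }
  return leaks;
}

// Constructed sample captures (HAR 1.2 shape, trimmed to the fields used).
const CANARY = "CANARY-7f3a91";
const cleanHar = { log: { entries: [
  { request: { method: "GET", url: "https://graph.microsoft.com/v1.0/me/calendarView?startDateTime=2024-05-01T00:00:00&endDateTime=2024-05-31T00:00:00" },
    response: { content: { text: `{"value":[{"subject":"${CANARY} budget review"}]}` } } },
  { request: { method: "GET", url: "https://dayback.com/settings" }, // hypothetical path
    response: { content: { text: '{"defaultView":"week","timeIncrement":30}' } } },
] } };
// Same capture plus one constructed entry showing what a finding looks like.
const leakyHar = { log: { entries: [...cleanHar.log.entries,
  { request: { method: "GET", url: `https://collector.example/ingest?q=${CANARY}%20budget` },
    response: { content: { encoding: "base64",
      text: Buffer.from(`{"subject":"${CANARY}"}`).toString("base64") } } },
] } };
```

A capture taken while creating a public share is expected to trip this check, since that is the one case in which the page says event data is copied to DayBack's servers.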
Does DayBack respect sharing rules and permissions from MS365?
Yes. Using the Graph API, DayBack operates under the logged-in user's MS365 credentials, ensuring that a DayBack user has the same access to their MS365 calendars as they would in MS365's own calendar. Users can view their own calendars and any calendars shared with them.
DayBack has no ability to expand a user's permissions or access to calendars: a user has no more access to MS365 operations in DayBack than they do in MS365.
What is stored on DayBack's servers?
DayBack stores your calendar settings on its servers. This includes all the information found in the "admin" side of DayBack:
- Calendar source configuration
- Admin Settings & Defaults, such as default view, time increment, and start time of your view
- Status names and resource names
- Resource folder names and status colors
If you’ve created custom actions in DayBack, the code for those actions is also stored on DayBack's servers.
Additionally, DayBack records the email addresses of users authorized to use DayBack and those who actively use the app. For users designated as DayBack admins, their email addresses are also recorded. The only identifying information stored about users is their names and email addresses; no passwords or other sensitive personal information is stored.
Example of User Data Stored on DayBack's Servers
Here is an example of the actual data recorded:
    {
      "group" : {
        "id" : "sf-org-00D36000000ojIYEAY17381-23517tk"
      },
      "members" : {
        "1459229742595-1900723854" : {
          "account" : "[email protected]",
          "admin" : true,
          "id" : "1459229742595-1900723854",
          "userID" : "sf-005360000015SOJAA221107-29573tk"
        },
        "1459305409187-0976614575" : {
          "account" : "[email protected]",
          "admin" : false,
          "id" : "1459305409187-0976614575",
          "userID" : "sf-005360000015SOUAA2-1931-93222tk"
        },
        "1468520557325-2375843162" : {
          "account" : "[email protected]",
          "admin" : false,
          "id" : "1468520557325-2375843162",
          "userID" : "sf-005360000015SQZAA261098-2231tk"
        }
      },
What about sharing?
The sharing feature in DayBack is designed to publish calendar data to people outside of MS365 or Salesforce. You can disable this feature or restrict it to specific users. Event data is only copied from MS365 and stored on DayBack servers when you manually create a share (a public bookmark). For detailed information on how this process works and what data is published, please refer to the sharing documentation.
Sharing functions like "exporting" your event data: the recipient of the share does not gain access to your MS365 organization or any calendars other than the specific events you’ve shared. Bookmarks that are "shared" with "just me" or "my group" remain within MS365 and do not leave the platform. Only bookmarks set to "public" have their data shared outside of MS365/Salesforce.
Infrastructure
Where are DayBack's servers?
The storage for dayback.com is hosted on a Firebase Cloud Firestore server located in the United States (Learn more about Firebase locations). During DayBack's security review with Salesforce, the review team meticulously examined all traffic between DayBack and the server to ensure it was transmitted securely over WSS (WebSocket Secure).
Our application is hosted on Digital Ocean's servers in their SFO2 location in San Francisco.
Encryption
Data is encrypted at rest and in transit. At rest, data is encrypted with server-side encryption: Firebase manages the cryptographic keys on our behalf using the same hardened key management systems that Google uses for their own encrypted data, including strict key access controls and auditing. Each Firestore object's data and metadata is encrypted under the 256-bit Advanced Encryption Standard, and each encryption key is itself encrypted with a regularly rotated set of master keys.
In transit, we use Transport Layer Security (TLS).
Datacenter certifications
The Firebase Cloud Firestore services have successfully completed the ISO 27001, ISO 27017 and ISO 27018 evaluation process, along with SOC 1, SOC 2, and SOC 3. Details here.