IT Security Documentation

Last Updated: 19.07.2025

This document provides comprehensive information for IT administrators evaluating the security of SimpleBusiness365.

Table of Contents

  1. Executive Summary
  2. Architecture Overview
  3. Microsoft 365 Integration
  4. Infrastructure and Hosting
  5. Data Security
  6. Access Control and Authentication
  7. Network Security
  8. Development and Operations Security
  9. Compliance and Auditing
  10. Data Processing and Privacy
  11. Third-Party Services
  12. Support and Access

Executive Summary

SimpleBusiness365 is a Software as a Service (SaaS) productivity suite that integrates with Microsoft 365, providing tools for email management, CRM, newsletters, websites, and more. Our security architecture is designed with the following principles:

  • Data Sovereignty: Organizations can choose their data region (North America, West Europe, or Asia Pacific)
  • Minimal Permissions: We request only the minimum Microsoft 365 permissions necessary
  • Authentication: Exclusively Microsoft SSO for secure access
  • Encryption: All data encrypted in transit and at rest
  • Isolation: Complete regional isolation with no cross-region data sharing

Architecture Overview

System Architecture

SimpleBusiness365 consists of:

  • SaaS Application: Hosted in Microsoft Azure in your chosen region
  • Office Add-ins: Outlook and other Office add-ins served from the same infrastructure
  • Marketing Website: Static site hosted on Cloudflare
  • Processing: Data processing occurs both client-side and server-side

Data Flow

  1. Users authenticate via Microsoft SSO
  2. Application acts on behalf of users using delegated Microsoft 365 permissions
  3. Data flows between:
    • User’s browser/Office client ↔ SimpleBusiness365 servers
    • User’s browser/Office client ↔ Microsoft Graph API
    • SimpleBusiness365 servers ↔ Microsoft Graph API
  4. All communications use HTTPS/TLS encryption

Microsoft 365 Integration

Required Permissions

SimpleBusiness365 uses OAuth 2.0 delegated permissions:

Permission | Purpose                                  | Scope
User.Read  | Read user profile (name, email, company) | Basic identity
Mail.Send  | Send emails on user’s behalf             | Optional - only when sending campaigns

Token Security

  • Tokens are stored securely using industry-standard practices
  • Tokens are never logged or exposed in debugging
  • Refresh tokens are used to maintain access without repeated authentication
  • All tokens are scoped to minimum required permissions

Integration Points

  • Microsoft Graph API: Primary interface for Microsoft 365 operations
  • Office Add-ins: Embedded functionality within Outlook and Office applications
  • Authentication: Azure Active Directory for SSO

Infrastructure and Hosting

Azure Services

Our infrastructure leverages Microsoft Azure’s enterprise-grade services:

Service          | Purpose             | Security Features
App Services     | Application hosting | Managed platform, automatic patching
SQL Database     | Data storage        | Encryption at rest, automatic backups
Azure Storage    | File/object storage | Geo-redundant replication
Azure Front Door | CDN and WAF         | DDoS protection, global load balancing
Key Vault        | Secrets management  | HSM-backed key storage

Regional Deployment

  • Three Isolated Regions: North America, West Europe, Asia Pacific
  • Complete Isolation: Each region runs identical code with separate credentials
  • No Cross-Region Access: Data never leaves the selected region
  • Region Selection: Chosen during organization creation and cannot be changed

Network Architecture

  • Application APIs are the only public-facing services
  • All other services operate within private networks
  • Azure Front Door provides edge security and WAF protection
  • Global administrative access requires VPN connection

Data Security

Encryption

At Rest:

  • Database encryption using Azure SQL Transparent Data Encryption (TDE)
  • Storage encryption using Azure Storage Service Encryption
  • 256-bit AES encryption for all stored data

In Transit:

  • TLS 1.2 minimum for all connections
  • Certificate pinning for critical services
  • End-to-end encryption for sensitive operations

Access Controls

  • Production Access: Limited to CTO and Managing Director only
  • VPN Required: Administrative access requires VPN authentication
  • Role-Based Access: Principle of least privilege enforced
  • MFA Required: Two-factor authentication on all administrative accounts

Secret Management

  • All API keys, connection strings, and secrets stored in Azure Key Vault
  • Automatic key rotation where supported
  • No secrets in source code or configuration files
  • Audit logging for all secret access

Access Control and Authentication

User Authentication

  • Exclusive Microsoft SSO: No username/password authentication
  • Azure AD Integration: Leverages your existing identity provider
  • Session Management: Secure session handling with appropriate timeouts
  • No Password Storage: We never store or manage user passwords

Authorization

  • Organization-based access control
  • Multiple administrative users per organization
  • Role-based permissions within organizations
  • API access controlled via OAuth tokens

Network Security

Web Application Firewall (WAF)

Azure Front Door provides:

  • OWASP Top 10 protection
  • Custom rule capabilities
  • Bot protection
  • Rate limiting
  • Geographic filtering if required

DDoS Protection

  • Azure’s built-in DDoS protection
  • Automatic traffic analysis and mitigation
  • No service degradation during attacks

API Security

  • Rate limiting per organization
  • API key authentication where applicable
  • Request validation and sanitization
  • Comprehensive error handling without information leakage

Development and Operations Security

Development Practices

  • Secure coding standards following OWASP guidelines
  • Code reviews for all changes
  • Dependency management and updates
  • Input validation and output encoding

Deployment Process

  1. CI/CD Pipeline: Automated testing and deployment
  2. Staging Environment: Full testing before production
  3. Regional Rollout: Gradual deployment to each region
  4. Rollback Capability: Quick reversion if issues detected

Future Security Enhancements

Within the next 12 months:

  • Implementation of GitHub Advanced Security (GHAS) for Azure DevOps
  • Automated security scanning (SAST, DAST, dependency scanning)

Compliance and Auditing

Audit Logging

  • Retention Period: 1 year
  • Logged Events:
    • Authentication attempts
    • Administrative actions
    • Data access and modifications
    • API calls
    • Security events

Backup and Recovery

  • Point-in-Time Recovery: Available for Azure SQL databases
  • Backup Schedule:
    • 4 weekly backups
    • 6 monthly backups
  • Geo-Redundant Storage: Automatic replication to paired region
  • RTO: 24 hours
  • RPO: Less than 1 hour

Data Deletion

  • Accounts deleted within 30 days of cancellation
  • Data permanently deleted within additional 30 days
  • Data belonging to deleted accounts is purged from backups whenever a backup is restored

Data Processing and Privacy

Data Residency

  • Data remains in selected region
  • No data transfer between regions
  • Compliance with local data protection laws

Multi-Tenancy

  • Logical separation using organization identifiers
  • No shared data between organizations
  • Query-level enforcement of data boundaries
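The query-level enforcement described above, shown as an added illustration rather than the product's own code: every data access goes through a repository object bound to one organization identifier, so the tenant predicate is part of each statement and cannot be omitted by a caller. The schema and rows are constructed for the example, and SQLite stands in for Azure SQL.

```python
import sqlite3

# Constructed schema standing in for the tenant-owned tables (assumption:
# every such row carries an organization identifier column).
SCHEMA = """
CREATE TABLE contacts (
    id INTEGER PRIMARY KEY,
    organization_id TEXT NOT NULL,
    email TEXT NOT NULL
);
"""

# Constructed sample rows for two organizations; ids are assigned 1, 2, 3.
SAMPLE_ROWS = [
    ("org-a", "alice@example.com"),
    ("org-a", "bob@example.com"),
    ("org-b", "carol@example.com"),
]


def open_db():
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO contacts (organization_id, email) VALUES (?, ?)", SAMPLE_ROWS
    )
    return conn


class TenantScopedRepository:
    """All queries are bound to one organization; the filter is not optional."""

    def __init__(self, conn, organization_id):
        if not organization_id:
            raise ValueError("organization_id is required for every query")
        self._conn = conn
        self._org = organization_id

    def list_contacts(self):
        # The organization predicate is written into the statement itself,
        # so a caller cannot forget it and read another tenant's rows.
        rows = self._conn.execute(
            "SELECT email FROM contacts WHERE organization_id = ? ORDER BY email",
            (self._org,),
        ).fetchall()
        return [r[0] for r in rows]

    def get_contact(self, contact_id):
        # Primary-key lookups keep the tenant predicate: a valid id that belongs
        # to another organization yields None instead of that organization's data.
        row = self._conn.execute(
            "SELECT email FROM contacts WHERE id = ? AND organization_id = ?",
            (contact_id, self._org),
        ).fetchone()
        return row[0] if row else None
```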

Privacy Commitment

  • No sale or sharing of customer data
  • Data used only for service delivery
  • Compliance with GDPR and global privacy laws
  • Separate Privacy Policy and Data Processing Agreement available

Third-Party Services

Service Providers

Provider        | Purpose                      | Data Shared             | Location
Microsoft Azure | Infrastructure               | All application data    | Selected region
Cloudflare      | Website hosting & protection | None (static site only) | Global
Resend          | Transactional emails         | Email addresses         | US (with SCCs)
Paddle          | Payment processing           | Billing information     | US/UK

Vendor Security

  • All vendors selected for security compliance
  • Standard Contractual Clauses (SCCs) where required
  • Regular vendor security assessments

Support and Access

Customer Support

  • Support staff access limited to information provided by customers
  • No access to production data or Microsoft 365 tokens
  • Support provided through secure helpdesk system
  • All support interactions logged and auditable

Security Contact

For security concerns or vulnerability reports:
Email: [email protected]


Appendices

A. Required Network Access

SimpleBusiness365 requires HTTPS (port 443) access to:

  • *.simplebusiness365.com - Application access
  • *.azurefd.net - Azure Front Door CDN
  • graph.microsoft.com - Microsoft Graph API
  • login.microsoftonline.com - Authentication

B. Compliance Documents

Additional documents available upon request:

  • Privacy Policy
  • Data Processing Agreement
  • Terms of Service