security-hero-v4
SECURITY & PRIVACY

Maintaining Your Trust Matters to Us

Thousands of users trust Decisions to manage their meetings because we do not process any personal data outside of an organization's Office 365 tenant.

SAFE
SECURITY

We Take Security Seriously

Because Decisions is built into Office 365, users are protected under their company’s Office 365 tenant and existing security policies.
PRIVACY
PRIVACY

We’re Committed to Protecting Your Privacy

We align our practices with regulations including the General Data Protection Regulation (GDPR) and we don’t have to access to the materials you create and share as part of managing meetings with Decisions.
COMPLIANCE
COMPLIANCE

Certifications and Seals of Approval

Decisions is compliant with GDPR and an implementation project for ISO 27001 certification is in progress. These are in addition to the compliance certifications held by Office 365 and Microsoft Azure.  

Frequently Asked Questions

Take a deep dive into the technical details of our security practices; following are answers to the most common questions we get from IT.

Hosting Provider & Data Location

Who is the hosting provider?
Decisions is hosted on the customer’s Office 365 tenant, and Microsoft Azure services are operated by Decisions.

Where is the hosting location?
The Office 365 location is set by the customer. Decisions’ Azure services are hosted in several regions (US, EU) depending on the type of service. All data storage is hosted in Azure EU data centers but may expand into additional GDPR-compliant regions according to the GDPR adequacy.

What type of infrastructure is used?
Decisions uses the customer’s Office 365 tenant and integrates with that through the Microsoft Graph API. Decisions also provides modern, web-based add-ins through Microsoft AppSource for Teams, Outlook and Word. Decisions’ Azure services are operated by Decisions. These services are built using Azure Platform-as-a-Service offerings, such as Azure Functions, Azure App Services, Azure Storage, Azure Cosmos DB and Azure Front Door.

Do you have the architecture diagrams for all layers?
Yes, please refer to technical architecture and overview published here.

Where is the primary data being stored?
To comply with local jurisdiction, privacy and regulation requirements, the primary data is stored in the customer’s Office 365 tenant. Decisions uses Office 365 and their resources — such as SharePoint, Microsoft Planner and OneNote — for storing customer data. In addition, Decisions stores references to this information in our database to extend Office 365 with objects specific to structured meetings, such as meeting agendas, presenters, decisions, etc.

Where is the backup data being stored?
Backups are stored in Azure EU regions. Please refer to the Decisions Data Storage Overview for more information.

What type of virtualization software is used?
There is no virtualization operated by Decisions. This is managed by Microsoft Azure.

What type of network bandwidth is available?
Office 365 bandwidth is managed by the customer. Bandwidth for the Decisions’ Azure services are scaled automatically according to the demand.

What type of scalability is provided for additional computing power?
Decisions ensures scale across our Azure services according to load. This is done through a combination of automatic scale-out due to load and manual performance reviews. Automatic scale-out triggers within minutes.

Data Access, Security, Segregation & Encryption

Is it a dedicated or a shared environment?
Customers have their own dedicated Office 365 tenant. Decisions’ Microsoft Azure services are shared.

If it is a shared environment, how is the data segregated from other shared environments?
All of Decisions’ Azure services require a signed in user to call the API and the tenant ID is automatically identified from the claims in the authentication token. All communication between customer devices and customer’s Office 365 tenant is direct communication and is not routed through any of Decisions’ Azure services. Also note that no user of Decisions will ever get access to data they do not already have access to in their Office 365 tenant, as these permissions are managed by Office 365.

How is security managed in the shared environment?
The customer is in full control of their Office 365 tenant, and Decisions integrates seamlessly with features such as conditional access and Azure information protection, sensitivity labels, etc. Decisions’ Azure services are deployed with limited access to only a few selected employees, all requiring multi-factor authentication. In addition, we have put in place automated deployment pipelines with manual gates for approving a build for production. We are also in the process of implementing ISO 27001, which will be in place the second half of 2020.

Who has access to the infrastructure, hardware, software, data?
No one in Decisions has access to customers’ Office 365 without the customer explicitly giving access. Only select, credentialed employees have access to Decisions’ Azure infrastructure.

What application & data access audit logs are available?
As Decisions is built on top of Office 365, the same audit logs are available to the customers. As the Decisions Azure infrastructure is a shared environment, those logs are only available to selected Decisions employees for review. These logs contain metadata about application usage to support the Decisions team in optimizing the user experience and the availability of Decisions. The Decisions Azure logs also contain infrastructure data related to performance and configuration changes.

How is the primary data encrypted?
Decisions’ Microsoft Azure services such as Storage and Cosmos DB use the built-in encryption features that are part of the platform.

How is the backup data stored?
For Microsoft Azure storage accounts, Decisions operate our own backups. These are replicated to nearby Microsoft Azure data centers as raw data but encrypted at rest. See Microsoft’s page on Cosmos DB backup functionality.

What type of investigative support is provided in cases of breach?
As all customer data is stored at the customer’s Office 365, all existing investigative support features for breaches apply. That said, the Azure logs provide insights in the unlikely event of breaches of our Azure infrastructure. Additionally, note that the reason Decisions uses Microsoft Azure PaaS is because Microsoft Azure handles all the infrastructure security, enabling Decisions to focus on application security.

What options are available to return the data?
As all customer data is stored in the customer’s Office 365 tenant, there is usually no need to export additional metadata from Decisions. If this is still needed, it can be managed on a case–by-case basis. Data in the Decisions database is deleted within 30 days after end of contract. Backed up data will be removed within 60 days.

Regulatory Compliance

What types of regulations are being followed?
Decisions follows GDPR, and an ISO 27001 implementation project is in progress. Office 365 and Microsoft Azure have several certifications of their own.

NERC & NIST compliance?
NERC & NIST compliance do not apply for Decisions.

How often is this audited?
We will be audited according to our ISO 27001 implementation project.

How is this enforced?
It will be enforced according to our ISO 27001 implementation project.

Will audit reports be available on a regular basis?
These will be made available after the initial ISO 27001 certification.

Hosting Facility Security & Compliance

Is the hosting facility SAS 70 II (Statement of Auditing Standards) compliant?
Please refer to https://azure.microsoft.com/en-us/overview/trusted-cloud/compliance for a full set of Azure’s compliance offerings.

How often is this compliance audited?
Please refer to https://azure.microsoft.com/en-us/overview/trusted-cloud/compliance/ for the relevant compliance audit information.

What are each sides' responsibilities in Decisions' and Azure's shared responsibility model?
Decisions is built on top of Office 365, and Decisions’ services are hosted on Microsoft Azure. Decisions is responsible for the Decisions application, while Microsoft is responsible for Office 365 and the Microsoft Azure services and infrastructure.

Business Continuity & Disaster Recovery

What type of business continuity & disaster recovery options are available?
All customer data, such as files, tasks, meetings, etc., is stored in the customer’s Office 365 tenant. Decisions has no responsibility for the disaster recovery of the customer’s Office 365 tenant. If Decisions goes offline, all data is still available through the standard Office 365 services — but without the Decisions App. See the terms of service for estimated repair times: https://www.meetingdecisions.com/terms-of-service

Where are the disaster recovery datacenters locations located?
Decisions is operated out of Microsoft Azure datacenters. Some of our services are already deployed across multiple datacenter locations. All disaster recovery datacenters involved with data storage are located in Europe. 

What type of infrastructure exists to replicate and synchronize data between the primary and disaster recovery datacenters?
Decisions uses the built-in features in Azure Storage for geo-redundant storage and Cosmos DB for backup and replication to secondary locations. See https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy and https://docs.microsoft.com/en-us/azure/cosmos-db/online-backup-and-restore

If the primary environment is down, how quickly can the disaster recovery environment be made active either in the primary or the disaster recovery datacenter?
We don’t operate a secondary standby environment. The repair times mentioned in terms of service apply: https://www.meetingdecisions.com/terms-of-service

Identity Management, Security & Single Sign-On

What type of identity management solution is provided?
Decisions supports single sign-on with the customer’s Microsoft Azure Active Directory. Decisions maintains no separate system for identity management.

Can Decisions be integrated with an existing Identity Management system?
Yes, Azure Active Directory is required.

What type of user store is available? Can this user store be integrated with Active Directory or any other user store database?
Decisions uses Azure Active Directory for user store; so, yes.

What type of user security, authentication and authorization options are available?
All are controlled through Azure Active Directory, such as multi-factor authentication, conditional access and app permissions.