Connectid Mail Technical Whitepaper
A Secure Mail solution.
Connectid Mail helps you comply with the new requirements under the General Data Protection Regulation (GDPR) to encrypt sensitive data when it is shared over email. Connectid Mail provides you with a simple way to share sensitive data over email with end-to-end encryption, consent management, One Time Passwords, and a full audit log.
What does Connectid Mail provide?
Connectid Mail is an Outlook Add-in for sharing confidential data with, and requesting it from, your connections in a secure manner. It avoids mail attachments, which are not a secure way of sharing data, while you still perform all operations from within Outlook. It also gives you options for sending large files (up to 100 MB) to overcome the size limitation of mail attachments.
It follows a state-of-the-art security and encryption policy to manage your data and obtains proper consent before customer data is shared or received.
Connectid Mail architecture
Connectid Mail Plugin
Users of Connectid Mail will have separate Azure blob storage placed in the Western European Region of Microsoft Azure, completely secure and managed by Microsoft.
Accessing the Add-in:
Users will be able to access the application with a valid Office 365 account. The authorization follows the Microsoft OAuth2 process to access any features of the Add-in.
The Backend API and Portal:
The backend API and admin portal are hosted in Azure Cloud. Blob Storage is used to keep the files for a temporary period. Azure SQL is used to keep related information.
A high-level diagram is shown below.
How Connectid Mail works
Please refer to the Installation Guide for detailed installation steps.
Start Connectid Mail
The illustration is based on the web version of Connectid Mail.
Connectid Mail is activated by starting a new mail and pressing the Connectid Mail icon.
Share Data through Connectid Mail
When the Connectid Mail user wants to share data, they press the “Share Data” button. This choice is followed by two options:
- Allow the receiver to view data only, or
- Allow the receiver (external user) to download data. This choice triggers a consent request in which the receiver (external user) acknowledges that they become data owner and understand the responsibility.
The following applies to shared data:
- The receiver (external user) will be prompted for an OTP before opening the link, to ensure it is ONLY the intended receiver opening the data.
- For additional security, you can also enable multi-factor authentication by sending the OTP to the receiver’s mobile phone.
- In View-Only mode, the receiver (external user) can ask for permission to download the shared data. This will trigger a request flow.
- All actions will be logged.
- Data shared with a receiver (external user) will only be stored (and available) for 7 days.
- Files of up to 30 MB can be viewed inside the viewer. Larger files may not be viewable directly.
Request Data through Connectid Mail
When the Connectid Mail user wants to request data from an external user, they press the “Request Data” button. This choice is followed by one option (all data requests prompt the receiver with a consent form when providing data, stating that the data is given freely and can be used according to the company’s policies):
- Name the data that needs to be requested
- Choose the format of data to be requested. Options are:
  - Short txt format (e.g. social security number, account number, passport number)
  - Long txt format (e.g. sensitive information about health or other): the field size is the same as in the short txt format, but line feeds are allowed
  - File format request (e.g. passport image, board member info, other)
- The receiver (external user) will be prompted for an OTP before opening the link, to ensure it is ONLY the intended receiver entering the data.
- All actions will be logged.
- Data shared by the receiver (external user) will only be stored for a maximum of 32 days (or less, depending on the company policy set in the Connectid Mail admin).
In both cases (Share data and Request data), the receiver gets a secure link to download the shared data or upload the requested data. The data transfer follows the encryption policy (Transport Layer Security, TLS 1.2) as well as the OTP process to access the link.
Connectid Mail Cloud Infrastructure
Connectid Mail is a cloud-hosted SaaS application that is accessible from the Outlook mail client. The underlying services are hosted on the Microsoft Azure Platform. Files are stored in Blob Storage, encrypted using an RSA 2048 security key.
Connectid Mail is fully maintained and managed by Azure Cloud, which has 90+ compliance certifications, including 50 specific to certain global regions and countries, such as the US, the European Union, Germany, Japan, the United Kingdom, India, and China. The certifications include the CIS Benchmark, ISO 27001, 20000, 22301, 27017, 27018, C5, GDPR, FSA, and more.
Security and Privacy
Connectid Mail takes a secure-by-design approach to network, data, and management. Data inside the application is kept private, and only authorized persons from the organization can view the data.
Access to any data is protected by Microsoft Office 365 Access Control Service.
Security is maintained at different levels of data transactions.
Data encrypted in transit
Connectid Mail encrypts data in transit with asymmetric certificate encryption on both the transport layer (HTTPS) and the database connection (different certificates). This is combined with an OTP for which the user is prompted. Connectid Mail traffic must be encrypted in transit, requires authentication, and is not publicly accessible. The Connectid Mail website portal is encrypted with TLS 1.2 (Transport Layer Security).
Data encryption at rest
Connectid Mail uses ‘always encrypt protocol’ for the data. Connectid Mail provides granular encryption of all data and centralized key management from an Azure key vault. Connectid Mail encryption algorithms operate on block lengths of 2048 bits. All customers’ data are kept in Azure private blob storage.
The Encryption Key (single key) is managed by Azure Key Vault and maintains the highest level of Encryption Key supported by Azure, with an RSA 2048 key size.
Connectid Mail is a scalable application using the features and functionalities of Microsoft Azure. It can increase its capacity based on resource requirements.
Regions for storage: The current datacentre is in Amsterdam, Netherlands, West Europe Region.
Scale Units: The application can be scaled up on demand when necessary.
Delivery and continuous updates
At Safe Online, we are dedicated to continuously improving Connectid Mail with new and improved functionality.
We are constantly monitoring developments in regulations relevant to privacy, e.g. GDPR and related regulations in countries both inside and outside the EU, to ensure the product is compatible with local policies.
The Connectid Mail team always keeps an eye on those policies and regulations and makes sure the application is compatible with them and with their updates.
Changes and feature updates are deployed first in a staging environment and verified by a closed group of users and testers. Only when internal testing and the group of testers have approved the changes and feature updates are they published to the production version. Customers are also notified of the upcoming updates.
Compatible Mail solutions
Connectid Mail is an add-in to Microsoft Outlook. Before installation please make sure you are installing the add-in to one of the following Microsoft products:
- Outlook 2013 or later for Windows
- Outlook 2016 or later for Mac
- Outlook on the web for Office 365
Connectid Mail is purchased as an online Outlook Add-in that is compatible with both Outlook OWA and desktop clients. It requires one of the following browser versions to run from the web:
- Internet Explorer 11, Edge
- Latest versions of Safari
- Latest version of Chrome
- Latest version of Firefox.
Connectid Mail Security
Data Retention policy
The data shared with customers is kept only for seven days. All requested customer data is kept in Azure private blob storage for a maximum of 32 days; however, the company can reduce the number of days data is kept as necessary.
After 32 days data are automatically deleted. The following figure shows the running cycles of the delete operation of customer data.
Figure 1: Configured scheduler for deleting data at rest
Figure 2: Delete logs of the number of files deleted for each operation
A Company Admin of Connectid Mail can view the audit log from the administration page to identify which files have been deleted and which files are available, with their creation and deletion dates.
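The retention rules above expressed as a sweep over stored files, as an added example that is not Connectid Mail's own code. The record fields, function names, sample files and the one-day lower bound on the company setting are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SHARE_DAYS = 7         # shared items: fixed at seven days in the whitepaper
REQUEST_MAX_DAYS = 32  # requested data: default and upper bound

@dataclass
class StoredFile:      # hypothetical record shape
    name: str
    kind: str          # "share" or "request"
    created: datetime  # timezone-aware, UTC

def retention_days(kind, company_request_days=REQUEST_MAX_DAYS):
    """Number of days a file of this kind may remain in storage."""
    if kind == "share":
        return SHARE_DAYS
    if kind == "request":
        # The company admin may lower the period but never raise it past 32.
        # The lower bound of one day is an assumption of this example.
        return max(1, min(company_request_days, REQUEST_MAX_DAYS))
    raise ValueError(f"unknown kind: {kind!r}")

def sweep(files, now, company_request_days=REQUEST_MAX_DAYS):
    """Split files into those kept and audit entries for those deleted."""
    kept, audit = [], []
    for f in files:
        days = retention_days(f.kind, company_request_days)
        if now >= f.created + timedelta(days=days):
            # The audit entry outlives the file: only the log remains.
            audit.append({"file": f.name, "kind": f.kind,
                          "created": f.created.isoformat(),
                          "deleted": now.isoformat()})
        else:
            kept.append(f)
    return kept, audit

# Constructed sample data, not taken from any real deployment.
NOW = datetime(2024, 3, 1, 2, 0, tzinfo=timezone.utc)
SAMPLE = [
    StoredFile("contract.pdf", "share", NOW - timedelta(days=8)),
    StoredFile("invoice.pdf", "share", NOW - timedelta(days=6)),
    StoredFile("passport.jpg", "request", NOW - timedelta(days=20)),
    StoredFile("health-form.txt", "request", NOW - timedelta(days=33)),
]

if __name__ == "__main__":
    kept, audit = sweep(SAMPLE, NOW, company_request_days=14)
    print("kept:", [f.name for f in kept])
    print("deleted:", [(a["file"], a["created"], a["deleted"]) for a in audit])
```

Passing a company setting above 32 has no effect on the result, which is the property to check when reviewing any retention configuration of this kind.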
Privacy by design
When you entrust your data and the data of your requesters to Connectid Mail you and your requesters remain the sole owner of this data: you retain the rights, title, and interest in the data you store in Connectid Mail. The data you store in Connectid Mail is “your data and the data of your users.”
It is with this clarity of principle that we ensure that we maintain your privacy and operate our online services with certain key principles:
- We use your data only to provide you with the online services you have paid for, including purposes compatible with providing those services.
- We do not mine your personal data for any purpose.
- If you ever choose to leave the service, you can take your data with you with full fidelity.
- We tell you where your data resides; only you have access.
- Access to your data is strictly limited.
In addition, we have privacy controls that allow you to configure exactly who has access to what within your organization. Strict controls and design elements prevent mingling of your data with that of other organizations using Connectid Mail and prevent Connectid Mail datacentre staff from having access to your data.
Privacy by default
In addition to service-level capabilities, Connectid Mail enables you to collaborate through the use of transparent policies and strong tools while providing the distinct ability to control information sharing.
- Data will be encrypted with an RSA 2048-bit encryption key and only accessible to your company.
- Rights Management in Connectid Mail—Allows administrators to specify access permissions to requests, ongoing work, and audit logs. This helps you prevent sensitive information from being printed, forwarded, or copied by unauthorized people by applying intelligent policies.
- Privacy controls for One Time Passwords — Connectid Mail provides verification functionality that has a number of privacy controls. This can be adjusted by the system admin on the setup page.
Privacy controls for new system users are always set to the highest privacy setting by default. This setting can only be edited by the system admin for security purposes. One example is that a system user by default only has access to their own folder. Shared folder access can only be given by the administrator. Another is that a system user cannot see the data of a requester in the email body, only in the folder option where the sensitive data resides.
Auditing and retention policies
With Connectid Mail auditing policies, all events performed by your users are logged automatically, including saving, deleting, and editing data. The audit log is enabled as part of an information management policy, and administrators can view the audit data. The system administrator can use these reports for internal or external audits.
For business, legal, or regulatory reasons, Connectid Mail retains the e-mail sender and receiver related to the requests:
Automatic retention policy for requests and sent items.
The retention period for data collected is 32 days by default, but it can be lowered by the company admin. For sent items it is 7 days. After this, only the logs will remain.