ShareSimple Technical Whitepaper
ShareSimple helps you comply with regulations such as the General Data Protection Regulation (GDPR) that make you responsible for protecting the sensitive data you share and receive by email. It is a simple way to share sensitive data by email with end-to-end encryption, consent management, one-time passwords, and a full audit log.
2. What does ShareSimple provide?
ShareSimple is an Outlook Add-in (formerly known as Connectid Mail) that makes it easy to share and request confidential data securely with anyone. It lets you share files without using regular email attachments, avoiding the security risks of sharing data that way. ShareSimple provides the security features and compliance options you need, right in Outlook, and lets you send large files (up to 100 MB) securely, unlike email attachments, which are limited to much smaller sizes.
ShareSimple incorporates state-of-the-art security and encryption policies to protect your data, and it automatically obtains the required consent before sharing or receiving customer data.
3. ShareSimple architecture
3.1. ShareSimple Add-in
Users of ShareSimple get separate Azure Blob Storage located in the West Europe region of Microsoft Azure, fully secured and managed by Microsoft.
3.2. Accessing the Add-in
Users can access the add-in with a valid Office 365 account or another Microsoft account (outlook.com, live.com, hotmail.com). Authorization follows the Microsoft OAuth2 process before any feature of the Add-in can be used.
3.3. The Backend API and Portal
The backend API and admin portal are hosted in Azure Cloud. Blob Storage is used to store files for a temporary period. Azure SQL is used to store related information.
4. How ShareSimple works
4.1. Install ShareSimple
ShareSimple is available as an add-in for Outlook and can be found in the Microsoft AppSource store. For installation details, please refer to our Installation Guide.
4.2. Start ShareSimple
ShareSimple is activated by starting a new message, or opening an existing one, and clicking the ShareSimple icon.
4.3. Share data with ShareSimple
When a ShareSimple user wants to share data, they click the “Share Data” button, then drag and drop or browse for files to add them to the secure folder.
Once a ShareSimple user has added data to share, they have two options:
- Allow the receiver access to view the data only.
- Allow the receiver (external user) to download the data.
Allowing downloads will trigger a consent form to open, prompting the receiver (external user) to give consent to become a data owner and to acknowledge that they understand the responsibility attached to that.
- The receiver (external user) will be prompted for an OTP before opening the link, to ensure it is ONLY the intended receiver opening the data.
- For additional security, you can also enable multi-factor authentication by sending the OTP to the receiver’s mobile phone.
- The receiver (external user) can ask for permission to download the shared data in View-Only mode. This will trigger a request flow.
- All actions will be logged.
- Data shared with a receiver (external user) will be stored for a customizable retention period (7 days by default).
- You can view the file inside the viewer (max 30 MB). A larger file may not be possible to view directly.
Share data workflow:
4.4. Request Data with ShareSimple
When the ShareSimple user wants to Request data from an external user, they press the “Request Data” button:
They will be prompted to:
- Name the data that needs to be requested
- Choose the format of the data to be requested.
  - Input box: short text format, e.g., for social security numbers, account numbers, passport numbers, or similar.
  - Text area: long text format, e.g., for sensitive information about health or similar. The allowed size is the same as for the short text format, but line breaks are permitted.
  - Upload file: file format request, e.g., for a passport image, board member information, or similar.
- The receiver (external user) will be prompted for an OTP before opening the link, to ensure it is ONLY the intended receiver entering the data.
- All actions will be logged.
- Data shared by the receiver (external user) will only be stored for a maximum of 32 days (or less, depending on the company policy set by the ShareSimple admin).
- All data requests will prompt a consent form for the receiver when they provide the data requested, stating that data is given freely and can be used according to the company’s policies.
In both cases (Share Data and Request Data), the receiver gets a secure link to download (or upload) the shared (or requested) data. The transfer follows the encryption policy (Transport Layer Security, TLS 1.2), and the OTP process protects access to the link.
Request data workflow:
5. TrustedLink (optional feature)
TrustedLink is a private, encrypted folder where customers, colleagues, and others can securely upload confidential documents and personally sensitive data. When added to ShareSimple, it creates a fixed, secure upload point for any personal data shared with or within a company. Like all data shared with ShareSimple, TrustedLink obtains consent before data is uploaded.
5.1. Adding TrustedLink to ShareSimple
TrustedLinks are easy to add to a website or to an email signature.
- Admin creates a shareable link to a folder used for collecting and sharing files.
- Admin can share the folder with other members of the organization.
- The TrustedLink feature is an added functionality and an additional charge will be applied. The charge is billed on a monthly basis.
Regulations require you to obtain consent for and keep track of data shared with you. TrustedLink obtains consent automatically, keeps company members informed when data is shared, will only retain data for a max of 32 days and logs all actions to demonstrate compliance.
- TrustedLink obtains consent automatically.
- Each company member of a TrustedLink folder gets a notification when a file is uploaded to that folder.
- The files in the folder will be available for a max of 32 days.
- All actions are logged in case of an audit.
5.3. TrustedLink Security
Data uploaded to TrustedLink is kept secure. Users are authenticated with an OTP. Data is encrypted with TLS 1.2 in transit and stored in a private Azure blob with RSA 2048 encryption at rest.
TrustedLink workflow:
7. Security and Privacy
ShareSimple follows a secure-by-design approach for network, data, and management. Data inside the application is kept private, and only authorized persons from the organization can view it.
Access to any data is protected by Microsoft Office 365 Access Control Service.
Security is maintained at every level of a data transaction.
7.1. Data encrypted in transit
ShareSimple encrypts data in transit with certificate-based (asymmetric) encryption on both the transport layer (HTTPS) and the database connection, using different certificates for each. This is combined with an OTP that the user is prompted for. Encryption in transit is mandatory for all ShareSimple traffic, which requires authentication and is not publicly accessible. The ShareSimple web portal is encrypted with TLS 1.2 (Transport Layer Security).
7.2. Data encryption at rest
ShareSimple uses an ‘always encrypt’ protocol for the data. It provides granular encryption of all data with centralized key management from an Azure Key Vault. ShareSimple's encryption algorithms operate on block lengths of 2048 bits. All customer data is kept in private Azure blob storage.
7.3. Encryption key
The Encryption Key (single key) is managed by Azure Key Vault and maintains the highest level of Encryption Key supported by Azure, with an RSA 2048 key size.
8. Virus Scanning
Files for ShareSimple are stored in Azure Blob Storage, which is protected by the security and threat protection system offered by Microsoft. As an additional layer, every file is scanned before it is sent to Blob Storage. ShareSimple uses a ClamAV server internally, with the standard ClamAV virus definitions, to identify infected files. When a user uploads a file, it is scanned by the virus scanner before being saved to Blob Storage. If a virus is detected, the file is not added to Blob Storage and the user is notified. Users can upload files of up to 100 MB using the ShareSimple Outlook add-in or through TrustedLink.
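The upload gate described above, written out as an added example (not ShareSimple's own code): the size cap is checked first, the bytes are streamed to a ClamAV daemon with its INSTREAM command, and only a clean file reaches the store callback. The clamd socket path and the `store`/`notify` callbacks are assumptions; the verdict parsing follows clamd's documented reply format.

```python
import socket
import struct
from typing import Callable, Optional

MAX_UPLOAD_BYTES = 100 * 1024 * 1024  # 100 MB limit stated in section 8
# Assumed clamd Unix-socket path; the whitepaper gives no deployment details.
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"


def parse_clamd_reply(text: str) -> Optional[str]:
    """clamd answers 'stream: OK' or 'stream: <Signature> FOUND'; return the
    signature name for a hit and None for a clean file."""
    text = text.strip()
    if text.endswith(" FOUND"):
        return text.split(":", 1)[1][: -len(" FOUND")].strip()
    if text.endswith("OK"):
        return None
    raise RuntimeError(f"unexpected clamd reply: {text!r}")


def clamd_instream_scan(data: bytes, sock_path: str = CLAMD_SOCKET) -> Optional[str]:
    """Stream the bytes to clamd with INSTREAM, so no temp file is written."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(b"zINSTREAM\0")
        for i in range(0, len(data), 65536):
            chunk = data[i:i + 65536]
            s.sendall(struct.pack(">I", len(chunk)) + chunk)  # length-prefixed chunks
        s.sendall(struct.pack(">I", 0))  # zero-length chunk terminates the stream
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_clamd_reply(reply.rstrip(b"\0").decode(errors="replace"))


def gate_upload(name: str, data: bytes,
                scanner: Callable[[bytes], Optional[str]] = clamd_instream_scan,
                store: Callable[[str, bytes], None] = lambda n, d: None,
                notify: Callable[[str], None] = print) -> str:
    """Section-8 rules: enforce the size cap, scan, then hand off to blob storage."""
    if len(data) > MAX_UPLOAD_BYTES:
        notify(f"{name}: rejected, larger than 100 MB")
        return "too_large"
    signature = scanner(data)
    if signature is not None:
        notify(f"{name}: rejected, virus detected ({signature})")  # never reaches blob
        return f"infected:{signature}"
    store(name, data)
    return "stored"
```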
9. ShareSimple Azure B2C Integration
As part of continuous improvement, from version 220.127.116.11 ShareSimple integrated the Azure B2C platform to make it more robust and user friendly, and to make it available to a larger group of users.
A single user can use it for personal use as well as as part of a company. It now shows which companies the user belongs to and what their role is in each.
An invitation process has been introduced so that adding members is easier than before; a new member is added to a company only after the user confirms.
Users get a better login experience and can choose which company to operate in. The previous restriction that members could not join other companies is waived, and a company cannot invite consultants or contractual employees to its space to make them part of the same system.
ShareSimple is a scalable application built on the features of Microsoft Azure; its capacity can be increased as resource requirements grow.
- Storage region: the current data centre is in Amsterdam, Netherlands (West Europe region).
- Scale units: the application can be scaled up on demand when necessary.
11. Delivery and continuous updates
At Safe Online, we are dedicated to continuously improving ShareSimple with new and improved functionality.
We constantly monitor developments in privacy regulations, e.g., GDPR and related regulations in countries both inside and outside the EU, to ensure the product remains compatible with local policies.
The ShareSimple team keeps an eye on these policies and regulations and makes sure the application stays compatible with them as they are updated.
Changes and feature updates are first deployed to a staging environment and verified by a closed group of users and testers. Only after internal testing and the tester group have approved them are changes and feature updates published to production. Customers are also notified of upcoming updates.
12. Compatible Mail solutions
ShareSimple is an add-in for Microsoft Outlook. Before installation, please make sure you are installing the add-in into one of the following Microsoft products:
- Outlook 2013 or later for Windows
- Outlook 2016 or later for Mac
- Outlook on the web for Office 365
ShareSimple is purchased as an online Outlook Add-in that is compatible with both Outlook on the web (OWA) and desktop clients. Running it from the web requires one of the following browsers:
- Internet Explorer 11, Edge
- Latest versions of Safari
- Latest version of Chrome
- Latest version of Firefox
- Outlook 2013 or later for Windows
- Outlook 2016 or later for Mac
13. ShareSimple Security
13.1. Data Retention policy
Data shared with customers is kept for only seven days. All requested customer data is kept in the private Azure blob for a maximum of 32 days; however, the company can reduce the number of days data is kept.
After the data retention period, data is automatically deleted.
Figure 2: Delete logs of the number of files deleted for each operation
A Company Admin of ShareSimple can view the audit log from the administration page to identify which files have been deleted and which are still available, with their creation and deletion dates.
14. Privacy by design
When you entrust your data and the data of your requesters to ShareSimple you and your requesters remain the sole owner of this data: you retain the rights, title, and interest in the data you store in ShareSimple. The data you store in ShareSimple is “your data and the data of your users.”
With this principle in mind, we protect your privacy and operate our online services according to these key principles:
- We use your data only to provide you with the online services you have paid for, including purposes compatible with providing those services.
- We do not mine your personal data for any purpose.
- We tell you where your data resides, and only you have access to it.
- Access to your data is limited to only those you give access to and share with.
In addition, we provide privacy controls that let you configure exactly who has access to what within your organization. Strict controls and design elements prevent your data from mingling with that of other organizations using ShareSimple, and prevent ShareSimple datacentre staff from accessing your data.
15. Privacy by default
Beyond service-level capabilities, ShareSimple lets you collaborate and share data without compromising security and privacy, with fine-grained control over information sharing.
- Data will be encrypted with an RSA 2048-bit encryption key and only accessible to your company.
- Rights Management in ShareSimple—allows administrators to specify access permissions on data storage for organizational data.
- Privacy controls for One-Time Passwords — ShareSimple's verification functionality has a number of privacy controls, which the system admin can adjust on the setup page.
Privacy controls for new system users are always set to the highest privacy setting by default. For security reasons, this setting can only be edited by the system admin. One example is that a system user by default only has access to their own folder; shared folder access can only be granted by the administrator. Another is that a system user cannot see a requester's data in the email body, only in the folder where the sensitive data resides.
16. Auditing and retention policies
With ShareSimple auditing policies, all events involving your users are logged automatically, including saving, deleting, and editing data. The audit log is enabled as part of an information management policy, and administrators can view the audit data. The system administrator can use these reports for internal or external audits.
For business, legal, or regulatory reasons, ShareSimple retains the sender and receiver e-mail addresses related to requests:
- Automatic retention policy for requests and sent Items.
The retention period for collected data is 32 days by default, but it can be lowered by the company admin. For sent items it is 7 days. After this, only the logs remain.
Please find more help in our videos.
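The retention rules of sections 13.1 and 16 as an added example (not ShareSimple's own code): the 7-day limit for shared items and the 32-day limit for requested data are ceilings a company admin can lower but never raise, and each expiry is written to an audit record with the file's creation and deletion dates, as in the delete log of Figure 2. The `StoredFile` record and the audit-entry fields are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Maximum retention per data kind, from sections 4.3, 4.4 and 13.1.
MAX_RETENTION_DAYS = {"shared": 7, "requested": 32}


def effective_retention_days(kind: str, company_policy_days: Optional[int] = None) -> int:
    """A company admin may shorten the retention period but never extend it."""
    limit = MAX_RETENTION_DAYS[kind]  # KeyError for an unknown kind is deliberate
    if company_policy_days is None:
        return limit
    if company_policy_days < 1:
        raise ValueError("retention must be at least one day")
    return min(company_policy_days, limit)


@dataclass
class StoredFile:
    file_id: str
    kind: str              # "shared" (sent by the user) or "requested" (received)
    created_at: datetime
    deleted_at: Optional[datetime] = None


def retention_sweep(files: List[StoredFile], now: datetime,
                    company_policy: Optional[Dict[str, int]] = None,
                    audit_log: Optional[List[dict]] = None) -> int:
    """Delete every file past its retention period and record each deletion
    (file id, creation and deletion date) for the admin audit log. Returns the
    number of files deleted in this run, like the per-operation delete log."""
    policy = company_policy or {}
    deleted = 0
    for f in files:
        if f.deleted_at is not None:
            continue  # already removed by an earlier sweep
        days = effective_retention_days(f.kind, policy.get(f.kind))
        if now >= f.created_at + timedelta(days=days):
            f.deleted_at = now
            deleted += 1
            if audit_log is not None:
                audit_log.append({"file_id": f.file_id, "kind": f.kind,
                                  "created": f.created_at.isoformat(),
                                  "deleted": now.isoformat(),
                                  "retention_days": days})
    return deleted
```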