
Security & IT: Outlook Integration


At, security is a top priority. We want to make sure you're confident when you build out your workflow with us. This article will answer questions about the security and IT implementation of the Outlook Integration.


The basics

Who is the developer for the Outlook Integration?

The developer of the Outlook Integration is


The integration is between and Microsoft. Which environment does the integration run in?

The integration runs on servers. We get webhooks from Microsoft, perform logic on our end, and then make API calls to either fetch data from Microsoft or send emails or perform an action on such as creating an item or adding an update (depending on the integration).



What does use for authentication?

We use the OAuth 2.0 protocol for authentication. Through OAuth 2.0, users can authorize specific scopes that the integration requires. After the user selects specific scopes, there is a handshake between Microsoft and servers to ensure that the transaction is secure.

The authorization results in Microsoft giving us an access token that we can use to make API calls on behalf of the authenticated user. We can only make API calls that are within the scope that the user authorized. Using API calls, can only access information that the user who initiated the authorization is permitted to do or view in the account and that is within the authorized scopes.


Where can I learn more about OAuth 2.0?

You can read more about the standard OAuth 2.0 protocol here.


Does have access to my Outlook password?

At no point does have access to the authorizing user's password for Outlook. This information is never shared with us.



Why does require full read and write access permissions?

We understand why you would be concerned about giving any third-party app access to your entire account. That's why we want to provide some insight into why we request full read access permission.

Both read and write permissions are needed for the integration to function.

We ask for read and write permissions for emails. In order to allow outgoing emails, we need to have the ability to send emails. This requires write permissions. In order to receive emails, we need read permissions to pull the information into and display it for you.


How exactly does the integration work with these permissions?

When a user creates an incoming integration, we subscribe to get notified by Outlook of any emails that this user receives. Then, when an email is received, Outlook notifies us and provides us with the message ID but not with the message itself.

In order to proceed with the integration, the first thing we do is use the ID provided by Microsoft to fetch the message via the API. We only fetch messages from relevant inboxes, meaning we do not fetch those that are in inboxes like your Spam, Deleted, or Sent folders. Once we have the message, we proceed to run the integration and check the conditions you chose when setting up the integration. Based on those conditions, we either create an item or an update from the email. 


What is the extent of the access given to with full read and write permissions? Is every email in the inbox read by

Given permission, can only read messages within the inbox of the user who authorized the integration, and will only do so in one of two situations:

  1. The first situation is when the connection is first made. At that time, will fetch the last email received in your Outlook inbox to make sure the connection was made to a valid inbox. The intent is to check whether or not can successfully fetch an email. Nothing is done with the email and the email is not saved anywhere.
  2. The second situation is described in the answer to the previous question in this section. When a user sets up an integration for incoming emails and authorizes access, fetches emails from Microsoft when Microsoft sends a notification.


The integration is between and Microsoft. Is data accessed by any third parties?

No third party has access to data through this integration.


What security protocols are in place?

The OAuth 2.0 protocol ensures that we have a secure way to authorize and obtain an access token for the user who set up and authorized the integration. Microsoft also requires to send a secret random string. This is extra assurance for both Microsoft and that the requests that are made are from a trusted host. The token is saved in our secrets manager in AWS and is not accessible in any other way.
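
The notification flow described under "How exactly does the integration work with these permissions?" and the secret-string check above can be sketched as follows. This is an added example, not code from the integration itself; it assumes the secret random string is carried as the clientState field of a Microsoft Graph change notification, and fetch_message and excluded_folder_ids are hypothetical stand-ins for the authenticated Graph call and for the folder IDs of Spam, Deleted, and Sent.

```python
import hmac
import json

def accepted_message_ids(body, expected_state):
    """Return message IDs from 'created' notifications whose clientState matches."""
    try:
        notes = json.loads(body).get("value", [])
    except (ValueError, AttributeError):
        return []  # not JSON, or not a JSON object
    if not isinstance(notes, list):
        return []
    ids = []
    for note in notes:
        if not isinstance(note, dict):
            continue
        state = note.get("clientState")
        # Constant-time comparison, so timing does not leak how much of the secret matched.
        if not isinstance(state, str) or not hmac.compare_digest(
                state.encode(), expected_state.encode()):
            continue
        data = note.get("resourceData")
        if note.get("changeType") == "created" and isinstance(data, dict):
            if isinstance(data.get("id"), str):
                ids.append(data["id"])  # the notification carries only the ID
    return ids

def process(body, expected_state, fetch_message, excluded_folder_ids):
    """Fetch each accepted message by ID and skip messages in excluded folders."""
    subjects = []
    for msg_id in accepted_message_ids(body, expected_state):
        message = fetch_message(msg_id)  # hypothetical stand-in for the Graph API call
        if message.get("parentFolderId") not in excluded_folder_ids:
            subjects.append(message["subject"])
    return subjects

# Constructed sample data (not real IDs, folders, or secrets).
SECRET = "constructed-secret-1234"
MAILBOX = {
    "msg-1": {"subject": "New lead", "parentFolderId": "folder-inbox"},
    "msg-2": {"subject": "Win a prize", "parentFolderId": "folder-junk"},
}
BODY = json.dumps({"value": [
    {"changeType": "created", "clientState": SECRET, "resourceData": {"id": "msg-1"}},
    {"changeType": "created", "clientState": SECRET, "resourceData": {"id": "msg-2"}},
    {"changeType": "created", "clientState": "wrong", "resourceData": {"id": "msg-1"}},
]})

if __name__ == "__main__":
    print(process(BODY, SECRET, MAILBOX.__getitem__, {"folder-junk"}))
```

A notification with a missing or mismatched secret is dropped before any message is fetched, so a forged webhook call never triggers an API request on the user's behalf.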


How can I set permissions limiting who has the ability to create an integration?

To set permissions limiting who can create integrations, visit our "How to set up account permissions" article.


Data storage

How does the integration operate in terms of the transfer of data to and from and Outlook?

The integration communicates solely through the API; makes API calls to Microsoft Graph and receives notifications from Microsoft via our API.


How does the data storage work?

We store the access token in a secrets management tool called Vault. The authentication data (access token) that the tool stores is encrypted. The access token can only be accessed by requests for this specific user made from within our server.


Do "backups" exist?

No, we do not have a separate backup database for the vault authentication data.


How long does O365 related data persist inside

There are various types of data related to the O365 application that persist:

  • One-time check to ensure the connection is valid. This is a check done upon the creation of the connection (authentication) just to make sure that the Outlook email is valid. One message is fetched at random from the API to test whether we receive a valid response or an error. This message is not read or saved anywhere.
  • Auth data (access token, refresh token, display name). This is the data used to access the API on behalf of the user. We get this data from Microsoft after completing the OAuth 2.0 protocol if the user indeed authorized to access the API on their behalf. This data is stored in Vault, a secrets manager tool, and persists there unless the user requests to delete it. The authentication data expires after a short time and must be constantly refreshed to ensure the data and access are still valid. In addition, the user can always revoke the connection in their Microsoft account. See the last section of this article for more details on revoking the connection. When the connection is revoked, the authentication data that is saved with will no longer work as it will no longer be valid for accessing the API on behalf of the user. This invalidation happens as a precaution by Microsoft in various other cases, such as password change, force logout, added MFA, etc.
  • Any integration-related data. Any data that is involved in the integration, such as an email body or subject that the individual using the integration chooses to use when activating an integration recipe, is saved as data in their board in whatever way they choose to add it and will be saved in the databases for the corresponding board elements (i.e. item name, updates section, etc.) with until the information is deleted.


Revoking access

How do I revoke's access to my Outlook account?

If at any point you want to revoke's access to Outlook, you can do so. To revoke access, go to Outlook and review the third-party apps that have been granted access to your account. If you revoke's access, the token has saved will no longer work. From that point forward, will not be able to make API calls on your behalf. If tries to make a request after you revoke access, the request will fail because will no longer have a valid token.




