Security Overview
Introduction
Keeping MeetingFull customer data safe and secure is a major responsibility and our top priority at MeetingFull. How secure do we need to be? We use MeetingFull internally, which tells you that we protect your data with the same vigilance with which we protect our own.
There’s no better guarantee than that!
Fundamentals
We’ve made two fundamental decisions regarding data security:
- Everything in MeetingFull is hosted on Amazon Web Services (AWS). We have no exceptions to that rule, so there is no data sitting on some server outside the incredible AWS security infrastructure. We leverage CloudWatch on the AWS platform for deep logging and detailed information about system access and usage. For that reason, we do not focus on providing our own SOC reports and instead depend on the world-class, highest-standard security protocols implemented by AWS. AWS data centers are certified as ISO 27001, PCI/DSS Service Provider Level 1, and/or SOC II compliant.
- We know that password security is a huge topic and something your organization would want to make sure has no backdoors. In order to give you complete confidence in how we manage access, we store no user passwords in the MeetingFull system. All authentication is done using OAuth2 protocols, leveraging Google or Outlook password security, already in use by your company. Your MFA requirements will be reinforced when logging in with OAuth2 protocols. MeetingFull is given a token once the OAuth2 authentication validates that the user entered correct credentials. This allows all passwords to be fully managed by you and comply with your security rules.
Below, we have outlined each of the permissions that MeetingFull requests and explained why they are necessary:
- Calendars.Read: This permission allows MeetingFull to read your Outlook calendar events so that they can be displayed in MeetingFull. (Application)
- Calendars.Read.Shared: This permission allows MeetingFull to read shared calendars that you have access to, so that you can see events from those calendars in MeetingFull. (Delegated)
- Calendars.ReadWrite: This permission allows MeetingFull to create, update, and delete calendar events in your Outlook calendar from MeetingFull. (Delegated)
- Calendars.ReadWrite.Shared: This permission allows MeetingFull to create, update, and delete calendar events in shared calendars that you have access to from MeetingFull (required for Delegates and other shared calendar configurations). (Delegated)
- Contacts.Read: This permission allows MeetingFull to read your Outlook contacts so that they can be displayed in MeetingFull. (Delegated and Application)
- Group.Read.All: This permission allows MeetingFull to read data about groups in your AAD so that we can determine if you have access to shared calendars and contacts. (Delegated and Application)
- GroupMember.Read.All: This permission allows MeetingFull to read data about group members in your AAD so that we can determine if you have access to shared calendars and contacts. (Delegated and Application)
- MailboxSettings.Read: This permission allows MeetingFull to read your mailbox settings in Outlook so that we can integrate your Working Hours. (Delegated and Application)
- OrgContact.Read.All: This permission allows MeetingFull to read data about organizational contacts in your AAD so that you can use them to schedule meetings. (Application)
- Tasks.ReadWrite: This permission allows MeetingFull to create, update, and delete tasks in your Outlook tasks from MeetingFull. (Delegated)
- User.Read: This permission allows MeetingFull to read your basic profile information (such as your name and email address) from your Microsoft account so that we can create your MeetingFull account and identify you in our system. (Delegated)
- User.Read.All: This permission allows MeetingFull to read the full profile information of all users in your organization so that we can identify other MeetingFull users in your organization and facilitate scheduling meetings with them. (Application)
We only ask for these permissions to enable the functionality of MeetingFull. We do not use your data for any other purpose, and we take all necessary measures to protect your data and ensure its privacy.
Google Calendar Scopes:
- View and edit events on all your calendars: This scope allows you to read, create, update, and delete events in MeetingFull and have the events sync to your Google calendar. Any update in your Google calendar will reflect in MeetingFull as well.
- View your Calendar settings: This scope allows MeetingFull to view your calendar settings, such as your time zone and working hours, so that your settings are not lost when logging into MeetingFull.
- See, edit, share, and permanently delete all the calendars you can access using Google Calendar: This scope allows MeetingFull to read, create, update, and delete events on any calendar that you have access to, including shared calendars. This ensures that you can manage all of your calendars in one place and stay on top of your schedule.
Google Contacts Scopes:
- See and download your contacts: MeetingFull requires permission to read user contacts so that we can display contact information for meeting attendees and access your contacts to add them as attendees, assign action items, and add your shared calendars.
- See and download contact info automatically saved in your “Other contacts”: This scope allows MeetingFull to read the contacts that are automatically added to your account based on your interactions with Google services, so that you can easily access these contacts as well.
Google Services Scopes:
- View and manage the provisioning of groups on your domain: This scope allows MeetingFull to manage groups on your Google Workspace domain, if applicable, so that you can easily collaborate with others in your organization.
- Basic account info: This scope allows MeetingFull to read basic information about your account, such as your name and email address, so that we can personalize your experience in MeetingFull.
- See your personal info, including any personal info you’ve made publicly available: This scope allows MeetingFull to read your public profile information, such as your profile picture and bio, so that we can personalize your experience in MeetingFull.
- See your primary Google Account email address: This scope allows MeetingFull to read your primary email address, so that we can personalize your experience in MeetingFull.
- Additional access: This scope allows MeetingFull to view and manage your tasks, as well as to read and download your personal phone numbers and your organization’s Google Workspace directory, so that you can manage all of your tasks and contacts in one place.
We only ask for these permissions to enable the functionality of MeetingFull. We do not use your data for any other purpose, and we take all necessary measures to protect your data and ensure its privacy.
Encryption
Encryption is fundamental for data security. Why’s that? If something is encrypted, in the unlikely event that a bad actor were to get their hands on any data, they can’t read the data without an encryption key. Think of it as trying to find Davy Jones’s Locker without Jack Sparrow’s compass. The encryption key is carefully managed separately by AWS, so that the data and the key have a check and balance to make sure one cannot be accessed together with the other. We use both RSA2048 and SHA256 bit encryption keys.
For full transparency, the important detail about encryption is realizing that a system can only encrypt what it has. That means that once an email is sent, like a meeting invitation, the data is now in an inbox somewhere and is no longer a part of the system that sent the email. The nature of how this data is able to be easily forwarded outside of the MeetingFull framework helps add perspective to the type of data MeetingFull is handling. The data in MeetingFull is not intended to include anything that would have PCI implications. With that in mind, encryption still plays a vital role in our security framework.
Encryption at-rest
Encryption at-rest means that all our databases (while hosted on AWS), files, and other content storage have their files encrypted when they’re backed up or otherwise sitting idle. No one can read the encrypted data without an encryption key, so in the incredibly unlikely event that a bad actor tried to read data in a database, it would be unreadable. This is the top-tier standard used for cloud-based systems.
Encryption in-transit TLS/SSL
When logging into MeetingFull, you have a secure connection established using HTTPS. While many connections use HTTPS, we have an added layer of HSTS, to ensure that no one can forge a security certificate to bypass the security certificate validation. That leaves your data fully encrypted and allows you to feel comfortable, even on a shared WiFi connection. All connections between your browser and our application are using TLS 1.3.
For more about the MeetingFull security setup, and to see the details behind our SSL A+ rating, you can visit https://www.ssllabs.com/ and search for app.meetingfull.com.
Testing and deployments
- Penetration testing (or pen testing) is an exercise where we have cyber security systems attempt to find and exploit any software vulnerabilities in MeetingFull. The purpose of this intense, simulated attack is to find any weak spots in MeetingFull’s cyber defenses. We conduct our pen tests validating for OWASP guidelines on a weekly basis.
- Our development tasks are carefully tracked in Jira, where all code commits are tied to specific Jira issues. Our deployment pipeline is full CI/CD, using a combination of Jenkins with Docker for core container orchestration and GitHub for ensuring that all code is checked into the CI/CD framework before it is made available in a production environment. We use Robot Framework on Selenium for in-depth application automation testing, so code gets tested as it moves between environments and cannot deploy unless the automated tests pass. Our code moves from a Dev environment with unit test coverage to a Staging environment where we run both automated and manual tests, before deploying to the final Production environment.
Other things to think about
While we’re giving you an inside view, here are a few other things you might like to know:
- All data is written to multiple disks instantly, backed up daily, and stored in multiple locations, so that even if an unexpected disaster impacted one data center, your data is still available and the system remains online.
- Files that our customers upload are stored using S3 on AWS infrastructure and are encrypted at rest.
- AWS’s state-of-the-art servers are protected by 24×7 interior and exterior surveillance monitoring. Only authorized personnel have access to the data center. Electronic intrusion detection systems are installed within the data layer to monitor, detect, and automatically alert appropriate personnel of security incidents. Ingress and egress points to server rooms are secured with devices that require each individual to provide MFA before granting entry or exit. For more information, see aws.amazon.com/compliance/data-center/controls
- We comply with the law, and are committed to only sharing data if it’s legally required. That means we respect your privacy and will only share data if there is a court order that absolutely requires us to do so. Unless we’re legally prevented from it, we’ll inform you if we receive such requests.
We recognize that security is about more than encryption keys. Our security model is about trust and being very clear on the great lengths we go through to protect your data. We leverage the best security and infrastructure, built by massive companies at a scale that in-house hosting cannot match or beat. Like we shared earlier, we built a security model that we’re confident housing our own data in. That’s the best vote of confidence that we can give.
Anything we didn’t cover that you’d like more information about? Please submit a request to hello@meetingfull.com if you have other security questions. We’d love to hear from you.