Before you start syncing your Outlook calendar with your 1-on-1s, you may be wondering how we ensure the privacy of your data with the integration. Rest assured that we take the privacy of your data very seriously. Continue reading to learn more about how we secure your Outlook calendar data.
1. What does Microsoft provide in their API?
2. What do we pull from the API into our system?
3. How do we secure the data that is in our system?
1. What does Microsoft provide in their API?
To call Microsoft Graph and read Calendar events, we require an access token from the Microsoft identity platform. We only have read permissions for calendars. This is what you are giving us access to when you approve the integration.
The Limeade Listening app is registered with Microsoft Azure Active Directory as an authorized app to request access to organizations' Microsoft Graph Toolkits. When a user requests to have their Outlook calendar be integrated with Limeade Listening, the authorized Limeade Listening app in Azure Active Directory is granted access to specific resources on behalf of the user at your organization who requested the integration.
Below are the steps that we follow with Microsoft Graph when a user adds the Outlook integration to their account:
1. The user logs in to their Microsoft account and gives their consent to sync their Outlook calendar with Limeade Listening so that the 1-on-1s page can be authorized to access their Outlook events.
2. We get an access token from Microsoft. (Limeade Listening is registered with Microsoft as an identity platform and can be authorized by a Microsoft user to access Microsoft Graph.)
3. We call Microsoft Graph with the access token that is provided to us. Limeade Listening then fetches the data from the Microsoft Graph API as in the example below.
HTTP request
The following is an example of a user's calendar:
1https://graph.microsoft.com/v1.0/me/calendars/{id}/calendarview?startDatetime=2021-05-28T14:58:39&en
Response
If successful, this method returns a 200 OK response code and the calendar object in the response body. We exclude body and bodyPreview attributes upon fetching recurring events from Outlook Calendar. The following is an example of the response data from the Microsoft Graph API:
1{ 2 "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('1781a97d-8a09-4179-b40d-fddb5c53d31a')/calendars('AQMkADcyNzQxNmVkLTg1OTEtNGU4My1iZjRhLTA3OGU5YTE2MmNiMQBGAAAD-2iESTCQHkG0NpG8YwDBwAcAlCyGeTulaUWJBctu1aa7bQAAAgEGAAAAlCyGeTulaUWJBctu1aa7bQABQAHpJwAAAA%3D%3D')/calendarView(attendees,categories,changeKey,createdDateTime,end,hasAttachments,iCalUId,id,importance,isAllDay,isCancelled,isOrganizer,isReminderOn,lastModifiedDateTime,location,locations,onlineMeetingUrl,organizer,originalEndTimeZone,originalStart,originalStartTimeZone,recurrence,reminderMinutesBeforeStart,responseRequested,responseStatus,sensitivity,seriesMasterId,showAs,start,subject,type,webLink,attachments,calendar,extensions,instances,multiValueExtendedProperties,singleValueExtendedProperties)", 3 "value": [ 4 { 5 "@odata.etag": "W/\"lCyGeTulaUWJBctu1aa7bQACXtRGPg==\"", 6 "id": "AAMkADcyNzQxNmVkLTg1OTEtNGU4My1iZjRhLTA3OGU5YTE2MmNiMQFRAAgI2SVZXXaAAEYAAAAA-2iESTCQHkG0NpG8YwDBwAcAlCyGeTulaUWJBctu1aa7bQAAAAABDQAAlCyGeTulaUWJBctu1aa7bQACXwD34wAAEA==", 7 "createdDateTime": "2021-05-28T08:10:36.0163396Z", 8 "lastModifiedDateTime": "2021-05-28T08:10:37.0916191Z", 9 "changeKey": "lCyGeTulaUWJBctu1aa7bQACXtRGPg==", 10 "categories": [], 11 "originalStartTimeZone": "SE Asia Standard Time", 12 "originalEndTimeZone": "SE Asia Standard Time", 13 "iCalUId": "040000008200E00074C5B7101A82E00807E5060203B22AF09853D7010000000000000000100000002D3811DD6CBB4C4CBFDF5B1644F7EA24", 14 "reminderMinutesBeforeStart": 15, 15 "isReminderOn": true, 16 "hasAttachments": false, 17 "subject": "1-on-1 meeting", 18 "importance": "normal", 19 "sensitivity": "normal", 20 "originalStart": "2021-06-02T01:00:00Z", 21 "isAllDay": false, 22 "isCancelled": false, 23 "isOrganizer": true, 24 "responseRequested": true, 25 "seriesMasterId": "AQMkADcyNzQxNmVkLTg1OTEtNGU4My1iZjRhLTA3OGU5YTE2MmNiMQBGAAAD-2iESTCQHkG0NpG8YwDBwAcAlCyGeTulaUWJBctu1aa7bQAAAgENAAAAlCyGeTulaUWJBctu1aa7bQACXwD34wAAAA==", 26 "showAs": "busy", 27 "type": "occurrence", 28 "webLink": "https://outlook.office365.com/owa/?itemid=AAMkADcyNzQxNmVkLTg1OTEtNGU4My1iZjRhLTA3OGU5YTE2MmNiMQFRAAgI2SVZXXaAAEYAAAAA%2F2iESTCQHkG0NpG8YwDBwAcAlCyGeTulaUWJBctu1aa7bQAAAAABDQAAlCyGeTulaUWJBctu1aa7bQACXwD34wAAEA%3D%3D&exvsurl=1&path=/calendar/item", 29 "onlineMeetingUrl": null, 30 "responseStatus": { 31 "response": "organizer", 32 "time": "0001-01-01T00:00:00Z" 33 }, 34 "start": { 35 "dateTime": "2021-06-02T01:00:00.0000000", 36 "timeZone": "UTC" 37 }, 38 "end": { 39 "dateTime": "2021-06-02T01:30:00.0000000", 40 "timeZone": "UTC" 41 }, 42 "location": { 43 "displayName": "", 44 "locationType": "default", 45 "uniqueIdType": "unknown", 46 "address": {}, 47 "coordinates": {} 48 }, 49 "locations": [], 50 "recurrence": null, 51 "attendees": [ 52 { 53 "type": "required", 54 "status": { 55 "response": "none", 56 "time": "0001-01-01T00:00:00Z" 57 }, 58 "emailAddress": { 59 "name": "may261@tinypulse.com", 60 "address": "may261@tinypulse.com" 61 } 62 } 63 ], 64 "organizer": { 65 "emailAddress": { 66 "name": "Phong", 67 "address": "phong@tinypulse.com" 68 } 69 } 70 }, 71 { 72 "@odata.etag": "W/\"lCyGeTulaUWJBctu1aa7bQACXtRGPg==\"", 73 "id": "AAMkADcyNzQxNmVkLTg1OTEtNGU4My1iZjRhLTA3OGU5YTE2MmNiMQFRAAgI2SrZhlrAAEYAAAAA-2iESTCQHkG0NpG8YwDBwAcAlCyGeTulaUWJBctu1aa7bQAAAAABDQAAlCyGeTulaUWJBctu1aa7bQACXwD34wAAEA==", 74 "createdDateTime": "2021-05-28T08:10:36.0163396Z", 75 "lastModifiedDateTime": "2021-05-28T08:10:37.0916191Z", 76 "changeKey": "lCyGeTulaUWJBctu1aa7bQACXtRGPg==", 77 "categories": [], 78 "originalStartTimeZone": "SE Asia Standard Time", 79 "originalEndTimeZone": "SE Asia Standard Time", 80 "iCalUId": "040000008200E00074C5B7101A82E00807E5060903B22AF09853D7010000000000000000100000002D3811DD6CBB4C4CBFDF5B1644F7EA24", 81 "reminderMinutesBeforeStart": 15, 82 "isReminderOn": true, 83 "hasAttachments": false, 84 "subject": "1-on-1 meeting", 85 "importance": "normal", 86 "sensitivity": "normal", 87 "originalStart": "2021-06-09T01:00:00Z", 88 "isAllDay": false, 89 "isCancelled": false, 90 "isOrganizer": true, 91 "responseRequested": true, 92 "seriesMasterId": "AQMkADcyNzQxNmVkLTg1OTEtNGU4My1iZjRhLTA3OGU5YTE2MmNiMQBGAAAD-2iESTCQHkG0NpG8YwDBwAcAlCyGeTulaUWJBctu1aa7bQAAAgENAAAAlCyGeTulaUWJBctu1aa7bQACXwD34wAAAA==", 93 "showAs": "busy", 94 "type": "occurrence", 95 "webLink": "https://outlook.office365.com/owa/?itemid=AAMkADcyNzQxNmVkLTg1OTEtNGU4My1iZjRhLTA3OGU5YTE2MmNiMQFRAAgI2SrZhlrAAEYAAAAA%2F2iESTCQHkG0NpG8YwDBwAcAlCyGeTulaUWJBctu1aa7bQAAAAABDQAAlCyGeTulaUWJBctu1aa7bQACXwD34wAAEA%3D%3D&exvsurl=1&path=/calendar/item", 96 "onlineMeetingUrl": null, 97 "responseStatus": { 98 "response": "organizer", 99 "time": "0001-01-01T00:00:00Z" 100 }, 101 "start": { 102 "dateTime": "2021-06-09T01:00:00.0000000", 103 "timeZone": "UTC" 104 }, 105 "end": { 106 "dateTime": "2021-06-09T01:30:00.0000000", 107 "timeZone": "UTC" 108 }, 109 "location": { 110 "displayName": "", 111 "locationType": "default", 112 "uniqueIdType": "unknown", 113 "address": {}, 114 "coordinates": {} 115 }, 116 "locations": [], 117 "recurrence": null, 118 "attendees": [ 119 { 120 "type": "required", 121 "status": { 122 "response": "none", 123 "time": "0001-01-01T00:00:00Z" 124 }, 125 "emailAddress": { 126 "name": "may261@tinypulse.com", 127 "address": "may261@tinypulse.com" 128 } 129 } 130 ], 131 "organizer": { 132 "emailAddress": { 133 "name": "Phong", 134 "address": "phong@tinypulse.com" 135 } 136 } 137 } 138 ] 139}
2. What do we pull from the API into our system?
In Limeade Listening
After fetching Outlook events from Microsoft Graph, the 1-on-1s page selects the events that meet our requirements and display the list in 1-on-1s Outlook page.
Outlook calendar events will only be displayed as an option for a 1-on-1 if they meet all of the following conditions:
- The Outlook event must be a recurring meeting
- The Outlook event must only include you (the manager) and your direct report
- The privacy settings on your calendar event must be public so that Limeade Listening can see the event
- The Outlook event must be a unique creation - please make sure that it is not copied and pasted from another event
In our database
In our database, we store the provider_data which is granted to us with the Microsoft Graph API.
The following is an example of the data we store from the Microsoft Graph API:
1{ 2 "id": "AAMkADliODkzZWY3LTllYzAtNDBiZi04MTU0LWNlOTIxNWE3MDFmZAFRAAgI2TtaAQeAAEYAAAAATBx21GhwC0SkJVGP8P4K-gcAGjtRCEQQa0eljhSJXnPrmAAAALidtgAAHgaZ3DsqzUWXn5Gl_FDdRAACK8mO_wAAEA==", 3 "end": { 4 "date_time": "2021-06-30T23:15:00.0000000", 5 "time_zone": "America/Los_Angeles" 6 }, 7 "type": "occurrence", 8 "start": { 9 "date_time": "2021-06-30T22:45:00.0000000", 10 "time_zone": "America/Los_Angeles" 11 }, 12 "showAs": "busy", 13 "iCalUId": "040000008200E00074C5B7101A82E00807E5061ED095127C4C19D60100000000000000001000000027FA54554C06BC40B04EEB0254466606", 14 "subject": "Werner / Jesse O3", 15 "webLink": "https://outlook.office365.com/owa/?itemid=AAMkADliODkzZWY3LTllYzAtNDBiZi04MTU0LWNlOTIxNWE3MDFmZAFRAAgI2TtaAQeAAEYAAAAATBx21GhwC0SkJVGP8P4K%2FgcAGjtRCEQQa0eljhSJXnPrmAAAALidtgAAHgaZ3DsqzUWXn5Gl%2BFDdRAACK8mO%2BwAAEA%3D%3D&exvsurl=1&path=/calendar/item", 16 "declined": null, 17 "isAllDay": false, 18 "location": { 19 "uniqueId": "Microsoft Teams Meeting", 20 "displayName": "Microsoft Teams Meeting", 21 "locationType": "default", 22 "uniqueIdType": "private" 23 }, 24 "provider": "microsoft", 25 "attendees": [ 26 { 27 "type": "required", 28 "status": { 29 "time": "0001-01-01T00:00:00Z", 30 "response": "none" 31 }, 32 "emailAddress": { 33 "name": "Jesse Smith", 34 "address": "jesse.smith@smartdolphins.com" 35 } 36 }, 37 { 38 "type": "required", 39 "status": { 40 "time": "2020-12-07T16:45:12.057Z", 41 "response": "accepted" 42 }, 43 "emailAddress": { 44 "name": "Werner Baron", 45 "address": "werner.baron@smartdolphins.com" 46 } 47 } 48 ], 49 "changeKey": "HgaZ3DsqzUWXn5Gl+FDdRAADy11vtw==", 50 "locations": [ 51 { 52 "uniqueId": "ec7c7126-ad45-4f26-beb9-442fc830feb0", 53 "displayName": "Microsoft Teams Meeting", 54 "locationType": "default", 55 "uniqueIdType": "locationStore" 56 } 57 ], 58 "organizer": { 59 "emailAddress": { 60 "name": "Jesse Smith", 61 "address": "jesse.smith@smartdolphins.com" 62 } 63 }, 64 "categories": [ 65 "Orange category" 66 ], 67 "importance": "normal", 68 "recurrence": [], 69 "@odata.etag": "W/\"HgaZ3DsqzUWXn5Gl+FDdRAADy11vtw==\"", 70 "isCancelled": false, 71 "isOrganizer": true, 72 "sensitivity": "normal", 73 "isReminderOn": true, 74 "originalStart": "2021-06-30T22:45:00Z", 75 "hasAttachments": false, 76 "responseStatus": { 77 "time": "0001-01-01T00:00:00Z", 78 "response": "organizer" 79 }, 80 "seriesMasterId": "AAMkADliODkzZWY3LTllYzAtNDBiZi04MTU0LWNlOTIxNWE3MDFmZABGAAAAAABMHHbUaHALRKQlUY-w-gr_BwAaO1EIRBBrR6WOFIlec_uYAAAAuJ22AAAeBpncOyrNRZefkaX4UN1EAAIryY77AAA=", 81 "createdDateTime": "2020-04-23T15:52:24.6158594Z", 82 "onlineMeetingUrl": null, 83 "provider_event_id": "AAMkADliODkzZWY3LTllYzAtNDBiZi04MTU0LWNlOTIxNWE3MDFmZAFRAAgI2TtaAQeAAEYAAAAATBx21GhwC0SkJVGP8P4K-gcAGjtRCEQQa0eljhSJXnPrmAAAALidtgAAHgaZ3DsqzUWXn5Gl_FDdRAACK8mO_wAAEA==", 84 "responseRequested": true, 85 "originalEndTimeZone": "Pacific Standard Time", 86 "original_start_time": { 87 "date_time": "2021-06-30T22:45:00Z", 88 "time_zone": "America/Los_Angeles" 89 }, 90 "lastModifiedDateTime": "2021-03-13T16:19:33.7438326Z", 91 "originalStartTimeZone": "Pacific Standard Time", 92 "provider_parent_event_id": "AAMkADliODkzZWY3LTllYzAtNDBiZi04MTU0LWNlOTIxNWE3MDFmZABGAAAAAABMHHbUaHALRKQlUY-w-gr_BwAaO1EIRBBrR6WOFIlec_uYAAAAuJ22AAAeBpncOyrNRZefkaX4UN1EAAIryY77AAA=", 93 "reminderMinutesBeforeStart": 15 94}
3. How do we secure the data that is in our system?
Since we are a cloud-stored software service, all of our data is stored in Amazon's secure data centers (AWS Aurora databases) located in the United States in Virginia. Limeade Listening uses secure methods supplied by AWS to connect our data to their secure data centers. Our data is backed up daily and our backup retention period is 45 days.
Only granted and authorized employees (on behalf of Limeade Listening) have access to the data centers to do maintenance tasks, and every employee’s action is logged and audited.
Limeade Listening is ISO 27001 compliant and does an annual penetration test to find any security vulnerabilities.