# Technical / Security Overview

The **Secure Contacts App (SCA)** provides enterprise-grade security for managing business contacts on mobile devices. Its architecture balances strong data protection, GDPR compliance, and seamless integration with Microsoft Intune and Azure Active Directory (AAD).

### **Security Concept**

* **Encrypted Container:** The app functions as a protected and encrypted container, preventing uncontrolled data leakage to third-party apps or services.
* **Data Ownership:** All personal and business contact data remains under the control of the customer organization.
* **No Telemetry or External Connections:** SCA does **not collect any telemetry data** and only connects to Microsoft Azure Cloud endpoints. No data is sent to the app provider or any other third-party services.

### **Data Sources**

SCA consolidates contact information from [trusted organizational sources](https://docs.secure-contacts.com/documentation/data-sources):

* **Azure Active Directory (AAD):** Central directory for organizational contacts.
* **Global Address List (GAL):** Complete organizational contact list.
* **Personal Outlook Contacts (APC):** User-specific contacts from Exchange Online.

**Optional sources** (if enabled by the organization):

* Microsoft Dynamics 365 (D365)
* Microsoft Dataverse (DVRS) – for contacts stored by apps built on Microsoft Dataverse
* Azure Blob Storage (ABS) – for contacts exported from **any** app (including on-premises) via CSV/JSON using the SCA Blob Storage connector
* Shared Mailbox Contacts (SMC) – part of Exchange Online

SCA accesses only backend services within the customer’s Azure tenant, including Microsoft Graph API and optionally Dataverse and Blob Storage. There are **no external backend servers, remote monitoring, analytics, or data collection** by Secure Contacts.

> **Azure Enterprise App Registration:** [SCA is registered as an Azure Enterprise Application](https://docs.secure-contacts.com/documentation/authentication/enterprise-application). Access to organizational data requires **admin consent**, ensuring that all permissions are granted and controlled by the organization.

### **Requirements**

To deploy and use SCA:

* **Microsoft 365 Tenant (Worldwide)** – required for identity and organizational management.
* **Azure Active Directory Premium P1 (or higher)** – required for Conditional Access, MFA, and identity management.
* **Exchange Online Plan 1 (or higher)** – optional; needed only if accessing personal Outlook contacts (APC) or shared mailbox contacts (SMC).
* **Mobile Device Management (MDM) System** – mandatory; allows management and enforcement of security policies on mobile devices.
  * **Microsoft Intune** is preferred for full integration with SCA.
  * Other MDM systems may be used.

> These requirements ensure proper security, management, and integration of SCA with Microsoft cloud services and enterprise device policies.

### **Data in Transit**

* **Secure Communication:** All API calls and data transactions are encrypted using **HTTPS with TLS 1.2 or higher**.
* After the TLS handshake, SCA and the Azure API endpoints use the strongest encryption algorithm (cipher suite) supported by both sides.
* This ensures contact data is protected against interception during synchronization or API calls.

### **Data at Rest**

* Contacts are stored locally within the app container in a **local encrypted database**.
* Encryption keys are securely generated and stored in the **iOS Keychain** or **Android Keystore**, inaccessible to other apps or users without proper authentication.
* **Microsoft Intune App Protection Policies (APP)** provide an additional layer of container-level security.
* **Data Deletion:** When the app is uninstalled, all locally stored contact data is removed.

### **Data Processed**

SCA processes and stores the following contact information locally:

* First and last name
* Company name
* Position / job title
* Email addresses and phone numbers
* Profile photo
* Contact GUID (internal identifier)
* Data source name / ID / priority (e.g., GAL, APC, D365)
* Hash ID (for internal matching and lookup)

All data remains within the app container; **there is no external storage or monitoring** by Secure Contacts. Synchronization occurs only through trusted backend services such as Microsoft Graph API, Dataverse, or Blob Storage.

### **How Data is Processed by the App**

* When the app is launched for the first time, or the user performs a pull-to-update gesture, a **resync process** is started.
* SCA queries all configured data sources for which the user has been authorized.
* Each received contact is analyzed to:
  * Remove duplicates
  * Combine contacts from different sources where possible
  * Normalize and verify each phone number according to the international standard **ITU-T E.164**
* After processing, contact data is stored in a **local encrypted database**.
* On subsequent app launches, the contact data is loaded directly from the encrypted database.
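The resync steps above (query sources, de-duplicate, merge across sources, normalize phone numbers to E.164) as one runnable pipeline. This is an added example written for this page, not code from the Secure Contacts App: the source priorities, the matching rule (same email, else same name), the default country code and the simplified E.164 rules are all assumptions, and the input contacts are constructed sample data.

```python
import re
from dataclasses import dataclass, field

# Assumed source priority: a lower number wins when two records disagree.
# (Illustrative values; the real priorities are configured per tenant.)
SOURCE_PRIORITY = {"GAL": 1, "AAD": 2, "APC": 3, "D365": 4}

# E.164: a '+' followed by at most 15 digits, first digit non-zero.
# The floor of 7 digits in total is a practical assumption, not part of E.164.
E164_RE = re.compile(r"^\+[1-9]\d{6,14}$")


def normalize_e164(raw, default_country_code="49"):
    """Return the E.164 form of a phone number, or None if it cannot be made valid.

    Simplified rules (assumption): accept a leading '+', treat the '00'
    international prefix as '+', and replace a single national '0' prefix with
    the assumed default country code. Country-specific trunk rules are not modelled.
    """
    compact = re.sub(r"[\s().\-/]", "", raw)
    if compact.startswith("+"):
        candidate = compact
    elif compact.startswith("00"):
        candidate = "+" + compact[2:]
    elif compact.startswith("0"):
        candidate = "+" + default_country_code + compact[1:]
    else:
        candidate = "+" + default_country_code + compact
    return candidate if E164_RE.match(candidate) else None


@dataclass
class Contact:
    source: str
    first_name: str
    last_name: str
    email: str = ""
    phones: list = field(default_factory=list)
    company: str = ""
    job_title: str = ""


def match_key(contact):
    """Assumed identity rule: same email (case-insensitive) means the same person;
    records without an email fall back to a normalized first/last name."""
    if contact.email:
        return ("email", contact.email.strip().lower())
    return ("name", contact.first_name.strip().lower(), contact.last_name.strip().lower())


def resync(received):
    """Merge raw contacts from all sources into one de-duplicated list.

    The highest-priority record for a person supplies the base fields; lower
    priority records only fill empty fields and contribute extra phone numbers.
    Every phone number is normalized to E.164, and unparseable ones are dropped.
    """
    merged = {}
    for c in sorted(received, key=lambda c: SOURCE_PRIORITY.get(c.source, 99)):
        key = match_key(c)
        phones = [p for p in (normalize_e164(raw) for raw in c.phones) if p]
        if key not in merged:
            merged[key] = Contact(c.source, c.first_name, c.last_name, c.email,
                                  phones, c.company, c.job_title)
            continue
        base = merged[key]
        base.company = base.company or c.company
        base.job_title = base.job_title or c.job_title
        for phone in phones:
            if phone not in base.phones:
                base.phones.append(phone)
    return list(merged.values())


# Constructed sample input: the same two people reported by several sources.
SAMPLE = [
    Contact("APC", "Anna", "Example", "anna@example.com", ["030-123456"], "", "Engineer"),
    Contact("GAL", "Anna", "Example", "Anna@Example.com",
            ["+49 30 123456", "0049 171 1234567"], "Example GmbH", ""),
    Contact("D365", "Ben", "Muster", "", ["0151 9876543"], "Muster AG", ""),
    Contact("GAL", "Ben", "Muster", "", ["abc"], "", "Sales"),
]

if __name__ == "__main__":
    for contact in resync(SAMPLE):
        print(contact)
```

Running the module prints two merged contacts: Anna with both E.164 numbers, the company from GAL and the job title filled from APC, and Ben with the one valid number from D365 (the GAL value `abc` is rejected by the E.164 check rather than stored).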

### **Authentication**

* **PIN:** User-defined personal identifier
* **Biometric Authentication:** Touch ID or Face ID
* **Azure AD Conditional Access:** Enforces security based on device compliance and app protection status

These mechanisms ensure that only **authorized users** can access sensitive contact data.

### **Microsoft Intune Integration**

SCA integrates with **Microsoft Intune**, allowing enforcement of **App Protection Policies (APP)** and **Conditional Access Policies (CAP)**. Centralized management ensures compliance with organizational security requirements.

### **Data Flow Control**

* **Open-In Control:** Prevents opening contact data in unauthorized apps
* **Copy/Paste Control:** Limits copying and pasting from the app
* **Third-Party Keyboard Restrictions:** Disables third-party keyboards to prevent data interception
* **iCloud and Backup Restrictions:** Ensures data remains within the secure app container
* **No Unintentional Synchronization:** Prevents data from syncing with third-party apps such as WhatsApp or Google services

### **Incoming Call Identification**

* **Instant Caller Recognition**: Displays the caller’s full name and company on the device’s native incoming call screen **without syncing with the device’s local contacts**, ensuring privacy. Works even when the app is not running or offline.
* **Full Contact Details (Inside App):** Position, profile photo, contact source, and presence or Out-of-Office status are visible in the contact’s detail card within the app.
* **Presence & Out-of-Office:** Displays **Microsoft Teams presence** and Outlook/Microsoft Teams Out-of-Office messages in the contact card. These are retrieved securely via **Microsoft Graph API**.
* **Cross-Platform Support:** [Works on both **iOS and Android**](https://docs.secure-contacts.com/documentation/ios-and-android-version-of-sca-in-comparison) with enterprise-grade security and privacy protections.

All data used for caller identification remains **within approved services or the secure app container**, with no external sharing outside the organization.

### **Compliance and Data Protection**

* **GDPR Compliance:** SCA is designed in accordance with GDPR, ensuring all personal data remains under the control of the customer organization.
* **End-to-End Security:** Combines encrypted storage, secure transit, containerization, and controlled authentication to protect sensitive information.

### **Deployment Scenarios**

* **Private Use / BYOD (Bring Your Own Device):**\
  SCA can be installed on personal devices while maintaining enterprise-grade security and data protection. Intune App Protection Policies enforce containerization and prevent data leakage, even on personal devices.
* **Corporate-Owned / Private-Enabled Devices (COPE):**\
  On corporate-owned devices that allow private use, SCA can be deployed with full Intune management and Conditional Access policies, ensuring data is secure while enabling personal use.

### **Logging & Monitoring**

* **Local Logfile**: SCA maintains a daily rotating logfile for app events and diagnostics.
* **Customer-Controlled Export**: Customers may manually export logfiles for support purposes, with the ability to review and remove sensitive information before sharing.
* **No Automatic Transfer**: There is no online or automated mechanism that transfers logs to the app provider. Logfiles remain entirely under the customer’s control unless explicitly exported.

> Logs **do not contain contact content**, ensuring troubleshooting while maintaining data privacy.
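How the two properties stated in this section, a daily rotating logfile and logs free of contact content, can be enforced and checked before an export. This is an added example, not the app's own logging code: it uses Python's standard library, the redaction patterns are assumptions, a temporary directory stands in for the app container, and the logged values are constructed.

```python
import logging
import os
import re
import tempfile
from logging.handlers import TimedRotatingFileHandler

# Assumed patterns for the contact content most likely to leak into diagnostics:
# email addresses and phone numbers in common notations.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s().\-]{6,}\d")


def redact(text):
    """Replace email addresses and phone-number-like runs with placeholders."""
    return PHONE_RE.sub("<phone>", EMAIL_RE.sub("<email>", text))


class RedactingFilter(logging.Filter):
    """Scrub each record after its arguments are formatted in, so a value passed
    as '%s' is caught as well as one embedded in the message string."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def build_logger(log_dir, name="sca-example"):
    """Daily rotating logfile (rotates at midnight, keeps 7 days) with the
    redaction filter attached to the handler so every record passes through it."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    handler = TimedRotatingFileHandler(os.path.join(log_dir, "app.log"),
                                       when="midnight", backupCount=7, encoding="utf-8")
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger


def contains_contact_content(log_dir):
    """Pre-export review: True if any email or phone number survives in the
    message column. The first three space-separated fields are the formatter's
    date, time and level; they are skipped so timestamps are not mistaken for
    phone numbers."""
    with open(os.path.join(log_dir, "app.log"), encoding="utf-8") as fh:
        for line in fh:
            message = line.rstrip("\n").split(" ", 3)[-1]
            if EMAIL_RE.search(message) or PHONE_RE.search(message):
                return True
    return False


def demo():
    """Write two constructed events to a temporary directory and return its path."""
    log_dir = tempfile.mkdtemp()
    logger = build_logger(log_dir)
    logger.info("resync finished: 2 contacts merged")
    # Constructed sample values; with the filter in place neither reaches disk.
    logger.info("lookup failed for %s (%s)", "anna@example.com", "+49 30 123456")
    for handler in logger.handlers:
        handler.close()
    return log_dir


if __name__ == "__main__":
    print("contact content in log:", contains_contact_content(demo()))
```

The filter sits on the handler rather than on the logger so that records from any logger routed to this file are scrubbed; the separate `contains_contact_content` check is the kind of review a customer can run on an exported logfile before sharing it for support.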
