Secure by Design


Outlook add-ins are different from COM or VSTO add-ins, which are older integrations specific to Outlook running on Windows. Unlike COM add-ins, Outlook add-ins don’t have any code physically installed on the user’s device or Outlook client. For an Outlook add-in, Outlook reads the manifest and hooks up the specified controls in the UI, and then loads the JavaScript and HTML. The web components all run in the context of a browser in a sandbox.

Outlook on Windows uses a JavaScript file, while Outlook on the web uses an HTML file that can reference the same JavaScript file. References to both these files are supplied in the Resources node of the manifest (XML) and the Outlook platform ultimately determines whether to use HTML or JavaScript based on the Outlook client.

Per Microsoft’s guidance, our event-based add-in is short-running, lightweight, and as non-invasive as possible. We use the event.completed method to signal that our add-in has completed processing the launch event. If, for any reason, the add-in has remained open, Outlook automatically ends it when the user closes the compose window.
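One way to write a launch-event handler so that event.completed is signalled on every path, including failures (an added example, not the add-in's own code; the handler name and the signature HTML are assumptions):

```javascript
// Added example; names marked "hypothetical" are not taken from the vendor's add-in.
const SIGNATURE_HTML = "<p>Jane Doe<br>Example Corp</p>"; // constructed sample value

// Wrap event.completed() so it is called exactly once, whichever path finishes first.
function completeOnce(event) {
  let done = false;
  return () => {
    if (done) return false; // already signalled; do not call completed() twice
    done = true;
    event.completed();
    return true;
  };
}

// Hypothetical handler for the OnNewMessageCompose launch event.
function onNewMessageComposeHandler(event) {
  const finish = completeOnce(event);
  try {
    Office.context.mailbox.item.body.setSignatureAsync(
      SIGNATURE_HTML,
      { coercionType: Office.CoercionType.Html },
      (result) => {
        if (result.status !== Office.AsyncResultStatus.Succeeded) {
          // A failed insert must not leave the add-in running.
          console.error("setSignatureAsync failed:", result.error && result.error.message);
        }
        finish(); // signal completion on success and on failure
      }
    );
  } catch (err) {
    // A synchronous error would otherwise skip the callback entirely.
    console.error("launch-event handler threw:", err);
    finish();
  }
}

// Register under the function name the manifest's LaunchEvent entry refers to.
// Guarded so the file also loads outside Outlook (for example under a test runner).
if (typeof Office !== "undefined" && Office.actions) {
  Office.actions.associate("onNewMessageComposeHandler", onNewMessageComposeHandler);
}
```
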

For additional technical information, read Microsoft’s Privacy and security for Office Add-ins article.

Our servers are secured using industry best practices. Access is limited to only Digitech Branding employees who need access for business purposes. Our services are hosted on Heroku and AWS and are protected with Cloudflare. Encryption is via Cloudflare “Modern TLS Only” forcing all HTTPS traffic to be served over TLS 1.2. Our primary data locations are AWS US East (N. Virginia) and AWS US East (Ohio) with AWS US West (N. California) used for some data backup. Additionally, we maintain an offline backup that can be started in an emergency in AWS Europe (Ireland) - this is compute only (data still resides in the primary locations).

The application uses Office 365 OAuth to authenticate users. No password is collected, transmitted, or stored by the application. After the user authorizes the app, the application stores a token that provides limited access to update the user’s signature settings. This token is stored only on the user’s local computer and is never transmitted to Dynasend servers. It is used only to communicate directly with Office 365 servers from the user’s local computer.

No Access to Your Email

Unlike many of our competitors, our process does not require that your email messages be routed through our servers for the signatures to be applied or “stamped”. Rather, we treat email signatures as Microsoft & Google intended them, by using the email signature functionality that’s been built into their email client programs.