Security FAQ

This  FAQ provides quick answers on how Cira Apps Ltd. handles customer data and addresses data security concerns. For answers to technical questions, check out the Support Page.  


How does CiraSync handle data security?

As a SaaS company, CiraSync integrates with Microsoft Azure using the Azure Consent Framework. If you are a subscriber, your data is kept within the Microsoft Cloud. Read SaaS Security: How We Keep Subscriber Data Safe and Secure and our Privacy Policy for more details on how we handle user data and keep it safe. 

I am not sure about granting Cira Apps Ltd access to my Global Admin account.

We understand the concerns around granting a third-party SaaS provider Global Admin access. There are two key API calls that CiraSync EE requires.  Microsoft does not allow the use of the APIs via the consent process unless a Global Administrator is used. Once you log on to the CiraSync dashboard using the service account and grant consent, you can then demote the service account. See How to lock down the Service Account for details. 

Our SaaS infrastructure requires access to contacts, calendar and notes. Since CiraSync uses the Azure consent model, no passwords are ever transmitted to CiraSync. A token is issued when an Office 365 global admin grants consent to CiraSync. It is not possible to use this token for any other application. Subscriber data is kept in the Microsoft Cloud. More details here: How We Handle Your Security

Is CiraSync HIPAA compliant?

CiraSync service does not handle any patient-related data, so there is no need for it to be HIPAA compliant. CiraSync only reads contacts and calendar events from the Office 365 source. We have many hospices and medical practices as customers who use CiraSync for this functionality.  

Will you sign a HIPAA Business Associate Agreement with our company?

Yes, we will. Send us your HIPAA BAA for review, and we can complete it as needed. 

I can’t create an account with the global admin role because all the global admins in my organization have multi-factor authentication. What do I do ?

In this case, it is better to lock the service account policy to specific IP addressesIf you are in the EU, the following IP addresses are used in the EU Azure cloud: