How does CiraSync handle data security?
I am not sure about granting Cira Apps Ltd access to my Global Admin account.
We understand the concerns around granting a third-party SaaS provider Global Admin access. CiraSync EE requires two key API calls, and Microsoft does not allow consent to those APIs through the consent process unless a Global Administrator grants it. Once you have logged on to the CiraSync dashboard with the service account and granted consent, you can demote the service account (remove its Global Administrator role): the consent is recorded against the CiraSync application in your tenant, not against the user who granted it. See How to lock down the Service Account for details.
Our SaaS infrastructure requires access to contacts, calendar and notes. Because CiraSync uses the Azure AD (Microsoft Entra ID) consent model, no passwords are ever transmitted to CiraSync. When an Office 365 global admin grants consent, a token is issued to the CiraSync application, and that token cannot be used by any other application. Subscriber data stays in the Microsoft Cloud. More details here: How We Handle Your Security.
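The two steps above (verify what was consented, then demote the service account) can be checked from the tenant side. The following is an added example using the Microsoft Graph PowerShell SDK; it is not CiraSync's own tooling. The enterprise application display name ('CiraSync') and the service-account UPN are assumptions; confirm both under Enterprise applications in the Entra portal before running it.

```powershell
# Added example (not CiraSync's own tooling): audit the permissions consented to
# the CiraSync enterprise application, then remove Global Administrator from the
# service account that granted consent. Requires the Microsoft.Graph SDK.
$AppDisplayName = 'CiraSync'                               # assumed display name
$ServiceAccount = 'cirasync-svc@contoso.onmicrosoft.com'   # assumed UPN

Connect-MgGraph -Scopes 'Application.Read.All', 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

# 1. The service principal is created in the tenant when consent is granted.
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'")
if ($sp.Count -ne 1) { throw "Expected one service principal named '$AppDisplayName', found $($sp.Count)" }
$sp = $sp[0]

# 2. Application permissions (app roles) granted tenant-wide to that principal.
#    This is what the issued token carries; it is bound to this app's ID.
foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $role     = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    '{0,-20} {1}' -f $resource.DisplayName, $role.Value   # resource API and permission name
}

# 3. Delegated permissions; admin consent shows ConsentType = AllPrincipals.
Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id |
    Select-Object ConsentType, Scope

# 4. Demote the service account. Consent lives on the service principal, so it
#    survives removal of the Global Administrator role from the user.
$user   = Get-MgUser -UserId $ServiceAccount
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$member = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id | Where-Object { $_.Id -eq $user.Id }
if ($member) {
    Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $gaRole.Id -DirectoryObjectId $user.Id
    "Removed Global Administrator from $ServiceAccount"
} else {
    "$ServiceAccount is not a Global Administrator; nothing to remove"
}
```

Step 2 is the check worth keeping: the list of app roles is the full set of what any token issued to this application can do, independent of which user consented, so compare it against the contacts, calendar and notes access the text describes and raise any permission beyond that with the vendor before demoting the account.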
Is CiraSync HIPAA compliant?
The CiraSync service does not handle any patient-related data, so it does not need to be HIPAA compliant. CiraSync only reads contacts and calendar events from the Office 365 source; whether those contain PHI depends on what you choose to sync, so keep patient records out of the folders you point CiraSync at. Many hospices and medical practices are CiraSync customers and use it for this functionality.
Will you sign a HIPAA Business Associate Agreement with our company?
Yes, we will. Send us your HIPAA BAA for review, and we can complete it as needed.
I can't create an account with the Global Admin role because all the Global Admins in my organization have multi-factor authentication. What do I do?
In this case, it is better to restrict the service account with a Conditional Access policy that allows sign-in only from specific IP addresses (CiraSync's service addresses) rather than requiring MFA on it. If you are in the EU, the following IP addresses are used in the EU Azure cloud:
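One way to apply that IP restriction, as an added example using the Microsoft Graph PowerShell SDK (not CiraSync's own tooling): create a named location holding the vendor's ranges and a Conditional Access policy that blocks the service account from everywhere else. The service-account UPN is an assumption, and the CIDR ranges are placeholders from the RFC 5737 documentation range, not CiraSync's real addresses; substitute the list CiraSync publishes for your region.

```powershell
# Added example (not CiraSync's own tooling): lock the service account to the
# vendor's source IP ranges with a Conditional Access policy, so it can be
# excluded from the MFA requirement without becoming usable from anywhere.
$ServiceAccount = 'cirasync-svc@contoso.onmicrosoft.com'   # assumed UPN
$CiraSyncRanges = @('203.0.113.0/24', '198.51.100.0/24')    # placeholders (RFC 5737), not real CiraSync IPs

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'

$user = Get-MgUser -UserId $ServiceAccount

# 1. Named location with the allowed ranges. Not marked trusted: it should act
#    only as a policy condition, not relax MFA for anyone signing in from it.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'CiraSync service IPs'
    isTrusted     = $false
    ipRanges      = @($CiraSyncRanges | ForEach-Object {
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $_ }
    })
}

# 2. Policy scoped to this one user and every application: block any sign-in
#    whose location is not the named location. Created in report-only mode;
#    review the sign-in log for this account, then set state to 'enabled'.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block CiraSync service account outside vendor IPs'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @($user.Id) }
        applications = @{ includeApplications = @('All') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
"Created policy '$($policy.DisplayName)' ($($policy.Id)) in report-only mode"
```

This policy only adds a block; it does not by itself lift MFA. The service account still has to be excluded from whatever policy requires MFA for Global Admins, which is why the IP restriction should be enforced (state 'enabled') before that exclusion is made, and why the account should hold Global Administrator only for the one-time consent described above.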