CiraSync Data Security

Watch the video to learn about the CiraSync Data Flow Architecture.

white paper

CiraSync User Data Security

Cira Apps Ltd. takes user data security very seriously and has taken multiple actions to ensure user data is kept secure and is compliant with all existing data security laws.

This white paper includes the following security topics:

  • CiraSync integration with Microsoft Azure and the Azure Consent Network.
  • How user data flows through CiraSync.
  • CiraSync compliance with GDPR.
  • Cira Apps data privacy policies.

Security FAQ

This FAQ provides quick answers on how Cira Apps Ltd. handles customer data and addresses data security concerns. For answers to technical questions, check out the Support Page.

How does CiraSync handle data security?

As a SaaS company, CiraSync integrates with Microsoft Azure using the Azure Consent Framework. If you are a subscriber, your data is kept within the Microsoft Cloud. Read the following for more details on how we handle user data and keep it safe: 

I am not sure about granting Cira Apps Ltd access to my Global Admin account.

We understand the concerns around granting a third-party SaaS provider Global Admin access. There are two key API calls that CiraSync EE requires. Microsoft does not allow the use of these APIs via the consent process unless a Global Administrator account is used. Once you log on to the CiraSync dashboard using the service account and grant consent, you can then demote the service account. See Securing the CiraSync Service Account for details.

Our SaaS infrastructure requires access to contacts, calendar and notes. Since CiraSync uses the Azure consent model, no passwords are ever transmitted to CiraSync. A token is issued when a Microsoft 365 global admin grants consent to CiraSync. It is not possible to use this token for any other application. Subscriber data is kept in the Microsoft Cloud. More details here: How We Handle Your Security

Is CiraSync HIPAA compliant?

The CiraSync service does not handle any patient-related data, so there is no need for it to be HIPAA compliant. CiraSync only reads contacts and calendar events from the Microsoft 365 source. We have many hospices and medical practices as customers who use CiraSync for this functionality.

Will you sign a HIPAA Business Associate Agreement with our company?

Yes, we will. Send us your HIPAA BAA for review, and we can complete it as needed.

Can you send us a DPA or similar?

Yes, we send any and all security-related information upon request. To receive a DPA from us, please contact our Customer Success Team by submitting a Support Ticket.

CiraSync Compliance with GDPR

CiraSync takes user data security very seriously. For European Union (EU) customers, we at Cira Apps have modified the CiraSync user experience to comply with the General Data Protection Regulation (GDPR).

Setting Microsoft 365 CiraSync Data Residency

At CiraSync, there are cloud workers that sync information to smartphones and Exchange mailboxes. These workers live in data centers in the European Union (EU) and North America. To comply with existing data security laws and protect user data, CiraSync data residency settings can be set right on the CiraSync tenant dashboard. 

Securing the CiraSync Service Account

We recommend that CiraSync Enterprise Edition users create a dedicated service account to serve as the Global Administrator for CiraSync. This account is secure because CiraSync is an application that lives in the Microsoft Azure Cloud. However, we do take any and all security concerns seriously, and we at Cira Apps have compiled extra security measures that can be taken to secure the CiraSync service account.