3 Security and Privacy in the Wrepit solution
Wrepit is sincere in its pledge to protect your security and privacy. We have implemented best practice authentication and security solutions, and have solid internal processes and routines.
3.1 Identity Management
Wrepit authenticates users in 2 different locations: Word and Wrepit (see 1.1 Word vs Wrepit).
3.1.1 Authenticating in Word
Authentication in Word is not required. You can use Word without any of our add-ins.
If you are using our Excel2Word by Wrepit add-in, the add-in needs to authenticate the Microsoft 365 user, who can then give delegated access via MS Graph to Excel files in the user’s SharePoint. The add-in uses an Enterprise Application with delegated permissions, and authenticates to the Enterprise Application using the Microsoft Authentication Library (MSAL). Authentication is handled entirely in the add-in browser client, and no data is sent to Wrepit servers.
3.1.2 Authenticating in Wrepit Portal
Authentication in the Wrepit Portal is required. Wrepit utilizes Auth0 as a state-of-the-art authentication provider. With our Auth0 integration, users can sign up with:
- Username and Password
- Their Google account
- Their Microsoft 365 account (Enterprises may require installation: 1.2 Required installation)
See Auth0 Universal Login and how to connect Auth0 to Azure Active Directory for more information about Auth0. Wrepit uses the multitenant Azure AD approach.
Can users change authentication method?
Yes, users can merge accounts with the same email address. Merging requires authenticating both accounts, and this is handled by the Wrepit signup user flow.
Users who have signed up with their Google or Microsoft accounts may not create a new Username and Password account. Similarly, users who merge their Username and Password account with a more secure solution (Google or Microsoft) are no longer able to sign in with Username and Password.
Can we enforce authentication from Microsoft 365 (Entra / AAD) accounts?
Yes, this is available as an Enterprise feature in Wrepit. If enabled, you can specify that signing in must occur from a specific Microsoft Entra tenant, decided by your Entra tenant ID.
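An added illustration of the tenant restriction described above (not Wrepit's code): a check that Entra ID token claims come from the one allowed tenant in a multitenant setup. The function names, reason strings and sample GUIDs are constructed, and the claims are assumed to come from a token whose signature, audience and expiry were already verified.

```javascript
// Added example: tenant restriction for a multitenant Entra ID sign-in.
// Assumption: `claims` is the payload of an ID token that a JWT library has
// already verified (signature, audience, expiry). Only tenant binding is
// checked here.

const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;

// Issuer formats Entra ID uses for a given tenant (v2.0 and v1.0 endpoints).
function expectedIssuers(tid) {
  return [
    `https://login.microsoftonline.com/${tid}/v2.0`,
    `https://sts.windows.net/${tid}/`,
  ];
}

function checkTenant(claims, allowedTenantId) {
  const allowed = String(allowedTenantId).toLowerCase();
  if (!GUID.test(allowed)) return { ok: false, reason: "bad_config" };

  const tid = typeof claims.tid === "string" ? claims.tid.toLowerCase() : "";
  if (!GUID.test(tid)) return { ok: false, reason: "missing_tid" };

  // A multitenant app cannot pin one fixed issuer, so confirm that iss is
  // the issuer belonging to the same tenant that tid names.
  if (!expectedIssuers(tid).includes(claims.iss)) {
    return { ok: false, reason: "issuer_mismatch" };
  }
  if (tid !== allowed) return { ok: false, reason: "tenant_not_allowed" };
  return { ok: true, reason: null };
}

// Constructed sample values (not real tenants).
const TENANT_A = "11111111-2222-3333-4444-555555555555";
const TENANT_B = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee";
const sampleClaims = {
  fromA: { tid: TENANT_A, iss: `https://login.microsoftonline.com/${TENANT_A}/v2.0` },
  fromB: { tid: TENANT_B, iss: `https://login.microsoftonline.com/${TENANT_B}/v2.0` },
  mixed: { tid: TENANT_A, iss: `https://login.microsoftonline.com/${TENANT_B}/v2.0` },
};

for (const [name, claims] of Object.entries(sampleClaims)) {
  console.log(name, checkTenant(claims, TENANT_A));
}
```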
Can we automatically provision users from our Entra / AAD tenant into our workspace in Wrepit?
Yes, this is available as an Enterprise feature in Wrepit. By enabling this, you can manage who is allowed to sign in with their Entra/AAD accounts directly in your Entra/AAD settings.
Newly provisioned users are added to your workspace with Reader privileges. Elevating their permissions is done within the Wrepit portal workspace settings.
3.2 Hosting
Your data is hosted in 3 different locations: your Microsoft 365 (MS 365) tenant, and our services on Amazon Web Services (AWS) and Vercel.
- Working in Word: Your data is hosted on your own computers or within your own MS 365 tenant, typically on SharePoint. The MS 365 hosting is managed by your organization. Wrepit provides add-ins in MS Word that are hosted on AWS and Vercel. The add-ins never collect any of your data.
- Working in Wrepit Portal: Your data is stored in AWS and Auth0, and presented to you in applications hosted on both AWS and Vercel. Data storage uses a combination of AWS Aurora PostgreSQL and AWS S3.
All your data is encrypted and the database is disconnected from the Internet, and only accessible through a secure Amazon API Gateway.
Wrepit has logging and monitoring in place for all critical systems.
3.3 Encryption
All data is encrypted both in transit and at rest.
Data in transit is secured using HTTPS/TLS.
Wrepit uses Amazon S3 and Amazon Aurora for data storage and leverages their respective built-in features for encryption at rest. Auth0 applies both at-rest and in-transit encryption.
3.4 Data Storage
As mentioned in Hosting, Wrepit only stores data when you work inside the Wrepit Portal. The data stored by Wrepit is:
- Your organization’s users within Wrepit, including email addresses, sign-in methods and names. (Auth0 and AWS)
- Word documents uploaded to Wrepit by your organization’s users, and both textual and media content from these documents. (AWS)
- User and Workspace settings. (AWS)
In addition, we store visitor data for your publications with the privacy-friendly analytics solution Plausible.
3.4.1 Dedicated or Multi-tenant environment?
Your data when working in Word is stored in your own dedicated MS 365 tenant.
Your data when working in Wrepit Portal is stored in a multi-tenant environment. The data stored in the multi-tenant environment is segregated logically by authentication barriers and scopes. The logic is rigorously tested and has also been penetration tested by a third party.
3.4.2 Who has access to the infrastructure, hardware, software, and data?
No one in Wrepit has access to your MS 365 tenants, or any data you create or interact with in MS Word when using our add-ins for MS Word.
Only select, credentialed employees have access to data stored on Wrepit-controlled servers. Access to this data is secured via explicit access procedures which trigger audit logs, meaning all such access is logged. According to Wrepit procedures, accessing such data is strongly discouraged, and the access is only used when strictly necessary.
3.5 Data locations
Your data is stored with GDPR legislation in mind in European Economic Area (EEA) servers. Refer to our Privacy Policy for more information.
3.6 Data backups
Wrepit Portal data, including user information and your documents/publications, is backed up by replication to offsite AWS data centers within the EEA.