Security and Trust in Wrepit

Wrepit

: To display basic user information in the add-in.

Files → Permissions → Use Sharing Links

: To get the Excel file from a Sharepoint Sharing Link and read its contents.

Since the add-in is built as a Single Page Application (SPA), every API interaction occurs client-side and can be inspected in the browser network tab inside MS Word.

Wrepit is built using Security first and Privacy first principles. We pledge to take good care of your data, and never to share your data with any third parties except by your explicit consent or request.

Add-ins are plugins that integrate with Microsoft Word. Add-ins provided by Wrepit are intended for desktop use on Windows and Mac computers. 

Data never leaves the add-ins. Add-ins only transit data into your Word document.

Add-ins for MS Word are downloadable from Microsoft App Source. They are web applications that operate inside a sandboxed browser environment directly within the MS Word application, and has access to a Javascript API to read and modify the Word document. (

Microsoft Documentation for Developing Add-ins

Microsoft Graph is your organization’s internal Microsoft API, and can be used to e.g. obtain user information and interact with your Sharepoint. MS Graph is built with a permission system, where you can grant external parties permissions to certain parts of your MS Graph API. For instance, to read your user data from MS Graph, the permission 

Wrepit add-ins operate within the sandboxed browser environment inside Microsoft Word. Thus they have access to read and modify the data in the Word document. 

To be transparent, Wrepit has built the add-ins as Single-Page Applications (SPA), running inside the sandboxed browser. The reason for designing the add-ins this way is to maintain data transparency: Wrepit could never collect data to any servers without leaving traces in the browser network tab. This supports our pledge that no data should ever leave the Microsoft Word environment.

Add-ins store necessary metadata inside your Word document using Content Controls or the 

. No add-in data is sent to Wrepit servers or to any third parties.

 you will be presented with a set of Microsoft Graph permissions you must approve. This article explains which permissions the add-in requires and how they are used.

Overview of Security, Privacy and Architecture

Microsoft Graph has 2 different sets of permissions: application permissions and delegated permissions. Application permissions allows the application to act as any user, whereas delegated permissions allows only signed-in users of the application. 

All permissions requested by Excel2Word by Wrepit are delegated permissions. The add-in is run in a sandboxed browser environment on the user’s computer. Thus the permissions for the user of the add-in are limited by both the MS Graph permissions and the MS 365 user’s permissions.

By using delegated permissions, users of the add-in will never have access to anything they wouldn’t otherwise have access to in your organization’s Microsoft 365 tenant. Since 

 only accesses Excel files in your organization, the user can only access Excel files that have been shared directly with the user.

 docs for more details on delegated permissions.

 requires the following permissions, following the least necessary access principle:

Used to sign in to the add-in and read the user profile

 to Excel files, and to retrieve the contents of the Excel file.

 for full details on what permissions scopes grants access to what, as well as a full explainer from Microsoft on 

How Excel2Word by Wrepit uses these permissions

After having received the MS Graph permissions, the add-in uses your MS Graph API to call the following API endpoints:

Security and Trust in WrepitOverview of Security, Privacy and Architecture