Technology and data security

Managing your business contacts in compliance with data protection regulations

The Secure Contacts app enables the management of business contacts on a smartphone in compliance with data protection regulations. Full integration with Microsoft Intune protects personal data and prevents synchronization with third-party apps such as WhatsApp, Google, etc. Users don’t have to store and maintain a single business contact on their own device.

All business data from the company address book, the personal Outlook address book, and customer data from any CRM systems or other sources are available in the app and managed centrally. It acts as a protected and encrypted container that prevents unintentional data loss to third-parties.

All the features at a glance

Safety & privacy

GDPR-compliant

Prevent uncontrolled loss of contact data by apps with access to the device’s phonebook (e.g., WhatsApp).

Encryption

256-bit AES encryption of data

Control over the data

No storage of data in iCloud or local backups and deletion in case of:
• Loss of the device
• Leaving the company
• Suspicious behavior

Control over data flow

Open-in control:
• Control of useful messenger and
telephony apps
• Deactivation of local data storage
Copy/paste control

Access protection

• PIN, TouchID, or FaceID before using the app
• Azure AD Conditional Access based on device status (= compliant device)

Usability & management

Outgoing calls and caller identification

Contacts from personal contacts in Outlook, company address book, CRM systems, and Microsoft Dataverse

Microsoft Teams status display

Display of Microsoft Teams status for contacts from the company address book

Integratable telephony and messenger applications

• Cell phone
• MS Teams
• Other services such as Cisco Jabber

Automated data maintenance

• Merging duplicate contacts
• Quick search in the address book

Central management of the app via Microsoft Intune

App-based configuration:
• App protection policies
• App configuration policies
• Global filtering rules for contacts
• CI customization

Architecture

Security concept

The security concept of the app is based on two components: First, data within the app is encrypted, and second, a security configuration is applied to the app via Microsoft UEM System Endpoint Management (Intune).

Data sources

The Secure Contacts app is a cloud-native app, which means it receives all of your Azure tenant’s contact information. Primary data sources are the Azure Active Directory (AAD) and the Global Address List (GAL). In addition, the app receives contact information from the user’s personal Outlook contacts (APC) (Exchange Online only). Optional data sources include Dynamics 365 (D365), MS Dataverse (DVRS), and Azure Blob Storage (ABS), which require additional configuration in the customer’s Azure tenant.

App data in transit

The app communicates only with the MS Azure Cloud, which means primarily with the Graph API and Azure Authentication Endpoint, and optionally with Azure Blob Storage and Azure Dataverse. All API calls or transactions are made via HTTPS with Transport Layer Security (TLS). After the SSL handshake, the Secure Contacts app and Azure API endpoints use the strongest encryption algorithm available on both sides. The app does not collect telemetry data in the process, nor does it connect to any endpoints other than the MS Azure Cloud.

App data at rest

The Secure Contacts app stores all data in a SQLite database with AES-256 encryption. The cryptography key is randomly generated using Microsoft’s RNGCryptoServiceProvider when the app is first launched. It is then securely stored in the device’s local iOS key chain. The app container itself is secured by MS Intune app protection. As a result, neither another app nor the operating system itself can view or modify the stored data.

Microsoft Intune

In addition to the security features, the Secure Contacts app also integrates the Microsoft Intune SDK. This enables features to be managed via Microsoft app protection policies.

These include, but are not limited to, the following features:

Secure access using app PIN or biometric factors
App data encryption
Control over data flow:
- Control of the OpenIn function: In which apps is OpenIn allowed?
- Copy/paste control: In which apps is copy/paste allowed?
- Links control: In which apps can calls, emails, chats be started and which web browser should be used?
- Access control when printing data
Selective deletion of app data, e.g., if the device is lost

The customer configures the Microsoft app protection policies. It is up to you to decide which of these features are enabled or disabled. We only make recommendations.

Authentication

Authentication is based on the Microsoft Authentication Library. It is used to log in to the “Provectus—Secure Contacts” Microsoft Azure AD Enterprise app using a business, school, or university account. The user IDs used for login can be found in your tenant.
You configure the Azure AD user account security (password, login factors, etc.). It is up to you to decide which account security configuration to use.

Microsoft Conditional Access is used to manage which devices can use the app. This can be used, for example, to specify that the app may only be used on company-owned, MDM-managed, or privately-owned devices. The customer also configures the Microsoft Conditional Access policies. You define what types of access are allowed or not allowed.

FAQ: Frequently Asked Questions

Data structure & how it works

Data model

Features

Requirements

What data is processed?

The Secure Contacts app processes the following contact information:

• First and last name
• Company name
• Position/job title
• All stored email addresses
• All stored phone numbers
• Profile photos
• Contact GUID
• Data source name/ID/priority
• Hash ID

How is the data in the app processed?

The resync process initiates when the app is launched for the first time or when the user performs pull-to-update. During the resync process, the app queries all configured data sources the user has been authorized for. It then analyzes each received contact, removes duplicates, merges contacts from different data sources and, if possible, standardizes each phone number using the international format (ITU-T E. 164). After that, the contact data is encrypted and stored in the local SQLite Cipher database. The next time the program is started, the contact data will be loaded from the database.

How are incoming calls identified?

The Secure Contacts app uses Apple’s iOS CallKit blocking & identification feature. Before an incoming call, the phone numbers needing identification are loaded from the Call Directory extension and stored by the operating system hidden from all other apps on the phone. When the phone gets an incoming call, the system first searches the user’s local contacts to find a matching phone number. If no match is found, the system then searches the Secure Contacts app’s caller directory to find a matching caller identification entry.

How is the display of MS Teams status integrated?

If configured, the Secure Contacts app uses the Graph API to periodically query the status of MS Teams. To do this, it sends the GUID of each contact originating from Azure Active Directory [AAD] to the Graph API and then retrieves the status information. This information is then included in the current view of the application. Depending on the current view, the query interval is between 20 and 60 seconds. The application stops querying the status of MS Teams when it is running in the background.

What licenses do I need for my Microsoft tenant?

• Azure Active Directory Premium P1 (or higher)
• Exchange Online P1 (or higher)
• Microsoft Intune

What device requirements does the app have?

• iPhone with iOS 15 or later
• iPad with iOS 15 or later