Security & Data Privacy
Iristick.Teams is designed to keep your data secure and your credentials out of third-party systems. This page explains what data the app accesses, what gets stored, how communication is encrypted, and how authentication works.
This information applies to the out-of-the-box (OOTB) deployment. For the self-hosted setup, all data stays within your own Azure environment — see OOTB vs Self-Hosted.
User Data
Data stored by Iristick
The Iristick backend stores a limited set of user information for validation, logging, billing, and abuse monitoring:
| Data | Purpose |
|---|---|
| Display name | User identification |
| User ID | Account linking |
| Tenant ID | Organization mapping |
| Email address | Contact and billing |
| Call summary | Usage tracking (who called, duration, which headset) |
Call summaries contain no participant content
Call summaries only record metadata: who initiated the call, how long it lasted, and which headset was used. No information about other participants, call content, or media is stored.
Data shown but not stored
The app retrieves and displays the following through the Microsoft Graph API. This data is not stored on Iristick servers — it stays in your Microsoft 365 environment.
- Recent Microsoft Teams chats
- Microsoft Teams contacts
- Calendar meetings
Encryption
Data in transit
All communication is encrypted using industry-standard protocols:
| Connection | Protocol |
|---|---|
| App to Microsoft Graph API | HTTPS / TLS 1.2+ / SSL |
| App to Azure Communication Services | HTTPS / TLS 1.2+ / SSL |
| App to Iristick backend | HTTPS / TLS 1.2 / SSL |
The Iristick backend only receives token exchanges and call summaries. No call content or media passes through Iristick servers.
Data at rest
All stored data is encrypted using AES-256, the industry standard for data-at-rest encryption.
Authentication & Authorization
Iristick.Teams uses MSAL (Microsoft Authentication Library) to authenticate users. Here's what that means for your security:
Iristick does not store or manage user credentials. When a user signs in, MSAL redirects them to a Microsoft-owned login page. The user enters their company's Microsoft 365 credentials directly on Microsoft's platform. Iristick never sees, processes, or stores these credentials.
Your Microsoft administrator has full control. Because authentication happens through Microsoft Entra ID, your IT admin decides which permissions the app receives and which users can access it. In some cases, the admin must explicitly approve the Iristick.Teams application before users can sign in.
Tokens, not passwords. After successful authentication, Microsoft issues tokens that the app uses to access Graph API and Azure Communication Services endpoints. These tokens are scoped to the permissions your admin granted and expire automatically.
```mermaid
flowchart LR
    A[User opens app] --> B[Redirected to Microsoft login]
    B --> C[User enters M365 credentials]
    C --> D[Microsoft Entra ID validates]
    D --> E[Token issued to app]
    E --> F[App accesses Graph API & ACS]
    E --> G[Token exchange with Iristick backend]
```
For the full list of permissions requested and admin setup instructions, see the IT Admin Setup Guide.
Self-Hosted: Full Data Control
Organizations with strict data policies can deploy Iristick.Teams in a self-hosted configuration. In this setup:
- No data or video traffic flows through Iristick servers
- All authentication and infrastructure run in your own Azure tenant
- You control every aspect of data storage and access
See OOTB vs Self-Hosted for a detailed comparison.