Wrike for Outlook

Last updated by the developer on: March 23, 2020

General information

Information provided by Wrike Inc. to Microsoft:

App name: Wrike for Outlook
ID: WA104381120
Office 365 clients supported: Outlook 2013 or later on Windows, Outlook 2016 or later on Mac, Outlook on iOS, Outlook on the web, Outlook on Android
Partner company name: Wrike Inc.
URL of partner website: https://www.wrike.com/
URL of Privacy Policy: https://www.wrike.com/privacy/
URL of Terms of Use: https://www.wrike.com/terms/

Feedback

Questions or updates to any of the information you see here? Contact us!

How the app handles data

This information has been provided by Wrike Inc. about how this app collects and stores organizational data and the control that your organization will have over the data the app collects.

Data access using Microsoft Graph

List any Microsoft Graph permissions this app requires.

This application does not use Microsoft Graph.

Data access using other Microsoft APIs

Apps and add-ins built on Microsoft 365 may use additional Microsoft APIs other than Microsoft Graph to collect or process organizational identifiable information (OII). List any Microsoft APIs other than Microsoft Graph this app uses.

API Is OII collected? What OII is Collected? Justification for collecting OII? Is OII stored? Justification for storing OII?
JavaScript API for Office Yes The add-in uses the Office.js API to integrate with the Office application. No organizational data is stored in Wrike's databases.

Non-Microsoft services used

If the app transfers or shares organizational data with a non-Microsoft service, list the non-Microsoft service the app uses, what data is transferred, and include a justification for why the app needs to transfer this information.

All non-Microsoft services OII is transferred to What OII is transferred? Justification for transferring OII?
Wrike has integrations with the following vendors, which have access to some data:

  • Marketo (email lead capturing services): only names and emails are provided to them.
  • Outreach (cloud-based sales engagement): only names and emails are provided to them.
  • Salesforce (CRM system): has contact information and billing (no sensitive data) information of customers.
  • Zuora: billing and invoicing customers.

There is a DPA in place for all the vendors. We use the JS Office API; however, we do not collect/process/store any organizational information.

Telemetry data

Does any organizational identifiable information (OII) or end-user identifiable information (EUII) appear in this application's telemetry or logs? If yes, describe what data is stored and what are the retention and removal policies?

No

Organizational controls for data stored by partner

Describe how organization's administrators can control their information in partner systems? e.g. deletion, retention, auditing, archiving, end-user policy, etc.

Wrike has a multi-tenant architecture that logically segregates customers’ data through access control based on customer metadata. This metadata is associated with the specific tenant and its access rights according to the role-based access rules within the specific Wrike account. Data is logically isolated and segregated, and access to data is only available through the application to ensure security and privacy. Security at the application level blocks tenants from accessing or modifying application data owned by another tenant. Wrike's application has extensive authentication, role-based access control, authorization, and data sharing and control mechanisms (see https://help.wrike.com/hc/en-us/articles/209603589-Access-Roles and https://help.wrike.com/hc/en-us/articles/209602969) that allow data access for authorized users only.

Additionally, encryption at rest is applied to user files uploaded to Wrike servers in file storage via both the web application and the API; the files are automatically encrypted using AES 256-bit encryption. Furthermore, all servers are encrypted at rest using file system encryption, and Wrike offers the Wrike Lock add-in for an encryption key managed by the customer; see https://www.wrike.com/add-on-wrike-lock/ and https://help.wrike.com/hc/en-us/articles/360012347934-Wrike-Lock.

As an additional layer of data security, Wrike offers Audit and Reporting functionality that allows administrators to conduct full security reviews while increasing visibility into what is happening in their Wrike account; more details can be found at https://help.wrike.com/hc/en-us/articles/209606309-Audit-Reports. Finally, Wrike provides functionality allowing the granular tracking of access roles to help customers fully audit existing data sharing; see details at https://help.wrike.com/hc/en-us/articles/360002004534-Access-Reports.

Access to customer data can be considered in two cases:

  • Access by the Wrike Support team: when troubleshooting or verifying an issue requires Support to access your account, that access can be granted only by you. This is enabled by a system-generated security token that you provide out of band to our Support team, allowing Support to delve deeper into solving your problem for a limited amount of time. This systemic approach ensures additional confidentiality for your data stored in Wrike.
  • Access by the Wrike Operational team: the Wrike Operational team is responsible for maintaining and supporting the production environment, including monitoring, patching and updating, delivering new builds to production, etc. The access in this case is strictly prohibited from both procedural and technical aspects, and strong authorization controls, including but not limited to VPN, 2FA and a personal certificate, are in place; moreover, it is monitored in detail using HIDS (Host-based Intrusion Detection System) and reviewed by the Wrike Operational Security team. In the case of Amazon KMS (Wrike Lock functionality), the customer data is stored encrypted in the Wrike database, so the data is not directly or indirectly available to the Wrike Operational team, because the data can be decrypted using access to the customer's Amazon KMS, which is managed and controlled by the customer only.

Human review of organizational information

Are humans involved in reviewing or analyzing any organizational identifiable information (OII) data that is collected or stored by this app?

No

Information from the Microsoft Cloud App Security catalog appears below.
