enovation / moodle-atto_teamsmeeting

atto plugin

Data protection questions regarding the backend system https://enovation.ie/msteams #51

Closed abias closed 2 months ago

abias commented 3 months ago

I have raised the following inquiry directly with the Enovation support team, but have been asked to post it in public here so that it can be answered in public.


Basically, this plugin works really fine, thanks for creating and publishing it! We have just some questions regarding data protection as the plugin relies on a backend app which you are hosting on https://enovation.ie/msteams. Reading through the docs, I have understood that this backend app is a fork of an official MS solution for self-hosting and you are providing it as an easy-to-use solution for all Moodle administrators. Thanks for that as well.

I have also seen that we would be able to host this app ourselves which just comes with some effort for setup and maintenance. We would like to avoid this effort as long as possible, but as some of our clients are really data-protection-aware, these questions have arisen now:

  1. Can you tell me or point me to some documentation which data (especially personal data about the Moodle users using the plugin and the Moodle instance running the plugin) is submitted from the Moodle instance to your backend app? Of course, I can have a look at the code, but maybe you have a ready-to-paste answer already for me at hand.

  2. Are you offering a data processing agreement for the usage of this backend app which we could sign, similar to how Moodle HQ offers data processing agreements for the Moodle Mobile App? This would help us to tell our customers that their data is safe.

  3. Is there any data stored persistently in the backend app or is it just a broker which passes data back and forth? Again, I can have a look at the code, but maybe you have a ready-to-paste answer already for me at hand.

  4. If we start with your backend app and switch to a self-hosted instance sometime in the future, will this trigger any hiccups for existing meetings?

  5. Isn't there any possibility to bundle this backend app into the Moodle plugin codebase?

I would appreciate your answer and would like to thank you for your effort in advance!

Cheers, Alex

weilai-irl commented 2 months ago

Hi @abias,

Before answering the questions, let me highlight a few facts about the Teams Meetings app.

  1. The code of the app can be found at https://github.com/enovation/msteams-app-lms-meetings, and it's a fork of https://github.com/OfficeDev/msteams-meetings-template.
  2. The Teams Meeting app deployed at https://enovation.ie/msteams will be removed soon. It has been moved to https://enomsteams.z16.web.core.windows.net/, and this value has been set to the default setting in the latest version of the atto and tiny editor plugins. Please update the settings if your site is still pointing to https://enovation.ie/msteams.
  3. At a high level, this is how the Moodle editor plugins interact with the Teams Meeting app and Microsoft: When a Moodle user clicks the Teams Meeting button in the editor, the browser will create an iframe with a URL to the Teams Meetings app, with the following additional GET parameters:
    • url: encoded Moodle URL.
    • locale: self-explanatory.
    • msession: Moodle session key.
    • editor: either "atto" or "tiny", depending on which Moodle editor plugin is used.

     The Teams Meeting app then checks for user login, and shows the Microsoft login page if needed. It then displays a page to allow creating meetings. Once a meeting is created, the Teams Meeting app will redirect the iframe to a return URL, which is a URL in the Moodle editor plugins constructed using the "url" parameter passed in. Different return URLs are used for the atto and tiny editors. The URL contains the following GET parameters:
    • link: Link to the created meeting.
    • title: Title of the created meeting.
    • preview: The preview of the message associated with the event.
    • session: The Moodle session key received in the "msession" parameter. Used for verification.

     The Moodle editor plugins have facilities to process requests made to the return URLs, and will then save the links in the DB, and add the corresponding contents to the editor contents.
  4. It's worth highlighting that the meetings will be created using the Microsoft Teams license of the logged-in user, and not using the license of the Teams Meetings app. Also the meetings created will not show in the user's Teams app. According to https://github.com/OfficeDev/msteams-meetings-template/blob/master/README.md, it's possible to modify the app to add the created meeting to the Teams using additional Graph API calls, but this process is per tenant (i.e. you will need to add additional logic to achieve it, and it will require more permissions to the Azure app for the Teams Meeting app), therefore it's infeasible to support this in a generic app provided by Enovation.

So to answer the questions:

  1. There is no existing document on which data are submitted from Moodle to the Teams Meeting app. You can check https://github.com/OfficeDev/msteams-meetings-template/blob/master/SECURITY.md but it doesn't seem to provide a lot of information. The data sent from Moodle to the Teams Meeting app are described in the steps above.
  2. No, there is no data processing agreement offered for the Teams Meeting app.
  3. No, there are no data stored in the Teams Meeting app. The app doesn't know who has been using the app, and what meetings have been created from it.
  4. No, you can switch meetings app at any time.
  5. I'm afraid this is not possible. The app requires a separate Azure app, and a completely different and separate deployment process. It's infeasible to bundle this as part of the Moodle plugins.

Regards, Lai
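
The parameter exchange described in the comment above, as an added example that is not part of the original thread or of the plugins' code: it builds the iframe URL with the four listed parameters, lists what would leave Moodle for the app host, and checks a return request against the session key. The hosts, the return path and the key value are constructed placeholders.

```javascript
// Added illustration; not code from the editor plugins or the Teams Meetings app.
// Parameter names come from the comment above; hosts, path and key are constructed.
const OUTBOUND = ["url", "locale", "msession", "editor"];
const RETURNED = ["link", "title", "preview", "session"];
const MOODLE = "https://moodle.example.test";   // constructed
const APP = "https://teams-app.example.test/";  // constructed
const SESSKEY = "Zk3constructed";               // constructed

// Step 1: the iframe URL the browser requests from the Teams Meetings app.
function buildAppUrl(appBase, moodleUrl, locale, sesskey, editor) {
  const u = new URL(appBase);
  u.search = new URLSearchParams({ url: moodleUrl, locale, msession: sesskey, editor }).toString();
  return u.toString();
}

// Audit: list the query parameters that leave Moodle and flag undocumented ones.
function auditOutbound(iframeUrl) {
  const sent = [...new URL(iframeUrl).searchParams.keys()];
  return { sent, unexpected: sent.filter((n) => !OUTBOUND.includes(n)) };
}

// Compare keys without stopping at the first differing character.
function sameKey(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Step 2: checks a return-URL handler can make before saving the meeting link.
function checkReturn(returnUrl, moodleOrigin, sesskey) {
  const u = new URL(returnUrl);
  const p = u.searchParams;
  const problems = [];
  if (u.origin !== moodleOrigin) problems.push("return URL is not on the Moodle origin");
  for (const n of RETURNED) if (!p.has(n)) problems.push("missing parameter: " + n);
  if (!sameKey(p.get("session") || "", sesskey)) problems.push("session key mismatch");
  let link = null;
  try { link = new URL(p.get("link") || ""); } catch (e) { /* not a URL */ }
  if (!link || link.protocol !== "https:") problems.push("meeting link is not an https URL");
  return { ok: problems.length === 0, problems };
}

const iframeUrl = buildAppUrl(APP, MOODLE + "/", "en", SESSKEY, "atto");
console.log(auditOutbound(iframeUrl));
console.log(checkReturn(MOODLE + "/return-placeholder?link=https%3A%2F%2Fmeet.example.test%2Fj%2F1" +
  "&title=Standup&preview=Join&session=" + SESSKEY, MOODLE, SESSKEY));
```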

abias commented 2 months ago

Hi Lai,

thank you very much for taking the time to compose this very useful information!

Alex