Privacy and Security FAQ

1. Data Processing

(a) Question: What data is transmitted, processed or stored on Implicit’s own infrastructure?

Answer: The only data that is sent to, processed by and stored on Implicit’s infrastructure is licensing-related data that includes: region (UK/AU), company name, user name, email address, intelliflo office tenant/user IDs, Outlook email address, software version, install/update date and times, and IP address.


(b) Question: How does this data reach Implicit’s servers?

Answer:

(1) During user sign-up on the intelliflo store, the following data is sent from the intelliflo store directly to the Implicit licensing servers: region (UK/AU), company name, user name, email address, intelliflo office tenant/user IDs.

(2) During periodic license verification, the following additional data is sent from the Implicit software (running on users’ desktops) to Implicit licensing servers: Outlook email address, software version, install/update date and times, IP address.

(3) Upon sending a support ticket to Implicit the following data is submitted: user name, company name, email, ticket information.


(c) Question: Do you use any third-party services as sub-processors?

Answer: Yes, Implicit uses Amazon AWS as a third-party hosting service.


(d) Question: What data is NOT transmitted to Implicit?

Answer: Data NOT transmitted to Implicit includes:

Intelliflo office data: Clients, prospects, activities, portfolio, service cases/plans/tasks, communication, email, personal information data (other than advisors’ licensing information above). Such data is processed locally on end-users’ desktops between intelliflo office, Microsoft 365 and Outlook and is never transmitted to or stored by Implicit.

Email Messages: Communicated directly between Microsoft 365 and advisors’ desktops (Outlook). Archived emails are retrieved from Microsoft 365 and stored in intelliflo office by the Implicit for Outlook software on the desktops.


(e) Question: Can you provide a diagram of the data flow?

Answer: The following diagram shows the data flow between the four entities:

  • Intelliflo office
  • Microsoft 365
  • Users’ Outlook with Implicit for Outlook software installed
  • Implicit licensing servers

Data Sent to Implicit:

Licensing-Related data – Sent upon end-user sign-up from the intelliflo store to the Implicit licensing servers: region (UK/AU), company name, user name, email address, intelliflo office tenant/user IDs.
License verification – Additional data sent periodically from Implicit for Outlook software: Outlook email address, software version, install/update date and times, IP address.

Data NOT Sent to Implicit:

Intelliflo office data: Clients, prospects, activities, portfolio, service cases/plans/tasks, communication, email, personal information data (other than advisors’ licensing information above).

This data is processed locally on end-users’ desktops between intelliflo office, Microsoft 365 and Outlook and is never transmitted to or stored by Implicit.

Email Messages: Communicated directly between Microsoft 365 and advisors’ desktops. Archived emails are retrieved from Microsoft 365 and stored in intelliflo office by the Implicit for Outlook software on the desktops.

2. Email Processing

(a) Question: Does Implicit have any access to the advisors’ emails?

Answer: No. Implicit does not have any access to advisors’ emails. Emails are retrieved from Microsoft 365 by the Implicit software that is running on users’ desktops and archived from the desktops directly to intelliflo office. Email data is never sent to Implicit.


(b) Question: At what point is email data processed outside of Microsoft 365 / Exchange?

Answer: When users click on ‘Archive an email’ on the Outlook side-panel, the Implicit software running on users’ desktops retrieves the email (including attachments) and archives it directly to intelliflo office. A similar process takes place when auto-email archiving is enabled: the Implicit software detects that an email has been received or sent from/to intelliflo office clients/leads, it retrieves the email and archives it directly from the desktop to intelliflo office.


(c) Question: Are emails stored or cached on the Implicit servers?

Answer: No. Not even temporarily.

3. Data Storage & Residency


(a) Question: Does any data leave the UK or EEA?

Answer: Yes.


(b) Question: Where does the stored data reside geographically?

Answer: Licensing data is currently hosted on our licensing servers on Amazon AWS in the US region.


(c) Question: Details of data retention policies (including logs, archives, and temporary storage)

Answer: Please see our Privacy Policy, section 2.9 (General), and UK-GDPR Schedule A, section 7.

4. Data Protection & Compliance


(a) Question: What is Implicit’s role as data processor?

Answer:

In respect of any personal data (licensing-related data described above) – This data is shared with Implicit by intelliflo (as an independent controller) upon end-users’ sign-up on the intelliflo store; Implicit and intelliflo act as independent controllers.

In respect of any periodic license-verification and support data – Those are collected by Implicit directly from the end-users; Implicit is the sole controller of this data.

Note: This data is not received from, or processed on behalf of, the advisor firm. Therefore, Implicit is not a processor or sub-processor of the advisor firm in respect of any personal data.


(b) Question: Are you using any sub-processors?

Answer: Yes, Implicit uses Amazon AWS as a sub-processor (cloud hosting).


(c) Question: Is a Data Processing Agreement required?

Answer: No, a Data Processing Agreement (“DPA”) under Article 28 UK GDPR is not required between Implicit and the advisor firm for the following reasons:

  • The personal data that Implicit holds is not received from, or processed on behalf of, the advisor firm. Upon end-users’ sign-up, data is shared with Implicit by intelliflo (as an independent controller). Periodic license-verification and support data are collected by Implicit directly from the end-user.
  • All other personal data that the advisor firm and its end-users handle — Clients, prospects, activities, portfolio, service cases/plans/tasks, communication, email, personal information data (other than advisors’ licensing information specified above) — is processed locally on end-users’ desktops between intelliflo office, Microsoft 365 and Outlook, and is never transmitted to, accessed by or stored on Implicit’s systems. Implicit therefore has no controller-to-processor relationship with the advisor firm in respect of any personal data, and Article 28 does not apply.

(d) Question: Can you provide information on your GDPR compliance approach, including data subject rights and breach notification procedures?

Answer: Please see our Privacy Policy schedule A for UK GDPR.

5. Security & Encryption


(a) Question: What encryption standards are used for data in transit and at rest?

Answer: HTTPS / Transport Layer Security (TLS) 1.2 or higher in transit and AES-256 (or equivalent) on Amazon AWS at rest.


(b) Question: What authentication and access controls are used on the Implicit Licensing servers?

Answer: Implicit utilizes multi-factor authentication and role-based access control for administrative access to the licensing portal.