Applicable plans: ✅ The free plan, ✅ The complete plan, ✅ On-demand plan
This article describes Waldo's architecture and data privacy.
1 - Architecture
Waldo is a multi-tenant SaaS (Software as a Service) application. Think of Waldo as a web platform embedded directly into Microsoft Teams.
Waldo's infrastructure relies on several Microsoft Azure components:
- Microsoft Azure Active Directory
- Azure Storage
- Azure SQL
- Azure Bot Service
- Azure App Service
- Azure Event Hub
- Azure Functions
- Power BI
- Microsoft Graph
| 1 - Waldo uses Azure Entra ID to authenticate and authorize every request to their environment and Microsoft 365. |
| 2 - Waldo is fully integrated with the relevant apps in the Microsoft 365 suite, primarily Teams and Copilot, as well as Outlook. The Waldo Agent uses the Copilot stack to respond and interact with our API and is implemented as a declarative agent. |
| 3 - Each request goes to our infrastructure, which is hosted on Microsoft Azure, either to the web apps or via scheduled triggers to initiate check-ins or send notifications. |
| 4 - Azure Event Hub dispatches and processes events (for example, seat or parking changes and check-ins). External integrations, such as Exchange Calendar, can also generate events. |
| 5 - Data is securely stored in isolated containers per tenant. |
| 6 - Users can visualize and analyze data via a dedicated Power BI connector. |
2 - Data
Data is hosted on Microsoft Azure within a multi-tenant environment. However, we do not store personal user information like names or email addresses.
By default, data is stored in data centers in Middenmeer (Netherlands) and Clondalkin (Ireland), which align with Microsoft 365’s European hosting policies.
We only store User IDs. The link between these IDs and user identities is managed by your own Azure Active Directory. The same applies to offices and areas.
For admin and marketing purposes, we store:
- Email, first name, and last name of the Waldo administrator
- Email, first name, and last name of the administrative contact
- Email, first name, and last name of the technical contact
ℹ️ If the WelcomR integration is enabled and configured, Waldo sends the user's badge number, email and Azure ID to the WelcomR system.
3 - Encryption & Network
3.1 - Data at rest
Data is encrypted using 256-bit AES, compliant with FIPS 140-2 standards.
3.2 - Data in transit
All data in transit is encrypted. TLS 1.3 is used by default.
3.3 - Network
All communication uses HTTPS. There’s no need to open specific ports or URLs on your side.
4 - Authentication
The authentication model is based on full delegation to an external Identity Provider, namely Microsoft Entra ID as part of Microsoft 365.
User authentication is handled directly by this Identity Provider using standard protocols such as OAuth 2.0 and OpenID Connect.
Our application then consumes the access tokens issued by the provider to authorise access to resources.
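The sketch below shows the claim checks a multi-tenant API typically applies when it consumes an Entra ID access token. It is an added example, not Waldo's own code. It assumes the token signature has already been verified against Microsoft's published signing keys and that v2.0 tokens are in use; the audience, tenant IDs, container names and the `Bookings.Read` scope are constructed placeholders.

```python
import time

# Constructed placeholder values, not Waldo's real identifiers.
API_AUDIENCE = "api://00000000-0000-0000-0000-0000000000aa"
TENANT_CONTAINERS = {
    "11111111-1111-1111-1111-111111111111": "tenant-a-container",
    "22222222-2222-2222-2222-222222222222": "tenant-b-container",
}


class TokenRejected(Exception):
    """Raised when verified claims do not authorise the request."""


def authorize(claims, required_scope, now=None):
    """Map signature-verified v2.0 claims to (tenant container, user object ID)."""
    now = time.time() if now is None else now
    if claims.get("aud") != API_AUDIENCE:
        raise TokenRejected("token was issued for a different API")
    tid = claims.get("tid")
    if not isinstance(tid, str) or tid not in TENANT_CONTAINERS:
        raise TokenRejected("tenant is not onboarded")
    # A multi-tenant app accepts tokens from many tenants, so the issuer is
    # checked against the tid claim rather than against one fixed string.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        raise TokenRejected("issuer does not match tenant")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenRejected("token expired")
    if claims.get("nbf", 0) > now:
        raise TokenRejected("token not yet valid")
    if required_scope not in str(claims.get("scp", "")).split():
        raise TokenRejected("missing scope")
    oid = claims.get("oid")
    if not oid:
        raise TokenRejected("no user object ID")
    # Only the opaque object ID is returned; name and e-mail claims are ignored.
    return TENANT_CONTAINERS[tid], oid


def sample_claims(**overrides):
    """Constructed claims for tenant A, valid at now=1000."""
    tid = "11111111-1111-1111-1111-111111111111"
    claims = {"aud": API_AUDIENCE, "tid": tid, "exp": 2000, "nbf": 500,
              "iss": f"https://login.microsoftonline.com/{tid}/v2.0",
              "scp": "Bookings.Read User.Read", "name": "Constructed User",
              "oid": "aaaaaaaa-0000-0000-0000-000000000001"}
    claims.update(overrides)
    return claims
```

Binding the storage container to the `tid` claim is what keeps a valid token from one tenant from reaching another tenant's data.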
5 - Consent
🧠 Curious about user consent? You can check out this article for more details.
6 - URLs and IPs
Waldo communicates through the following URLs: