We have built all our Add-Ins (including the Template Chooser) on a solid, enterprise-proven security architecture. We have chosen an architecture that follows these simple principles.
We believe that it is not acceptable for customer data ever to be transferred to any of our officeatwork servers, and that we should in general limit the data we do transfer to our servers to the bare minimum possible.
We do not introduce a new permission or security schema, but always use the existing permission and security schemas already in place and offered by the data providers such as Office 365. This allows our Add-Ins to access only data that the user of the Add-In has already been approved for.
All data transfer is encrypted.
Any data we store is encrypted.
As our Add-Ins connect to existing data providers, they automatically inherit the security settings defined by each data provider. In the case of Office 365, for instance, our Add-Ins also support two-factor authentication if it is configured within the customer's Office 365 tenant (Azure AD).
Another hot security topic is which access permissions are exercised when user data or company data (IP) is processed by the Add-In. Following our security principles, our Add-Ins do not have their own independent data access definitions. What the Add-In can access is always governed by the data provider. In the case of Office 365, this is the data access schema provided by Office 365.
So in the case of Office 365, the user will only see data within the Add-In that the user already has access to within Office 365. The data is always accessed in the scope of the user signed in to the officeatwork Add-In with their Office 365 user credentials.
The first time the Add-In needs access to specific data in Office 365, it has to ask the user for permission to do so. For example, if the Add-In wants to read data from SharePoint Online, it will ask the user (the first time only) whether it is allowed to access the user's data in SharePoint Online. The user can consent to this access request. This consent experience is provided by the data source, in this case Office 365.
If you are a larger organization, you might find it annoying that every user has to individually consent to the Add-In accessing their data for each data resource in Office 365. That is why we introduced an Admin Pre-Consent flow in all our Add-Ins. It allows an Office 365 Admin to consent on behalf of all users, so that the Add-In may access the data of each individually signed-in user. In some cases this flow also opens up access to data that a user cannot consent to on their own.