The following describes the main usage scenarios and how data flows between the different actors, such as the user, the Add-Ins, and other connected services.
When the Add-In is loaded, it uses encrypted communications via a high-availability Azure CDN service. Loading the Add-In requires neither User nor Customer Data.
To sign in to the officeatwork Add-Ins, you can use either your Microsoft personal or organizational account. The flow starts with the user signing in using Microsoft's sign-in flow. After successful identification by Microsoft, a User Access Token is collected by a trusted officeatwork server-side Azure Function, which then hands the Access Token to the Add-In together with tenant settings data stored in an officeatwork-controlled, globally available Azure Cosmos DB. This flow takes place without any connection to the customer's data.
While the user is interacting with the Add-Ins, data might be required. Access to that data is enabled via the User Access Token, which allows the Add-In to read and write data on behalf of the User directly, without having to pass through any officeatwork server services.