Robin connects to Exchange using Microsoft's proprietary secure authentication protocol called "NTLM". The NTLM protocol allows us to store Exchange authentication credentials in a one-way encrypted fashion (called "hashing"), so that a user's Exchange password is never stored in raw plain-text. You can read more about how to set NTLM up in Exchange here.
IP Addresses
Robin will connect to your on-premise Exchange service through the following IP addresses. Add them to your incoming connection allow list to make sure the connection goes through successfully.
- 52.2.86.183
- 52.1.210.4
- 52.70.146.223
- 52.2.109.92
You can also match user agents containing "RobinAPI", which will appear similar to RobinAPI/123456.
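One way to use both signals together when reviewing inbound EWS traffic, as an added example that is not Robin's own code: the user agent is set by the client, so it is trusted only in combination with the source addresses listed above. The log layout, verdict names and sample lines are constructed for illustration.

```python
import ipaddress

# Source addresses published on this page for Robin's inbound connections.
ROBIN_IPS = {ipaddress.ip_address(a) for a in (
    "52.2.86.183", "52.1.210.4", "52.70.146.223", "52.2.109.92")}
UA_MARKER = "RobinAPI"  # user-agent substring given on this page

# Constructed sample lines (assumed layout: time, client IP, path, user agent).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 52.2.86.183 /EWS/Exchange.asmx RobinAPI/123456
2024-01-01T10:00:05Z 203.0.113.7 /EWS/Exchange.asmx RobinAPI/123456
2024-01-01T10:00:09Z 52.1.210.4 /EWS/Exchange.asmx ExampleClient/1.0
2024-01-01T10:00:12Z 198.51.100.20 /EWS/Exchange.asmx ExampleClient/1.0
not a log line
"""

def classify(line):
    """Return (verdict, client_ip) for one log line."""
    parts = line.split(None, 3)
    if len(parts) != 4:
        return ("unparsed", None)
    _, ip_text, _, agent = parts
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return ("unparsed", None)
    from_robin_ip = ip in ROBIN_IPS
    claims_robin = UA_MARKER in agent
    if from_robin_ip and claims_robin:
        return ("robin", ip_text)                 # both signals agree
    if claims_robin:
        return ("ua-from-unlisted-ip", ip_text)   # UA alone is not proof
    if from_robin_ip:
        return ("listed-ip-without-ua", ip_text)  # worth a second look
    return ("other", ip_text)

def review(log_text):
    """Classify every non-empty line; returns a list of (verdict, ip)."""
    return [classify(l) for l in log_text.splitlines() if l.strip()]

if __name__ == "__main__":
    for verdict, ip in review(SAMPLE_LOG):
        print(f"{verdict:22} {ip}")
```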
For outgoing connections, you can allow by our DNS name (e.g. *.robinpowered.com), which is signed via DNSSEC.
DNSSEC removes the need to allow specific IP addresses, since the DNS record itself is secured and can be validated much like an SSL certificate. You can confirm this using this tool from Verisign.
What kind of data is synced?
Once an Exchange service account is connected, the Robin cloud service will connect to your designated Exchange service and begin to synchronize its data with Robin. In doing so, a subset of your calendar events and their details will be saved to the Robin system. These details include event titles, descriptions, start and end dates/times, the specified location, and the list of attendees. We do not sync attachments.
Robin will then keep this data in sync with your Exchange service. Events booked through Robin will similarly synchronize the data back to your Exchange service, so that the Robin and connected Exchange services are 1-to-1.
"How can I control which fields sync?"
Robin syncs the standard fields per the iCal spec to ensure interoperability with most calendar systems. If you do not want Robin to have access to certain fields (e.g. description, title, invitees), you can control this within Exchange. EWS allows you to strip out fields before sending them to third parties via roles. You can see an example of stripping event fields in EWS here. Keep in mind this approach may limit your ability to access certain event features (e.g. changing the meeting title or invitees) inside Robin, since the information will be inaccessible.
"Can Robin filter my calendar data before syncing instead?"
Robin will store the events as received, and offers a few ways to control how much of the information appears visually once in the employee apps. If you have security controls requiring certain fields to be omitted entirely from the sync process, the most secure method is to handle this at the source (Exchange EWS), not at the application layer.
How is connection information stored?
Robin accounts themselves never store any plain-text password information. Your Robin account password is similarly stored in a one-way encrypted fashion at the time of registration, by running it through an industry-standard, cryptographically secure hashing algorithm called "bcrypt" with a cryptographically secure, randomly generated "salt".
Finally, Robin mobile and web applications always connect to the Robin web service through an encrypted, secure connection (SSL/TLS HTTPS), so that data in transit between your phone or browser and the Robin web service is not sent or received in plain-text. This prevents public or WiFi network "sniffers" from intercepting data in transit.
Robin is a hosted cloud service that does not require any on-premise installation. If you have any specific security implementation questions, your account representative can provide further details.
You'll find more information in our security and privacy policies.