Requesting permission to access Microsoft 365
When you first install the app, it will ask you to Sign-in to Microsoft 365:

Permissions requested
When you press the “Sign-in” button, a new window appears, and once you’ve signed-in to Microsoft 365, you will see that the app is requesting various permissions:

The app has been developed by David Simpson Apps, a trading name of Concise Web Design Limited. We are an authorised Microsoft Partner.
The various permissions, and why they are required:
Maintain access to data you have given it access to
We store an access token with monday.com’s hosted “monday-code” secure storage in the monday.com infrastructure so that you can use the app can perform operations on your files.
Send mail as you
This permission is solely used to request access to files that other users need to share with you for access in monday.com.
Sign you in and read your profile
So that your details can be displayed in monday.com, and you can be contacted if you have not shared file access to others in Microsoft 365
Have full access to all files you have access to
So that you can perform operations on your files from within monday.com
Edit or delete items in all site collections
So that you can perform operations on your files from within monday.com
Although our app performs all the logic, we do not access your data, as all compute activity is performed on monday.com infrastructure using monday code, a platform for hosting apps on a secure, reliable, and scalable infrastructure.
The monday code platform is SOC 2 and ISO 27001 certified, and GDPR & HIPAA compliant.
Accept button
To continue using the app, press the “Accept” button.
Approval Requested
Some companies and organisations have an additional step requiring that you request permissions that require administrative consent.
In these cases, before you can use the app, your company’s Microsoft 365 admin will need to approve use of the app or some other internal approvals workflow within your company will need to be performed. Only then can you use the app.
If you require admin approval, you will see the following screen after entering your user credentials in the Microsoft 365 sign-in screen:

Storage of user data
→ What data does the app store?
For the Share Link Embed feature: We store no data. The URL of the embedded files are stored within your own monday.com instance.
For all other features: We store access tokens within monday.com’s infrastructure using their secure storage mechanisms. We also store limited metadata related to the file or folder within your own monday.com instance.
Where are user access tokens saved?
Our app uses the Secure Storage feature of monday code. This is based on at Google Cloud Platform (GCP) hosted version of HashiCorp’s Vault which is maintained by monday.com.
How can we delete user access tokens?
Access tokens stored within monday.com’s infrastructure can all be deleted at any time by individual users or in bulk by an admin user.
See Revoking access to Microsoft 365.
If you have already uninstalled the app, you will need to reinstall it to delete the access tokens.
What is monday code?
monday code is a platform developed by monday.com to streamline the deployment and management of applications built on their ecosystem. Unlike traditional hosting solutions, monday code provides developers with a fully managed environment, eliminating the need for self-hosting while maintaining security and compliance standards.
Technical architecture
monday code leverages a hybrid cloud architecture:
Management layer: Hosted on AWS, this layer handles app metadata and configuration.
Runtime layer: Built on Google Cloud Platform (GCP), it handles app deployment and execution using services like Cloud Run, Cloud Build, and Artifact Registry.
This separation ensures isolation between monday.com's core infrastructure and third-party apps while benefiting from GCP’s scalability.
What trust signals does monday code have?
The monday code platform is SOC 2 and ISO 27001 certified, and GDPR & HIPAA compliant.