Insides - Management - Compliance
While there exist many excellent blog posts, interviews and videos about Delve and the Office Graph from experts around the world, this post will be about Insides, Management, Compliance. We will also look at data security and data privacy aspects and concerns, not only from a technical perspective but also with regard to the new EU General Data Protection Regulation (EU Datenschutzgrundverordnung).
My experience with customers is that they need to understand more about what the Office Graph is doing and how the results Delve is showing are built. In my sessions or in discussions with customers, I use this picture from a Microsoft deck to explain the underlying fabric a little:
The Active Content Cache
- Designed to enable near-real time updates at conversational speed (measured in seconds)
- Contains most recently active items
- Not designed to contain the full Tenant Graph, but rather the most likely to be relevant nodes and edges.
- Every object has an expiration policy associated with it.
Tenant Graph Store
- The full graph of all the nodes and edges within a tenant.
- Optimized for analytics, not speed
- Indexed to efficiently locate nodes and used to push nodes and edges into the Active Content Cache.
- Because of optimization decisions, the latency of moving nodes and edges into the Active Content Cache cannot be guaranteed to be “conversational.”
- Directs the incoming edits to the Active Content Cache and Tenant Graph Store
- Updates external applications regarding these edits
- Powers the Conversational Experience
- Specific to each workload, this is the piece responsible for reviewing local data and updating the Graph through the REST API.
- Only changes to the Active Content Cache or to Tenant Analytics are pushed by the API
I wrote a blog post about how to switch to an opt-in-like experience instead of the opt-out version. To be honest, this is only a workaround, but customers like it. It gives them the chance to start with only some users in Delve to get more familiar with it. Opt-in as a default for Delve
If you don’t want a specific document to show up in Delve, you can create a HideFromDelve site column of the type Yes/No. This site column creates a new crawled property, ows_HideFromDelve, which is automatically mapped to the HideFromDelve managed property.
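The steps above can be scripted. The following is an added example, not code from the original post or from Microsoft; it assumes the PnP.PowerShell module and site collection administrator rights, and the site URL, library name, item ID and column group are placeholders.

```powershell
# Added example. Placeholders (not from the post): site URL, library, item ID, group name.
$siteUrl = "https://contoso.sharepoint.com/sites/hr"
$library = "Documents"
$itemId  = 42

Connect-PnPOnline -Url $siteUrl -Interactive

# 1. Create the Yes/No site column if it does not exist yet.
#    The internal name is HideFromDelve so that the crawled property
#    becomes ows_HideFromDelve, as described above.
if (-not (Get-PnPField -Identity "HideFromDelve" -ErrorAction SilentlyContinue)) {
    Add-PnPField -DisplayName "HideFromDelve" -InternalName "HideFromDelve" `
                 -Type Boolean -Group "Delve" | Out-Null
}

# 2. Add the site column to the library that holds the document.
if (-not (Get-PnPField -List $library -Identity "HideFromDelve" -ErrorAction SilentlyContinue)) {
    Add-PnPField -List $library -Field "HideFromDelve" | Out-Null
}

# 3. Set the column to Yes for the document that should not show up in Delve.
Set-PnPListItem -List $library -Identity $itemId `
                -Values @{ HideFromDelve = $true } | Out-Null

# 4. Read the value back to confirm what was stored on the item.
$item = Get-PnPListItem -List $library -Id $itemId -Fields "FileLeafRef", "HideFromDelve"
"{0}: HideFromDelve = {1}" -f $item["FileLeafRef"], $item["HideFromDelve"]
```

Because the setting works through a crawled property, the document has to be re-indexed by search before the change is reflected in Delve.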
We had an internal Yammer discussion with Mark Kashman about Delve Security & Privacy. Mark wrote the following statement and I asked him if this is good for sharing. Mark's answer was: “Certainly OK to share the copy/paste'able section I wrote in the initial post of this thread.” So I will share this with you:
Delve is covered under the Office 365 Trust Center and meets all of the requirements of our highest level of compliance which Microsoft refers to as “Tier D” compliance, e.g., ISO 27001 and 27018 certification, SOC 1 and SOC 2 compliance. Delve is also licensed under the Microsoft standard Online Services Terms which include commitments such as the EU Model Clauses. This, too, applies to the Microsoft Graph - the underlying intelligent layer that uses advanced analytics to provide relevant, personalized insights via Delve and other user interface experiences throughout Office 365.
Office 365 customers own their Microsoft Graph data, which is stored in their partition of the SharePoint Online and Exchange Online environments. It, too, has the same data protection and security as other customer data stored in the same cloud services.
For users, Delve never changes any permissions on content or other information. Users only discover what they already have permission to see. Only users can see their private documents in Delve, unless they decide and take action to share them. Other people can't see each other's private activities, such as what documents they've read, what emails they've sent and received, or what Skype for Business conversations they've been in. Other people can see when others modify a document, but only if they have access to the same document. What you see when you open Delve is personalized to that user, and no one else sees exactly the same thing as they do.
It is possible to opt out of Delve and the Microsoft Graph at both the tenant level and the user level. Once opted out, users will not see the Delve tile in the Office 365 app launcher, and various services that surface aspects of the Microsoft Graph to provide intelligence throughout Office 365 will simply not appear, or revert back to previous non-Graph-based methods - i.e. search-based vs graph-based. One example, if you opt out, you would not see the new "Discover" tab within OneDrive for Business - yet the core of OneDrive for Business remains intact.
To learn more, please review these two important Delve security and privacy support articles; the first for admins and second for users: "Office Delve for Office 365 admins", "Are my documents safe in Office Delve?".