Security and IT: Microsoft PowerPoint sync

Our software integrates with OneDrive and SharePoint using a Microsoft-verified OAuth application, which confirms our identity as a trusted publisher. We utilize the Microsoft Graph for all interactions, ensuring we only access data that the user has explicitly permitted.

The user is prompted to log in to Microsoft OneDrive / SharePoint to select a file / presentation to be accessed and imported by Kahoot.  

• Permissions (Scopes)
  • Files.Read.All
    Grants read access to all files the user has permission to view.
  • User.Read
    Allows our software to retrieve the user’s basic profile information (e.g., name).

All operations occur under the user’s own Microsoft credentials, meaning our software does not gain access to any content beyond what the user can already view.  Furthermore, our software will only read the file(s) that the user has explicitly selected to import in the picker UI.  

Data We Store and Where It Is Stored

1. Metadata

• When a user syncs a document, we store select information:
  • Microsoft-specific User ID
  • Microsoft-specific Document ID
  • Document name and type
  • Last updated timestamp (from Microsoft)
  • Last synced timestamp
  • A slide-by-slide hash for PowerPoint (PPTX) files (to detect changes)
• This metadata is hosted in European data centers on Google Cloud.

2. Slide Images

• Our software generates images of each slide (or page).
• These images are stored in a secure Amazon S3 bucket located in Europe and delivered through a Content Delivery Network (CDN).

3. Document Conversion

• We partner with a third-party service, CloudConvert, to convert documents into images.
• CloudConvert automatically deletes the source file after 24 hours.

4. Data Retention

• When a user removes a document from our software, the associated metadata and any generated images remain unless the user—or their organization—requests complete deletion.
• All data transfers (e.g., to Microsoft or to CloudConvert) occur over encrypted (HTTPS) connections.

Revoking Access and Token Expiry

If an administrator revokes a user’s permissions to access OneDrive/SharePoint, the OAuth token expires within one hour, however the permission change should be effective immediately on Microsoft’s servers. After this Kahoot! will not have access to the presentation or be able to update the kahoot with updated information from the presentation.