Here are some essentials around 24Files and security:
24Files has been built 100% on Salesforce. It integrates with SharePoint via APIs, none of your files are stored on any 24Files or third party server.
24Files does not store any of your users' SharePoint credentials. 24Flow uses an OAuth authorization flow and users are redirected to SharePoint to login.
As 24Files is on the AppExchange, its code has been reviewed by the Salesforce team from a security perspective. 24Files has passed the Salesforce Security Review.
As 24Files has been built on Salesforce, it adopts the Salesforce security practices in terms of permission sets: we have defined multiple roles: admin, user, community user.
In order for 24Files to successfully execute API calls on your SharePoint, the app requires certain SharePoint permissions as described in the AZURE add-in section. These permission have been limited to the strict minimum required for the app the function properly.
24Files requires the AllSites.Write permission on SharePoint: The Write permission on SharePoint is equivalent to a Contribute permission, i.e. you can add content to libraries but not create any new libraries or make changes to the structure of existing libraries.