Platform Coverage Matrix
| Platform | Data Types | Sync Method | Stage | Prerequisite |
|---|---|---|---|---|
| Microsoft 365 / Outlook | Email (sent + received) | Delta polling, 6-hr interval | Live | Azure AD, Global Admin consent |
| Gmail / Google Workspace | Email (sent + received) | Delta polling, 6-hr interval | Live | Google Workspace admin consent |
| Slack (channels) | Public + private channels | Event API / polling | Live | Slack app approval, workspace admin |
| Slack DMs | Direct messages | Event API | Live | Slack Enterprise Grid required |
| Microsoft Teams (channels) | Channel messages + video recordings | Graph API polling + webhook | Live | M365 admin consent |
| Teams DMs | Direct messages | Graph API | Live | M365 E3 or E5 license |
| Google Chat | Spaces + messages | Pub/Sub webhook | Live | Google Workspace Business Plus |
| Zoom Meetings | Video recordings | Webhook on recording complete | Live | Zoom cloud recording enabled, app approval |
| Google Meet | Video recordings | Google Drive webhook | Live | Google Workspace connector authorization |
| RingCentral | SMS + voice recordings | Webhook push (real-time) | Live | RingCentral admin, webhook subscription |
| Dialpad | SMS + voice recordings | Webhook push | Live | Dialpad admin access |
| Zoom Phone | SMS + call recordings | Webhook push | Live | Zoom Phone license, admin consent |
| OpenPhone | SMS + call recordings | Webhook push | Live | OpenPhone API key (admin-generated) |
| Enterprise Software Systems | Structured records (communications, activity logs, transactions — scope defined per system) | API integration (customer-specific) | Live | Available on select basis — contact PanOps |
Authentication Model
PanOps is registered once as an authorized third-party application on each supported platform. Customer administrators grant org-wide OAuth 2.0 consent via their standard admin console — the same flow used to approve any enterprise app integration. No PanOps software is installed in the customer environment.
OAuth tokens are stored in AWS Secrets Manager, encrypted at rest. The token manager handles automatic refresh before expiry; no manual re-authentication is required unless the admin explicitly revokes consent.
OAuth consent flow (per platform, done once):
1. Customer admin opens PanOps onboarding portal
2. Clicks "Connect [Platform]" → redirected to platform OAuth screen
3. Admin grants org-wide permission scope (read messages, read recordings, etc.)
4. Platform issues refresh token → stored in Secrets Manager (customer-scoped)
5. PanOps connector begins polling / listening for webhooks

Token refresh:
- Access tokens refreshed automatically 5 minutes before expiry
- Refresh token rotation handled per-platform per OAuth spec
- Token revocation by admin immediately terminates connector access
Email Connectors
Microsoft 365 — Graph API
The M365 connector uses the Microsoft Graph API /v1.0/users/{userId}/mailFolders/inbox/messages endpoint with delta query support. Each poll fetches only messages changed since the last sync using a delta token stored in DynamoDB. Backfill on first sync retrieves 30 days of history (configurable).
| Parameter | Value |
|---|---|
| API | Microsoft Graph API v1.0 |
| Endpoint | /users/{id}/messages/delta |
| Polling Interval | 6 hours + random jitter (0–30 min) |
| Delta Mechanism | @odata.deltaLink token stored in DynamoDB per user |
| Backfill | 30 days default; configurable per customer |
| OAuth Scope | Mail.Read (application permission, admin-consented) |
| Rate Limit Handling | HTTP 429 → read Retry-After header → exponential backoff |
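
The delta and rate-limit rows above, worked through as an added example (not PanOps code): a poll follows `@odata.nextLink` pages, stores the new `@odata.deltaLink` only after the last page, and waits out an HTTP 429 using `Retry-After`. The `state` dict stands in for the DynamoDB table; `MAX_RETRIES`, the backoff constants, the fake transport and its URLs are assumptions constructed for the demonstration.

```python
import random

MAX_RETRIES = 5  # assumption: the page gives no retry limit for 429s

def backoff_delay(attempt, retry_after=None, base=2.0, cap=300.0):
    """Wait after a 429: honour Retry-After (seconds), else exponential + jitter."""
    if retry_after is not None:
        return float(retry_after)
    return min(cap, base * 2 ** attempt) * random.uniform(0.5, 1.0)

def delta_sync(fetch, state, user_id, start_url, sleep):
    """One poll for one user. fetch(url) -> (status, headers, body dict)."""
    url = state.get(user_id, start_url)  # resume from the stored deltaLink
    messages, attempt = [], 0
    while url:
        status, headers, body = fetch(url)
        if status == 429:
            if attempt >= MAX_RETRIES:
                raise RuntimeError("still throttled; stored delta token unchanged")
            sleep(backoff_delay(attempt, headers.get("Retry-After")))
            attempt += 1
            continue
        if status != 200:
            raise RuntimeError(f"unexpected HTTP status {status}")
        attempt = 0
        messages.extend(body.get("value", []))
        url = body.get("@odata.nextLink")
        if url is None:
            # Persist the new deltaLink only after the last page, so a failure
            # mid-round replays the round instead of silently skipping mail.
            state[user_id] = body["@odata.deltaLink"]
    return messages

def make_fake_graph():
    """Constructed responses standing in for Graph; hosts and tokens are made up."""
    base = "https://graph.example/v1.0/users/u1/messages/delta"
    pages = {
        base: [(429, {"Retry-After": "7"}, {}),
               (200, {}, {"value": [{"id": "m1"}], "@odata.nextLink": base + "?skip=1"})],
        base + "?skip=1": [(200, {}, {"value": [{"id": "m2"}],
                                      "@odata.deltaLink": base + "?token=T1"})],
        base + "?token=T1": [(200, {}, {"value": [], "@odata.deltaLink": base + "?token=T2"})],
    }
    return base, lambda url: pages[url].pop(0)

if __name__ == "__main__":
    start, fetch = make_fake_graph()
    state, waits = {}, []  # dict stands in for the DynamoDB delta-state table
    print(delta_sync(fetch, state, "u1", start, waits.append), waits, state)
```
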
Gmail — Gmail API
The Gmail connector uses the Gmail API users.messages.list with historyId-based delta sync. Each customer user's historyId is tracked in DynamoDB; only messages newer than the stored historyId are fetched on each poll.
| Parameter | Value |
|---|---|
| API | Gmail API v1 |
| Endpoint | users.history.list (delta), users.messages.get (fetch) |
| Polling Interval | 6 hours + jitter |
| Delta Mechanism | historyId stored in DynamoDB per user |
| Backfill | 30 days default |
| OAuth Scope | https://www.googleapis.com/auth/gmail.readonly |
| Rate Limit | 1B quota units/day; per-user throttling with backoff |
Messaging & Video Connectors
Slack
The Slack connector uses the Slack Events API and Conversations API. Public and private channels are polled via conversations.history with cursor-based pagination. Direct messages are included for customers on Slack Enterprise Grid. Cursor positions are stored in DynamoDB. The Slack app must be approved by the workspace admin; PanOps uses bot token scopes and does not require user token scopes.
Microsoft Teams — Channels + Video
Teams channel messages are retrieved via Microsoft Graph API /teams/{teamId}/channels/{channelId}/messages/delta. Video recordings are automatically saved to the meeting organizer's OneDrive via Teams recording policy; PanOps downloads via Graph API /drives/{driveId}/items/{itemId}/content when the recording is available, then queues it for Whisper transcription.
Zoom Meetings — Video
Zoom recordings are captured via webhook. When a cloud recording is completed, Zoom pushes a recording.completed webhook event to the PanOps endpoint. The webhook payload includes download URLs with temporary auth tokens. PanOps downloads the recording to customer S3 and queues it for transcription. Cloud recording must be enabled at the Zoom account level.
Video recording data flow:
[Teams / Zoom / Google Meet recording complete]
↓
[Webhook or polling detects new recording]
↓
[PanOps downloads to customer S3]
s3://customer-bucket/recordings/{platform}/{meeting-id}/{timestamp}.mp4
↓
[S3 event → SQS transcription queue]
↓
[Whisper worker picks up job, transcribes]
↓
[Transcript written to Aurora (RLS-scoped to customer)]
SMS & Voice Connectors
SMS and voice platforms use webhook-based real-time push rather than polling. When an SMS is sent/received or a call recording is completed, the platform pushes an event to PanOps's HTTPS webhook endpoint. This delivers data in near-real-time with no polling latency.
| Platform | Webhook Events | Auth | Stage |
|---|---|---|---|
| RingCentral | SMS message, call recording complete | PubNub subscription + HMAC verification | Live |
| Dialpad | SMS message, call recording URL | Webhook secret header verification | Live |
| Zoom Phone | SMS received, call recording complete | Zoom webhook verification token | Live |
| OpenPhone | SMS message, call recording | API key (admin-generated in OpenPhone dashboard) | Live |
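
What the HMAC and secret-header checks in the Auth column involve on the receiving side, as an added example (not PanOps code and not any listed vendor's actual format): the raw body is authenticated with a constant-time comparison before it is parsed, then checked for freshness and replay. The header names `X-Timestamp` and `X-Signature`, the `<timestamp>.<body>` signing layout and the 300-second window are assumptions made for illustration.

```python
import hashlib
import hmac

MAX_SKEW_SECONDS = 300  # assumption: replay window, not stated on the page

def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Hypothetical scheme: hex HMAC-SHA256 over b"<timestamp>.<raw body>"."""
    msg = timestamp.encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify_webhook(secret, headers, body, now, seen):
    """Return (accepted, reason). Call this on the raw bytes, before JSON parsing.

    `seen` is a set of already accepted (timestamp, signature) pairs; in a
    real deployment it would be a shared store with a TTL of the skew window.
    """
    ts = headers.get("X-Timestamp", "")
    sig = headers.get("X-Signature", "")
    if not (ts.isascii() and ts.isdigit() and sig):
        return False, "missing or malformed headers"
    expected = sign(secret, ts, body)
    # compare_digest runs in constant time, so the response time does not
    # reveal how many leading characters of a forged signature were correct.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad signature"
    # Freshness is checked after authenticity: the timestamp is only
    # trustworthy once the signature over it has been verified.
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    if (ts, sig) in seen:
        return False, "replayed event"
    seen.add((ts, sig))
    return True, "ok"

if __name__ == "__main__":
    secret = b"constructed-demo-secret"          # constructed sample values
    body = b'{"type":"sms","text":"hello"}'
    ts = "1700000000"
    hdrs = {"X-Timestamp": ts, "X-Signature": sign(secret, ts, body)}
    seen = set()
    print(verify_webhook(secret, hdrs, body, 1700000010, seen))
    print(verify_webhook(secret, hdrs, body, 1700000020, seen))
```
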
Connector Framework
All connectors share a common framework that handles auth, scheduling, state management, error handling, and database writes.
| Component | Implementation | Details |
|---|---|---|
| OAuth Token Manager | AWS Secrets Manager + Lambda | Tokens refreshed automatically before expiry; rotation logged |
| Polling Scheduler | EventBridge Scheduler + Lambda | 6-hr interval + per-connector random jitter |
| Delta State Store | DynamoDB | Cursor positions (delta tokens, historyIds) per connector per user |
| Aurora Writer | Lambda → Aurora | Normalized schema, RLS-scoped to customer tenant |
| Rate Limiting | In-process + SQS throttling | HTTP 429 → Retry-After header; exponential backoff; per-platform quota tracking |
| Error Handling | Circuit breaker + SQS DLQ | Failed jobs → DLQ after 3 retries; circuit opens after consecutive failures |
| Health Status | Aurora + Admin UI | Green / Yellow / Red; stale alert if no successful poll >12 hrs |
Employee Enrollment & Consent
Employee participation is consent-driven. PanOps generates a unique mobile-optimized web consent page per employee. The enrollment link is sent by the customer admin (typically via email or Slack). On the page, the employee confirms their identity (email as primary key, display name as secondary), reviews the channels being monitored, and provides explicit consent.
- Consent is recorded per employee per channel in Aurora (tamper-proof log)
- Employees can revoke consent at any time via a link in their enrollment page
- Identity discrepancies (name mismatches across platforms) are resolved at enrollment
- Enrollment status visible in Admin panel per employee × channel matrix
- Admin can re-send enrollment link, add employees, or remove employees at any time