cloak.business

Cloud Storage Addins

Cloak.Business addins connect your cloud storage accounts to the PII anonymization pipeline. Browse files directly from OneDrive, SharePoint, Google Drive, Dropbox, or Nextcloud — without downloading anything to your computer first.

What Are Addins?#

Addins are optional integrations that extend cloak.business with new capabilities. Cloud storage addins let you:

  • Browse files in your cloud storage directly from the cloak.business interface
  • Select one or more files to analyze
  • Detect personally identifiable information (PII)
  • Anonymize detected PII with your chosen operators
  • Save the anonymized result back to your cloud storage, or download it locally

All cloud provider API calls are server-side. Your access tokens are stored encrypted (AES-256-GCM) in the database. The browser never contacts Google, Microsoft, Dropbox, or Nextcloud directly.

Available Addins#

AddinAuth MethodFile Sources
Microsoft 365OAuth2 + PKCEOneDrive Personal, OneDrive for Business, SharePoint
Google DriveOAuth2 + PKCEMy Drive, Shared Drives
DropboxOAuth2 + PKCEDropbox Personal, Business
NextcloudLogin Flow v2Any self-hosted Nextcloud server

Activating an Addin#

  1. Go to App → Addins in the navigation
  2. Find the addin tab (Microsoft 365, Google Drive, Dropbox, or Nextcloud)
  3. Click Activate — this creates your personal addin record
  4. The addin wizard will open automatically

Addins are per-user. Each user activates and connects addins independently.

Connecting Your Account#

OAuth2 Providers (Microsoft 365, Google Drive, Dropbox)#

  1. Click Sign in with [Provider]
  2. A popup opens — sign in and grant the requested permissions
  3. The popup closes automatically when connected
  4. Your account name and email appear in the Connect step

Permissions requested:

  • Microsoft 365: Files.Read.All, Files.ReadWrite.All, Sites.Read.All, User.Read
  • Google Drive: drive.readonly, drive.file, profile, email
  • Dropbox: files.metadata.read, files.content.read, files.content.write, account_info.read

Nextcloud (Login Flow v2)#

  1. Enter your Nextcloud server URL (must start with https://)
  2. Click Connect to Nextcloud — a Nextcloud login page opens in a popup
  3. Sign in to your Nextcloud account in the popup
  4. Approve the connection request
  5. The popup closes and you are connected

No client ID or secret is needed. Nextcloud generates a per-app password automatically.

The 6-Step Wizard#

Every cloud storage addin follows the same workflow:

StepDescription
1. ConnectSign in to your cloud storage account
2. PresetChoose entity types, confidence threshold, and optional reversible encryption
3. BrowseNavigate folders and select files to process
4. AnalyzeExtract text and detect PII with Presidio NLP
5. ReviewReview detected entities and choose anonymization operators
6. DoneDownload anonymized files or save back to cloud storage

Microsoft 365 has an additional Source step (step 3) to choose between OneDrive and SharePoint.

Selecting Files#

In the Browse step:

  • Click any folder to navigate into it
  • Use breadcrumbs at the top to go back
  • Check individual files to add them to your selection
  • Click Select All to select all supported files in the current folder
  • Click Clear to deselect all files in the current folder
  • Use the × button on any selected file badge to remove it from the selection (regardless of which folder you are in)

Supported file types: .docx, .xlsx, .pdf, .pptx, .txt, .csv, .json, .xml, .md, .html, .png, .jpg, .jpeg, .bmp, .tiff

Unsupported file types are shown greyed out with no checkbox.

Reversible Anonymization#

In the Preset step, enable Reversible anonymization to encrypt all detected entities instead of replacing them. This lets you restore the original values later using the same encryption key.

  1. Toggle Reversible anonymization on
  2. Select a saved encryption key from the dropdown, or enter a 16/24/32-character AES key manually
  3. Proceed through the wizard normally
  4. In the Done step, a Decrypt section appears — paste your anonymized text and click Decrypt to restore the originals

Important: Keep your encryption key safe. There is no way to recover the original values without it.

Image Files#

Image files (PNG, JPG, JPEG, BMP, TIFF) go through a separate analysis pipeline:

  1. The image is sent to the Presidio image redaction service
  2. PII is detected using OCR (Tesseract) and NLP
  3. A redacted version is generated with PII covered by colored boxes
  4. You can download or save the redacted image

Note: GIF and WebP are not supported — Presidio image service only accepts PNG, JPEG, BMP, and TIFF.

Saving Results#

In the Done step, for each anonymized file you can:

  • Download — save the anonymized .txt file to your computer
  • Save to Cloud — upload the anonymized file back to the same folder in your cloud storage (adds _anonymized suffix to the filename)

Both options are available. You can download one file and save another to cloud storage in the same session.

Token Costs#

Text file anonymization: standard token cost per entity (same as the text anonymizer). Image file redaction: standard token cost per entity detected in the image.

Security Model#

  • No browser→provider calls: All API calls to Microsoft Graph, Google Drive API, Dropbox API, and WebDAV go through the cloak.business server
  • Encrypted token storage: Access tokens and refresh tokens stored AES-256-GCM encrypted in the database, per-user
  • Token auto-refresh: Access tokens are silently refreshed 5 minutes before expiry using the stored refresh token
  • SSRF protection: All provider API URLs are validated against allowlists before use
  • Nextcloud SSRF: User-supplied server URLs are validated — private IP ranges (10.x, 192.168.x, 172.16-31.x, 127.x, 169.254.x) are rejected

Session Persistence#

Your connection to each cloud provider persists across logout/login cycles. When you log back into cloak.business, your cloud accounts remain connected — you do not need to sign in again unless:

  • You explicitly disconnected
  • The provider's refresh token expired (Microsoft: 90 days of inactivity; Google: 6 months; Dropbox: indefinite while active; Nextcloud: admin-controlled)
  • An admin revoked the OAuth app's access

Troubleshooting#

Popup was blocked Allow popups for cloak.business in your browser settings and try again.

"Session expired" error Your refresh token has expired. Click the Connect step and sign in again.

File shows "Error" in Analyze step

  • The file may be corrupted or in an unsupported format
  • Very large files (>50 MB) may time out — try smaller files first
  • Password-protected files cannot be extracted

Nextcloud: "SSRF protection" error Your Nextcloud server URL resolves to a private IP address. A public HTTPS URL is required.

Nextcloud: Connection timed out The approval window was open for more than 5 minutes. Click Connect again and approve within 5 minutes.

No PII Found on a file you know contains PII Check the language setting in the Preset step. If your document is in German, select de; for French, select fr. The default is en (English).

Disconnecting#

To disconnect a cloud account:

  1. Open the addin panel
  2. Click Sign out (OAuth providers) or Disconnect (Nextcloud)

This clears your access token and refresh token. The addin remains activated — reconnect at any time.

To fully deactivate an addin, click Deactivate in the addin tab. This removes your user record for that addin.