Team sharing in Notate has become a popular feature. Sometimes we get requests from Network or IT admins about how it works and the security of the feature.
The first thing to be aware of is that all of the shared user data including notes and tasks remains in your organization behind the firewall on the Exchange server. Access to the shared data is regulated by access control lists maintained by the Exchange server. When a user chooses to share a notebook for example, the sub-folder under the user's Exchange notes folder is updated to allow the specified additional users to have the read, and write privileges to the specific folder. The users are specifically NOT granted the privilege to view any other parent folders.
Because collaborators don't have access to the parent folders they don't have a way to browse for shared folders. The unique shared folder id must be passed to the collaborator by some means. In Notate this is done by using an out of bounds channel, the Notate cloud server. When a Notate user shares a Notebook with a list of users, the application sends the Notate cloud server the list of users along with a unique id number of the shared folder. When a user starts Notate, it requests from the cloud server to be given a list of folder ids that have been shared with it. All user data remains on Exchange behind the firewall and authentication and access control to this data is governed by Exchange.
The Notate cloud server is hosted on AWS and connections to it are made over SSL. Most importantly, user data other than the email address of the share recipient is not stored in the cloud.