Trust & Security

Trust Center

Everything you need to approve IdentityOps during a security review. Built for CISOs, procurement, and vendor risk teams.

Security Posture Summary

Tenant access: Read-only delegated
Data stored: Metadata only
AI model: None (deterministic templates)
Tenant isolation: Database-level scoping
Offboarding: 30-day restore, then permanent purge
Vulnerability reporting: security@identityops.dev

Guarantees & Boundaries

What IdentityOps commits to, and what it is architecturally unable to do.

We guarantee
Read-only Microsoft Graph permissions — zero write scopes
Delegated access only — runs as the signed-in admin, not a background service
No passwords, secrets, certificates, or tokens belonging to the applications in your tenant are ever stored; the only credentials IdentityOps holds are its own Graph access and refresh tokens, encrypted at rest (see Threat Model)
All AI is deterministic template assembly — no LLM, no external API calls
Tenant data is isolated at the database level with foreign key scoping
Consent is revocable instantly from the Entra Admin Center
We cannot
Cannot modify, create, or delete any object in your tenant
Cannot access other tenants' data — no API path accepts a tenant ID as input
Cannot make autonomous decisions — AI explains risk, it does not enforce policy
Cannot retain data beyond 30 days after cancellation
Cannot send your data to external services, advertisers, or training pipelines
Cannot bypass Microsoft Graph permission enforcement — even with a bug
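One check a reviewer can run against the read-only and delegated-only claims above, added here as an illustration and not something IdentityOps publishes: list the tenant's oauth2PermissionGrants for the IdentityOps service principal and confirm that every consented scope is read-only and that there are exactly three of them. The grants and object IDs below are constructed placeholders, the write-scope pattern is a heuristic to be confirmed against the Microsoft Graph permissions reference, and fetching the grants (with Microsoft Graph PowerShell or a direct GET to /v1.0/oauth2PermissionGrants) is left outside the example.

```javascript
// Added example, not IdentityOps code: audit the delegated Graph scopes granted
// to one service principal. Objects mirror the fields of the Graph
// oauth2PermissionGrant resource (clientId, consentType, principalId, scope).
// Constructed sample data; all ids are placeholders.
const sampleGrants = [
  {
    id: "grant-1",
    clientId: "00000000-0000-0000-0000-0000000000aa", // assumed: IdentityOps service principal
    consentType: "AllPrincipals", // tenant-wide admin consent
    principalId: null,
    resourceId: "00000000-0000-0000-0000-000000000001", // assumed: Microsoft Graph
    scope: " Application.Read.All Directory.Read.All User.Read ",
  },
  {
    id: "grant-2",
    clientId: "00000000-0000-0000-0000-0000000000bb", // some other app in the tenant
    consentType: "AllPrincipals",
    principalId: null,
    resourceId: "00000000-0000-0000-0000-000000000001",
    scope: "Application.ReadWrite.All",
  },
];

// Heuristic, not an authoritative list: Graph permission names that grant
// write or elevated access usually carry one of these tokens. Every match is
// a finding for the reviewer to confirm against the permissions reference.
const WRITE_LIKE = /(ReadWrite|\.Write|AccessAsUser|Invite|Send|Create)/;

// Returns the distinct scopes consented to `clientId`, whether all of them look
// read-only, and a list of findings (write-capable scopes, unexpected count).
function auditDelegatedGrants(grants, clientId, expectedScopeCount) {
  const scopes = new Set();
  const findings = [];
  for (const grant of grants) {
    if (grant.clientId !== clientId) continue; // other apps' grants are out of scope
    // `scope` is a single space-separated string; trim and split defensively.
    for (const scope of grant.scope.trim().split(/\s+/).filter(Boolean)) {
      scopes.add(scope);
      if (WRITE_LIKE.test(scope)) findings.push(`${scope}: write-capable or elevated`);
    }
  }
  if (scopes.size !== expectedScopeCount) {
    findings.push(`expected ${expectedScopeCount} scopes, found ${scopes.size}`);
  }
  return {
    scopes: [...scopes].sort(),
    readOnly: !findings.some((f) => f.includes("write-capable")),
    findings,
  };
}

// Stand-alone run: audit the assumed IdentityOps principal against "three read-only scopes".
console.log(auditDelegatedGrants(sampleGrants, "00000000-0000-0000-0000-0000000000aa", 3));
```

Delegated grants are only half of the picture: application permissions are recorded as appRoleAssignments on the service principal rather than in oauth2PermissionGrants, so a delegated-only vendor should also have an empty appRoleAssignments collection, and that is worth checking in the same review.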

Threat Model

How IdentityOps mitigates the risks your security team evaluates.

Credential compromise
IdentityOps never stores tenant credentials. The Graph access tokens it uses are encrypted at rest (AES-256-GCM) and never leave the server. Sessions are rotated every 15 minutes and expire after an absolute maximum of 24 hours.
Token leakage
Only the session ID is stored in a cookie (HttpOnly, Secure, SameSite). Refresh tokens are server-side only, encrypted, and scoped to the specific tenant. No tokens are exposed to client-side code.
Insider threat
Internal admin panel uses a completely separate authentication system. All admin actions are logged in an immutable audit trail. Customer data access is scoped per-tenant with no override path.
Infrastructure breach
Hosted on Vercel (edge runtime) with data in Neon PostgreSQL. TLS 1.2+ for all communication. No self-hosted infrastructure. All child records cascade-delete with the tenant — no orphaned data.
Supply chain / dependency
No external AI services. No third-party analytics or tracking SDKs processing tenant data. Stripe handles billing only — no tenant metadata is shared with payment processors.
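The credential-compromise and token-leakage mitigations above, as an added illustration that is not IdentityOps' own code: a Node.js sketch in which a Graph refresh token is sealed with AES-256-GCM using the tenant ID as additional authenticated data (so a blob stored for one tenant cannot be opened in another tenant's context, even by a bug that looks up the wrong row), session identifiers rotate every 15 minutes and expire at 24 hours, and only the opaque session ID reaches the cookie. The key source, the session-record shape, the `SameSite=Lax` value and the sample token string are assumptions; the page does not state them.

```javascript
// Added example, not IdentityOps code: tenant-bound token encryption plus a
// rotating session, following the Threat Model section's stated parameters.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Assumption: a process-level key; in production this comes from a secret manager.
const KEY = randomBytes(32);
const ROTATE_MS = 15 * 60 * 1000;        // session id rotates every 15 minutes
const ABSOLUTE_MS = 24 * 60 * 60 * 1000; // hard expiry at 24 hours

// Encrypt a token for one tenant. The tenant id goes in as GCM additional
// authenticated data, so the tag only verifies under the same tenant id.
function sealToken(token, tenantId, key = KEY) {
  const iv = randomBytes(12); // fresh 96-bit nonce per encryption
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(`tenant:${tenantId}`, "utf8"));
  const ct = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
  return {
    iv: iv.toString("base64"),
    ct: ct.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
  };
}

// Decrypt a stored blob in the context of `tenantId`. Returns null on any
// failure: wrong tenant, wrong key, or tampered ciphertext/tag.
function openToken(blob, tenantId, key = KEY) {
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(blob.iv, "base64"));
  decipher.setAAD(Buffer.from(`tenant:${tenantId}`, "utf8"));
  decipher.setAuthTag(Buffer.from(blob.tag, "base64"));
  try {
    const pt = Buffer.concat([decipher.update(Buffer.from(blob.ct, "base64")), decipher.final()]);
    return pt.toString("utf8");
  } catch {
    return null;
  }
}

// Server-side session record; `now` is milliseconds since epoch.
function newSession(tenantId, now) {
  return { id: randomBytes(16).toString("hex"), tenantId, createdAt: now, rotatedAt: now };
}

// Evaluate a session on each request: expired past the absolute lifetime,
// rotated (new id, same record) past the rotation interval, otherwise ok.
function checkSession(session, now) {
  if (now - session.createdAt >= ABSOLUTE_MS) return { status: "expired", session: null };
  if (now - session.rotatedAt >= ROTATE_MS) {
    const rotated = { ...session, id: randomBytes(16).toString("hex"), rotatedAt: now };
    return { status: "rotated", session: rotated };
  }
  return { status: "ok", session };
}

// Only the opaque session id is sent to the browser; tokens never appear here.
function sessionCookie(session) {
  return `sid=${session.id}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Stand-alone run with a constructed token value.
const demo = sealToken("example-refresh-token", "tenant-a");
console.log("same tenant:", openToken(demo, "tenant-a"));
console.log("other tenant:", openToken(demo, "tenant-b"));
console.log(sessionCookie(newSession("tenant-a", Date.now())));
```

Binding the ciphertext to the tenant via AAD is cheap and turns a cross-tenant lookup bug into a decryption failure rather than a data leak; it complements, but does not replace, the database-level scoping the page describes.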

Security Architecture at a Glance

Five pillars. Each answers a question your security team will ask.

1
Access Control
What permissions do you need?
Three read-only delegated Microsoft Graph permissions. No background service, no agents, no scripts installed in your environment. Even if IdentityOps had a bug, Microsoft Graph would reject any write call, because the consented scopes grant no write permission.
2
Data Protection
What data do you store?
App metadata, credential expiry dates, and owner info. Never stores passwords, secrets, or certificates. Never sold, shared, or used for training.
3
Tenant Boundaries
Can one tenant see another?
Every query scoped to the authenticated tenant. Per-tenant roles. No API path accepts a tenant ID as user input. All child records cascade-delete with the tenant.
4
Exit & Deletion
What happens when we leave?
Cancel in-app or remove the Enterprise Application from Entra. 30-day self-service restore window, then automatic permanent deletion. No residual data retained.
5
AI Safety
Is AI doing anything unsafe?
All AI uses deterministic templates — no external LLM calls. Every sentence traces to a computed field. AI explains risk; it never decides or acts.

AI Safety Guarantee

No external LLM calls
No training on customer data
No autonomous decision-making
Every output traceable to scan data
AI explains risk — it does not enforce policy

Offboarding Timeline

What happens when you leave, with the exact outcome at every stage.

Day 0
Access revoked
Remove the IdentityOps enterprise app from Entra, or cancel in Settings > Billing.
All Microsoft Graph API access stops immediately
No new scans can run
Existing data remains accessible for self-service restore
Day 0–30
Retention window
Self-service restore available. No new data collected.
Re-subscribe to restore full access to historical data
No scans, alerts, or data collection during this period
Contact support@identityops.dev for immediate deletion
Day 30
Permanent deletion
Automatic, irreversible purge of all tenant data.
Scan history, app metadata, user records — deleted
Alert configs, activity logs, team members — deleted
Encrypted tokens and refresh credentials — deleted
No backups retained beyond this point

Security Review Questions

Structured to match vendor security questionnaires.

Evidence & Documentation

Request documentation for your vendor risk review, or access published policies directly.

Vendor Security Overview
PDF · Request via email
Standard Security Questionnaire
DOCX · Request via email
Architecture Diagram
PDF · Request via email
Permissions Breakdown
Graph scopes
Data Retention & Deletion Policy
PDF · Request via email
Privacy Policy
Web
Terms of Service
Web

Questions? We respond fast.

Security reviews, architecture walkthroughs, or custom documentation — reach out directly.

security@identityops.dev