Privacy Policy
Effective Date: December 3, 2024 · Last Updated: March 14, 2026
1. Introduction
This Privacy Policy describes how Veri-Tech ("Veri-Tech," "Company," "we," "us," or "our") collects, uses, stores, and protects information when you use the Veri-Docs platform ("Service"), accessible at veri-tech.net.
Veri-Tech is committed to protecting your privacy and handling your data with transparency. This Privacy Policy applies to all users of the Service, including administrators, authorized users, and visitors to our websites.
2. Information We Collect
2.1 Account Information
When you authenticate with the Service through Microsoft Entra ID, we receive:
- Display name and email address from your Microsoft account
- Microsoft Entra Object ID (a unique identifier for your account)
- Tenant ID (identifies your Microsoft 365 organization)
- User role within your organization (e.g., Global Administrator)
We do not receive, access, or store your Microsoft account password or multi-factor authentication credentials.
2.2 Tenant Configuration Data
When you use the Service, we access and temporarily process configuration data from your Microsoft 365 tenant, including but not limited to:
- Intune policies: device compliance, configuration profiles, security baselines, app protection policies, enrollment configurations, update policies, scripts
- Conditional Access policies: access controls, grant/session conditions, assignments
- Entra ID settings: authentication methods, authorization policies, cross-tenant access settings
- Exchange Online settings: transport rules, sharing policies, anti-spam/anti-phishing configurations
- Microsoft Teams settings: meeting policies, messaging policies, external access
- Microsoft Defender settings: preset security policies, Safe Attachments, Safe Links
- License and subscription information: SKUs assigned to your tenant
This data consists of organizational configuration settings, not individual user personal data. We do not access mailbox contents, files, chat messages, or individual user activity data.
2.3 Service Usage Data
We collect information about how you use the Service:
- Job records: timestamps, job type (SOP/assessment/remediation), status, output format
- Assessment results: compliance scores, control pass/fail status, remediation actions taken
- Feature usage: pages visited, features used, subscription plan
- Source IP addresses: recorded for security audit purposes
2.4 Billing Information
Payment information is collected and processed by Stripe, Inc. We do not directly collect or store credit card numbers, bank account details, or other payment instrument data. We receive from Stripe:
- Subscription status and plan tier
- Billing interval (monthly/annual)
- Customer ID (Stripe reference)
- Invoice history
3. How We Use Your Information
| Purpose | Legal Basis |
|---|---|
| Provide and operate the Service | Contract performance |
| Authenticate your identity and manage your account | Contract performance |
| Process payments and manage subscriptions | Contract performance |
| Generate compliance reports and gap analyses | Contract performance |
| Apply authorized remediation changes | Contract performance (with explicit consent) |
| Monitor Service performance, security, and reliability | Legitimate interest |
| Enforce rate limits and prevent abuse | Legitimate interest |
| Send service-related communications | Contract performance / Legitimate interest |
| Comply with legal obligations | Legal obligation |
We do not:
- Sell your data to third parties
- Use your tenant configuration data for advertising
- Share your data with other customers
- Train machine learning models on your tenant data
- Access your data for purposes unrelated to providing the Service
4. Data Storage and Security
4.1 Infrastructure
- Cloud Provider: Microsoft Azure
- Data Region: East US 2 (United States)
- Portal Hosting: Vercel (iad1 — US East)
- Authentication: X.509 certificate-based (HSM-backed), no client secrets in production
- API Security: Internal JWT authentication (HMAC-SHA256) on all endpoints, per-tenant rate limiting
- Encryption in Transit: TLS 1.2+ on all connections
- Encryption at Rest: Azure Storage Service Encryption (AES-256)
4.2 Security Measures
- Role-based access control (RBAC) with least-privilege scoping
- Just-in-time (JIT) write permission elevation with automatic revocation
- Break-glass account verification before remediation operations
- Structured audit logging via Azure Application Insights
- Phased deployment model with observation periods for remediation
- GUID validation and input sanitization on all API endpoints
4.3 Access Controls
Access to production infrastructure is limited to authorized Veri-Tech personnel. We maintain audit logs of all administrative access and data operations.
5. Data Retention
5.1 Active Subscriptions
While your subscription is active:
- Scan results and reports: Retained per your plan's retention policy (configurable)
- Generated SOPs: Stored in Azure Blob Storage until you delete them or your subscription ends
- Job records: Retained for the duration of your subscription
- Audit logs: Retained for twelve (12) months
5.2 After Cancellation
Upon subscription cancellation or account termination:
- Your data is retained for thirty (30) days to allow export
- After 30 days, Customer Data is permanently deleted from active storage
- Backup copies may persist for up to ninety (90) days before automatic deletion
- Billing records are retained as required by tax and accounting regulations
5.3 Deletion Requests
You may request immediate deletion of your data by contacting privacy@veri-tech.net. We will process deletion requests within thirty (30) days, subject to legal retention obligations.
6. Data Sharing and Sub-Processors
6.1 Sub-Processors
| Sub-Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Microsoft Azure | Cloud infrastructure, data storage, compute | Tenant configuration data, job records, generated documents | United States (East US 2) |
| Microsoft Graph API | Tenant data access and remediation | Tenant configuration read/write (per granted permissions) | Microsoft global infrastructure |
| Stripe, Inc. | Payment processing | Billing information, subscription status | United States |
| Vercel, Inc. | Portal hosting | Session tokens, page requests | United States (iad1) |
| Azure Application Insights | Monitoring and logging | Service telemetry, error logs, audit events | United States |
6.2 Legal Disclosure
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
6.3 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.
7. Your Rights
7.1 General Rights
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your personal data
- Export: Request your data in a portable, machine-readable format
- Objection: Object to certain processing of your data
- Restriction: Request that we limit processing of your data
7.2 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, including:
- Right to know what personal information is collected, used, and shared
- Right to delete personal information
- Right to opt-out of the sale of personal information (we do not sell personal information)
- Right to non-discrimination for exercising your rights
7.3 European Economic Area (GDPR)
If you are located in the EEA, you have rights under the General Data Protection Regulation, including those listed in Section 7.1 and the right to lodge a complaint with your local data protection authority.
7.4 Exercising Your Rights
To exercise any of these rights, contact us at privacy@veri-tech.net. We will respond within thirty (30) days (or as required by applicable law).
8. Microsoft 365 Permissions
8.1 Application Permissions
The Veri-Tech application registration in Microsoft Entra ID requests specific Microsoft Graph API permissions. These permissions are documented in our application manifest and are visible during the admin consent process.
8.2 Read Permissions
Read permissions are used for SOP generation and compliance assessment. These allow the Service to read your tenant's configuration settings but not user data, mail, files, or communications.
8.3 Write Permissions (JIT)
Write permissions are requested on a just-in-time basis only when you initiate a remediation workflow. These permissions are:
- Requested via a separate admin consent prompt
- Used only for the specific remediation actions you authorize
- Automatically revoked after the remediation workflow completes
- Can be manually revoked at any time via the Microsoft Entra admin center
8.4 Revoking Access
You can revoke the Service's access to your tenant at any time by:
- Navigating to the Microsoft Entra admin center
- Going to Enterprise Applications
- Finding the Veri-Tech application
- Selecting Properties > Delete
Revoking access will prevent the Service from accessing your tenant data. Previously generated documents remain available for download.
9. Cookies and Tracking
9.1 Essential Cookies. The Service uses essential cookies for authentication session management. These cookies are required for the Service to function and cannot be disabled.
9.2 Analytics. We use Azure Application Insights for service monitoring and performance analytics. This collects anonymized usage telemetry (page load times, error rates, feature usage patterns) and does not track individual user behavior for advertising purposes.
9.3 No Third-Party Advertising. We do not use advertising cookies or tracking pixels. We do not share usage data with advertising networks.
10. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will delete that information promptly.
11. International Data Transfers
The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer. Where required by applicable law, we implement appropriate safeguards (such as Standard Contractual Clauses) for international data transfers.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Privacy Policy, sending an email notification, or displaying an in-app notification. Changes become effective thirty (30) days after posting unless otherwise stated.
Contact Information
Veri-Tech
Website: veri-tech.net
Product: veri-tech.net
Privacy Inquiries: privacy@veri-tech.net
General Support: support@veri-tech.net
Legal Inquiries: legal@veri-tech.net