Trust Center

How we handle your data.

Veri-Tech sells compliance, so we hold ourselves to the same standard we ship. Read-only by default, US-based infrastructure, scoped write authorization, and transparent sub-processor disclosure. The canonical, version-controlled sub-processor list lives at /legal/subprocessors; the table below is a summary kept in sync with that page.

Last reviewed: 2026-04-27

  • Microsoft Partner: MPN 7102279
  • Veteran-Owned Business: VOSB certification in process
  • BAA Available: Included with HIPAA Pack
  • US-Based Infrastructure: Primary data residency

Architecture

Read-only by default. Scoped writes by exception.

When you connect Microsoft 365 to Veri-Tech, we receive permission to read your tenant configuration. We cannot modify, delete, or wipe anything — not policies, not devices, not users, not data — unless you take a separate, explicit action to authorize it.

When you choose to apply a remediation, you grant Veri-Tech write permission for that specific action. The authorization is scoped (only the controls you select), time-bound (auto-expires after one hour), auto-revoked on completion (write permission is dropped the moment the remediation finishes — even if it finishes early), and recorded (audit log captures every change). You can also manually revoke at any time from your tenant’s admin consent panel.

Authentication is certificate-based. Every action Veri-Tech takes against your tenant is signed, logged, and attributable.

Sub-processors

Third parties we share customer data with.

Veri-Tech uses the following sub-processors to operate the service. The canonical list with HIPAA Business Associate status, change log, and Customer-configured integration boundaries lives at /legal/subprocessors. We notify customers at least 30 days in advance of material changes.

| Sub-processor | Purpose | Data handled | Region |
|---|---|---|---|
| Microsoft Azure | Compute, storage, networking, Application Insights telemetry | Tenant configuration metadata, scan results, audit logs, application telemetry | United States (East US 2) |
| Microsoft Graph API | Read tenant configuration and apply customer-authorized changes | Tenant configuration settings, policy definitions, role assignments | Microsoft global |
| Microsoft Bookings | Sales/onboarding/security call scheduling | Prospect-submitted contact details | Microsoft global |
| Vercel | Portal and marketing site hosting | Auth tokens, session cookies, page request metadata; no tenant data stored | US (iad1) / global edge for static assets |
| Stripe | Subscription billing and payment processing | Billing contact, payment tokens (card data held by Stripe), invoice history | United States |
| Resend | Transactional email (job notifications, drift alerts, invitations) | Recipient email, message metadata (job IDs, scan summaries, control names) | United States |
| Anthropic | AI features: support assistant, in-product Copilot, remediation plan generation (invoked on demand) | User-typed chat; control IDs/titles/severities/scores; license SKUs; no tenant identifiers | United States |
| GitHub | Support ticket intake (private Veri-Tech repo, support staff only) | Ticket subject and description, category, priority, tenant ID, submitter email | United States |

Data retention & portability

Your data, your choice.

  • Retention. Scan results, audit logs, and configuration data are retained for the duration of an active account. Following cancellation or deletion, data is purged within 30 days.
  • Export on request. Customers may request a full export of their data at any time by emailing support@veri-tech.net. Self-serve export from the portal is on the near-term roadmap.
  • Deletion. Customers may request deletion of all account data on demand; we comply within 30 days and confirm in writing.

Encryption & data residency

Encrypted in transit and at rest.

  • In transit. All connections use TLS 1.2 or later. Microsoft Graph API calls use modern certificate-based authentication.
  • At rest. Customer data is encrypted at rest using Azure-managed keys (AES-256). Stripe-tokenized payment data never touches Veri-Tech storage.
  • Data residency. Customer data is stored in United States Azure regions. The public marketing portal may serve static assets from Vercel’s global edge for performance; no customer data is replicated to edge nodes.

Compliance program

What we map to today.

Veri-Tech ships compliance scoring and remediation across a documented set of frameworks. Coverage is not a substitute for the customer’s own audit, but it provides auditor-ready evidence and continuous monitoring.

  • NIST 800-53, NIST CSF 2.0, ISO 27001:2022, SOC 2 Trust Services Criteria
  • CIS Microsoft 365 Foundations, CISA SCuBA M365 baselines
  • HIPAA Security Rule mapping (with BAA available under HIPAA Pack)
  • HHS 405(d) HICP, GDPR controls, additional frameworks on the roadmap

Independent assurance roadmap

Independent attestation (SOC 2 Type 1) and third-party penetration testing are planned milestones. We’ll publish dates and reports on this page when each is complete — we do not pre-claim certifications we have not yet earned.

Incident response & vulnerability disclosure

If you find a problem, tell us.

For suspected security incidents affecting your tenant, vulnerability reports, or any responsible-disclosure submission, contact us at security@veri-tech.net. We acknowledge legitimate reports within one business day. Researchers acting in good faith are welcome — we’ll work with you on coordinated disclosure and recognition.

Questions about how we handle your data?

Book a 15-minute call — we’re happy to walk through any of this in detail before you connect a tenant.