Trust Center

How we handle your data.

Veri-Tech sells compliance, so we hold ourselves to the same standard we ship. Read-only by default, US-based infrastructure, scoped write authorization, and transparent sub-processor disclosure. This page is the source of truth.

Last reviewed: 2026-04-27

  • Microsoft Partner: MPN 7102279
  • Veteran-Owned Business: VOSB certification in process
  • BAA Available: Included with HIPAA Pack
  • US-Based Infrastructure: Primary data residency

Architecture

Read-only by default. Scoped writes by exception.

When you connect Microsoft 365 to Veri-Tech, we receive permission to read your tenant configuration. We cannot modify, delete, or wipe anything — not policies, not devices, not users, not data — unless you take a separate, explicit action to authorize it.

When you choose to apply a remediation, you grant Veri-Tech write permission for that specific action. The authorization is scoped (only the controls you select), time-bound (auto-expires after one hour), auto-revoked on completion (write permission is dropped the moment the remediation finishes — even if it finishes early), and recorded (audit log captures every change). You can also manually revoke at any time from your tenant’s admin consent panel.

Authentication is certificate-based. Every action Veri-Tech takes against your tenant is signed, logged, and attributable.

Sub-processors

Third parties we share customer data with.

Veri-Tech uses the following sub-processors to operate the service. We notify customers in advance of material changes to this list. All sub-processors are bound by data-protection agreements consistent with our customer terms.

| Sub-processor | Purpose | Data handled | Region |
| --- | --- | --- | --- |
| Microsoft Azure | Compute, storage, scanning workloads | Scan results, tenant configuration data, audit logs | United States |
| Vercel | Portal hosting and authenticated app delivery | Signed auth tokens and rendered page content in transit; UI assets (no persistent customer-data storage) | US (compute) / global edge (static assets only) |
| Stripe | Subscription billing and payment processing | Billing contact, payment metadata (card data tokenized by Stripe) | United States |
| Postmark | Transactional email (account, support, billing) | Recipient email, message body | United States |
| Microsoft Bookings | Sales-call scheduling | Prospect contact info submitted to book a call | United States |
| GitHub | Support ticket intake and engineering tracking | Ticket content, submitter identifier | United States |
| Anthropic | AI-assisted runbook and SOP generation (when invoked) | Transient prompts; not retained beyond the request | United States |

Data retention & portability

Your data, your choice.

  • Retention. Scan results, audit logs, and configuration data are retained for the duration of an active account. Following cancellation or deletion, data is purged within 30 days.
  • Export on request. Customers may request a full export of their data at any time by emailing support@veri-tech.net. Self-serve export from the portal is on the near-term roadmap.
  • Deletion. Customers may request deletion of all account data on demand; we comply within 30 days and confirm in writing.

Encryption & data residency

Encrypted in transit and at rest.

  • In transit. All connections use TLS 1.2 or later. Microsoft Graph API calls use modern certificate-based authentication.
  • At rest. Customer data is encrypted at rest using Azure-managed keys (AES-256). Stripe-tokenized payment data never touches Veri-Tech storage.
  • Data residency. Customer data is stored in United States Azure regions. The public marketing portal may serve static assets from Vercel’s global edge for performance; no customer data is replicated to edge nodes.

Compliance program

What we map to today.

Veri-Tech ships compliance scoring and remediation across a documented set of frameworks. Coverage is not a substitute for the customer’s own audit, but it provides auditor-ready evidence and continuous monitoring.

  • NIST 800-53, NIST CSF 2.0, ISO 27001:2022, SOC 2 Trust Services Criteria
  • CIS Microsoft 365 Foundations, CISA SCuBA M365 baselines
  • HIPAA Security Rule mapping (with BAA available under HIPAA Pack)
  • HHS 405(d) HICP, GDPR controls, additional frameworks on the roadmap

Independent assurance roadmap

Independent attestation (SOC 2 Type 1) and third-party penetration testing are planned milestones. We’ll publish dates and reports on this page when each is complete — we do not pre-claim certifications we have not yet earned.

Incident response & vulnerability disclosure

If you find a problem, tell us.

For suspected security incidents affecting your tenant, vulnerability reports, or any responsible-disclosure submission, contact us at security@veri-tech.net. We acknowledge legitimate reports within one business day. Researchers acting in good faith are welcome — we’ll work with you on coordinated disclosure and recognition.

Questions about how we handle your data?

Book a 15-minute call — we’re happy to walk through any of this in detail before you connect a tenant.