Effective Date: May 21, 2026
Last Updated: May 21, 2026
365SecurityAssessment.com (the "Service") is operated by MdB Consulting Services, Inc., a Texas corporation, doing business as Bonelli Systems ("Bonelli Systems," "we," "us," or "our"). This Privacy Policy explains what information we collect when you use the Service, how we use and protect that information, the legal bases on which we rely, and the rights you have over your information.
This Policy applies to all visitors, trial users, subscribers, and partners worldwide, including individuals located in the United States, Canada, the European Economic Area ("EEA"), the United Kingdom, and elsewhere. If you do not agree with this Policy, do not access or use the Service.
1. Who We Are and How to Reach Us
Controller / Business of record:
MdB Consulting Services, Inc. (d/b/a Bonelli Systems)
365SecurityAssessment.com
18383 Preston Road, Suite 202
Dallas, Texas 75252
United States
All privacy, data protection, and legal notices: the legal/contact form
For residents of the EEA and the United Kingdom, Bonelli Systems acts as a data controller with respect to its own commercial relationship with you (account, billing, marketing), and as a data processor with respect to information processed on your behalf from your Microsoft 365 and Microsoft Azure environments.
EEA representative. Where required by Article 27 of the EU General Data Protection Regulation, our EU representative can be reached at the address in Section 17 below. We will update this Policy with the name and contact details of an appointed EU representative once one is engaged.
UK representative. Where required by Article 27 of the UK General Data Protection Regulation, our UK representative can be reached at the address in Section 17 below. We will update this Policy with the name and contact details of an appointed UK representative once one is engaged.
2. Scope of This Policy
This Policy covers:
- The 365SecurityAssessment.com website, including any subdomains, marketing pages, and customer-facing portals.
- The 365SecurityAssessment.com software-as-a-service application, including free trials, paid subscriptions, one-time assessments, and partner/reseller access.
- All assessments, scans, reports, dashboards, and related outputs delivered through the Service.
This Policy does not cover third-party websites, products, or services that we do not own or control, even if they are linked from the Service. We encourage you to review the privacy policies of any third party before sharing information with them.
3. Information We Collect
We distinguish between two categories of information in connection with the Service:
- Service Data is information we collect about you, your account, your authorized users, your billing, and your interactions with our website and the Service itself. We act as a data controller of Service Data.
- Customer Data is information we collect from a Microsoft 365 or Microsoft Azure tenant that you authorize us to connect to, together with the findings and reports we generate for you. We act as a data processor of Customer Data, processing it on your documented instructions under our Data Processing Addendum.
3.1 Information You Provide to Us
When you create an account, request a trial, purchase a subscription, register as a partner, contact support, or otherwise interact with us, we collect information you provide, which may include:
- Identity and account data, such as your name, business email address, company name, job title, and authentication credentials.
- Billing and transaction data, such as billing address, purchase amount, and payment confirmations. Full payment card numbers are processed by our payment processors and are not stored on our systems.
- Support and correspondence data, including any information you choose to include in support tickets, sales inquiries, or other communications.
- Marketing preferences, including subscriptions to newsletters or product communications.
3.2 Information Collected From Your Microsoft 365 and Microsoft Azure Tenants
The core function of the Service is to assess the security posture of your Microsoft 365 and Microsoft Azure environments. To perform an assessment, you authorize the Service to connect to your tenant through Microsoft's OAuth-based authorization flow using Microsoft Graph API and Azure delegated or application permissions. All connections are read-only.
When connected, the Service collects a broad set of configuration and telemetry signals and evaluates them against a deep security ruleset covering misconfigurations, common vulnerabilities and exposures ("CVEs"), identity and access posture, data protection settings, threat indicators, and related controls.
The data we collect from your tenant includes configuration settings, policy definitions, role assignments, license metadata, audit and sign-in signals, secure score and recommendation data, and other security telemetry exposed by Microsoft Graph and Azure management APIs. We do not request, and the Service is not designed to ingest, the contents of mailboxes, files, chats, calendar items, or other end-user content.
You are responsible for the lawful basis for processing the personal data contained in your tenant and for ensuring that you have authority to authorize the Service to connect.
3.3 Information Collected Automatically
When you use the Service, we automatically collect technical information such as IP address, browser type and version, device and operating system, language preference, referring URLs, pages viewed, in-product clicks, session timestamps, error logs, and similar diagnostic information. Where reasonably practicable, we hash, truncate, or otherwise scrub identifiers in product-usage analytics to reduce the risk of identifying any individual or organization. We use cookies and similar technologies as described in Section 11.
3.3.1 Threat-Intelligence Information
In the course of providing the Service, we may collect or generate information about confirmed and potential cyber threats observed in connection with your tenant, including misconfigurations, exposed or compromised credentials surfaced through public breach corpora, indicators of compromise, attacker techniques and patterns, malicious or targeted IP addresses, suspicious or potentially harmful artifacts, and similar threat-intelligence information (collectively, "Threat-Intelligence Information"). We use Threat-Intelligence Information to provide and improve the Service, to detect and respond to threats affecting you and our other customers, to operate our internal security program, and to produce de-identified or aggregated research and benchmarks. We treat Threat-Intelligence Information with appropriate safeguards consistent with the sensitivity of the data. Where Threat-Intelligence Information contains personal data, we process it under the legal basis described in Section 6.
3.4 Information From Third Parties
We may receive information about you from third parties, such as our resellers and managed-service-provider partners (when they refer or manage your account), Microsoft (in connection with partner programs and licensing verification), payment processors, fraud-prevention providers, and publicly available sources.
4. How We Use Information
We use the information described above for the following purposes:
- To deliver the Service, including running assessments, generating findings, producing dashboards and reports, and providing the proprietary analytical capabilities described in Section 5.
- To create, authenticate, and manage your account and your partner or reseller relationships.
- To process payments, manage subscriptions, and prevent fraud.
- To provide customer support and respond to your requests.
- To monitor, troubleshoot, secure, and improve the Service, including detecting and preventing abuse, unauthorized access, and security incidents.
- To send service, security, and transactional communications.
- To send marketing communications where permitted by law, and to measure engagement with our marketing. You may opt out at any time.
- To comply with applicable laws, respond to lawful requests, and enforce our agreements.
We do not sell personal information, and we do not "share" personal information for cross-context behavioral advertising as those terms are defined under U.S. state privacy laws (including the California Consumer Privacy Act, as amended by the California Privacy Rights Act).
4.1 De-Identified and Aggregated Data
We may create de-identified, anonymized, and aggregated data from Service Data and Customer Data (for example, prevalence statistics for specific misconfigurations across our customer base, aggregated benchmark metrics, and threat-intelligence indicators). We may use that de-identified, anonymized, or aggregated data for any lawful purpose, including to operate, improve, and secure the Service, to produce industry benchmarks, and to publish threat-intelligence research, provided that we maintain reasonable policies and technical measures to avoid re-identification.
5. Use of Proprietary AI and Analytical Technology
The Service includes proprietary analytical technology, which may include a proprietary large-language-model capability developed by Bonelli Systems and made available within designated tiers of the Service. This proprietary technology, and the methods by which it generates findings, are the subject of pending patent and Patent Cooperation Treaty (PCT) applications and are protected as confidential trade secrets and intellectual property of Bonelli Systems.
When the Service uses this proprietary technology in connection with your account, the following applies:
- The proprietary technology operates on data collected from your tenant during the assessment process described in Section 3.2 in order to produce additional findings, prioritized recommendations, and analytical outputs that are surfaced to you in your dashboard.
- We do not use your tenant data, your account data, or the contents of your assessments to train or fine-tune the proprietary model or any other foundation, base, or generative model.
- We do not share your tenant data, your account data, or the contents of your assessments with any third-party model provider for the purpose of training, fine-tuning, or improving any third-party model.
- Where the Service uses any third-party AI components, we configure those components, by contract and by API setting, to disable training on customer data.
Outputs generated by the proprietary technology are produced for informational and security-decision-support purposes. You remain solely responsible for evaluating those outputs and for any actions you take, or do not take, in response.
6. Legal Bases for Processing (EEA and UK)
If you are located in the EEA or the United Kingdom, we rely on the following legal bases under the EU and UK General Data Protection Regulation (collectively, "GDPR") to process personal data:
- Performance of a contract — to provide the Service you have requested or subscribed to.
- Legitimate interests — to operate, secure, and improve the Service, prevent fraud, conduct B2B marketing, and pursue our business objectives, where those interests are not overridden by your rights.
- Compliance with legal obligations — to meet tax, accounting, regulatory, and law-enforcement obligations.
- Consent — where required by law (for example, for certain cookies or marketing communications), in which case you may withdraw consent at any time without affecting prior processing.
When we process personal data on your behalf as a data processor (for example, personal data contained in your Microsoft 365 or Azure tenant), we do so on your documented instructions under our Data Processing Addendum (see Section 13).
7. How We Share Information
We share information only in the limited circumstances described below:
- With service providers and subprocessors. We use vetted third parties to host the Service (including Microsoft Azure as our primary cloud infrastructure provider), to process payments, to deliver email and support tooling, to provide error monitoring and analytics, and to provide fraud-prevention and security services. These providers are bound by contractual obligations consistent with this Policy and applicable law. A current list of subprocessors is available on request by contacting the legal/contact form.
- With partners and resellers. If you were referred to, or are managed by, a Bonelli Systems partner or managed-service-provider reseller, we may share account, usage, and assessment information with that partner as necessary to administer your relationship.
- With your authorized users. Information related to your account and assessments is accessible to users you authorize within your organization, including administrators who can view, export, or delete data.
- For business transfers. If Bonelli Systems is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of its business, information may be transferred as part of that transaction, subject to standard confidentiality protections.
- For legal and safety reasons. We may disclose information when we believe in good faith that disclosure is necessary to comply with law, respond to lawful requests, protect the rights, property, or safety of Bonelli Systems, our customers, or others, or to investigate fraud or security incidents.
We do not sell personal information.
8. International Data Transfers
Bonelli Systems is based in the United States, and we host the Service primarily on Microsoft Azure. Where required, we transfer personal data internationally using lawful transfer mechanisms, including the European Commission's Standard Contractual Clauses and the UK Addendum, supplemented by appropriate technical and organizational measures. You may request information about the transfer mechanisms applicable to your data by contacting the legal/contact form.
9. Data Retention
We retain information only as long as necessary for the purposes described in this Policy, including to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements.
- Active accounts. We retain account information and assessment data for as long as your account is active.
- Free trials. Assessment results and related data generated during a 14-day free trial are retained for 365 days from the end of the trial, after which they are deleted from production systems.
- Paid subscriptions. Following cancellation or termination of a paid subscription, we retain account information and assessment data for 365 days, after which they are deleted from production systems. During this period you may request earlier deletion in writing.
- Backups and logs. Residual copies in encrypted backups and security logs are overwritten in the ordinary course of business according to our backup retention schedules.
- Aggregated and anonymized data. We may retain aggregated and anonymized statistics that do not identify you or your tenant indefinitely for benchmarking, research, and product improvement purposes.
- Legal holds. We may retain information longer where required by law or where it is subject to a legal hold.
10. Security
We implement administrative, technical, and physical safeguards designed to protect information against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit and at rest, role-based access controls, least-privilege provisioning, multi-factor authentication for our personnel, network segmentation, vulnerability management, security logging and monitoring, secure software-development practices, and routine internal control reviews aligned to industry frameworks. Bonelli Systems is a designated Microsoft Solutions Partner for Security, Data & AI, Azure Infrastructure, and Digital & App Innovation.
No method of transmission or storage is completely secure. You are responsible for safeguarding your account credentials, managing user access within your organization, and maintaining the security of the Microsoft 365 and Azure tenants you connect to the Service.
If we become aware of a security incident affecting personal data we process on your behalf, we will notify you without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware, consistent with applicable law and our Data Processing Addendum. Our notice will include the information reasonably available to us at the time, will be supplemented as additional information becomes available, and will not be deemed an acknowledgement of fault or liability.
11. Cookies and Similar Technologies
We use cookies and similar technologies to operate, secure, and improve the Service, to remember preferences, to authenticate sessions, and to measure engagement. We categorize cookies as strictly necessary, functional, analytics, and marketing. Where required by law, we obtain consent before placing non-essential cookies, and you may manage your preferences at any time through the in-product cookie controls.
12. Your Rights and Choices
Depending on where you live, you may have some or all of the following rights with respect to personal information that we control:
- Access and portability — to obtain a copy of personal information we hold about you.
- Correction — to ask us to correct inaccurate or incomplete information.
- Deletion — to ask us to delete personal information, subject to applicable exceptions.
- Restriction and objection — to ask us to restrict, or to object to, certain processing, including processing based on legitimate interests and direct marketing.
- Withdrawal of consent — to withdraw consent where processing is based on consent.
- Non-discrimination — to exercise your rights without being denied service, charged different prices, or receiving a different quality of service.
- Opt-out of sale or sharing — although we do not sell or share personal information as defined under U.S. state privacy laws, you have the right to confirm this.
- Automated decision-making — we do not make decisions about you that produce legal or similarly significant effects based solely on automated processing without human involvement.
- Complaints — you may lodge a complaint with a supervisory authority. In the EEA, that is the data protection authority in your country of residence; in the UK, the Information Commissioner's Office; in Canada, the Office of the Privacy Commissioner of Canada or applicable provincial regulator (including for Quebec residents, the Commission d'accès à l'information du Québec).
If you are an end user whose personal data appears in a tenant connected by your employer or another organization, please direct your rights requests to that organization first, as it acts as the controller of that data.
To exercise any of these rights, contact the legal/contact form. We will acknowledge receipt of your request within ten (10) business days and will respond substantively within thirty (30) days where required by law, or within forty-five (45) days where permitted under U.S. state privacy laws, in each case extendable by an additional period where reasonably necessary and where applicable law permits. We may need to verify your identity before fulfilling certain requests. You may also authorize an agent to make a request on your behalf where permitted by law.
12.1 United States — State-Specific Notices
If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia, or another U.S. state that grants you privacy rights, you may exercise those rights as described above. California residents may also request information about categories of personal information collected and disclosed in the preceding twelve months and may designate an authorized agent under the CCPA/CPRA.
Categories of personal information collected (CCPA). In the preceding twelve months we may have collected the following categories of personal information for the purposes described in Section 4: identifiers (such as name, email, IP address, and online identifiers); commercial information (such as subscription, billing, and transaction records); internet or other network activity information (such as browsing, search, and product-usage history); geolocation information (approximate, derived from IP address); professional or employment-related information (such as job title and company); and inferences drawn from the foregoing. We may collect technical identifiers and security-relevant signals (such as authentication identifiers, role assignments, and audit-log signals) from authorized Microsoft 365 and Microsoft Azure tenants, which can constitute personal information of your authorized users.
Sensitive personal information. We do not knowingly collect government-issued identifiers, financial-account credentials, precise geolocation, health, biometric, immigration-status, sex-life, sexual-orientation, racial or ethnic origin, religious or philosophical beliefs, or union-membership information about you. Account log-in credentials are treated as sensitive personal information; we use them only to authenticate users and administer the Service, and not for purposes that would require an additional opt-in or "limit-use" notice under California Civil Code § 1798.121.
Sale and sharing. We do not sell personal information, and we do not "share" personal information for cross-context behavioral advertising, as those terms are defined under the CCPA.
California Shine the Light. California Civil Code § 1798.83 permits California residents to request information about disclosures of personal information to third parties for those third parties' direct-marketing purposes. We do not make such disclosures.
12.2 Canada — PIPEDA and Quebec Law 25
If you are located in Canada, you have rights under the Personal Information Protection and Electronic Documents Act ("PIPEDA") and, if you are located in Quebec, under An Act respecting the protection of personal information in the private sector (Quebec Law 25), including access, correction, withdrawal of consent, and the ability to file a complaint with the applicable regulator.
13. Data Processing Addendum
For customers acting as controllers under GDPR, UK-GDPR, or other applicable data protection laws, Bonelli Systems makes available a Data Processing Addendum ("DPA") that incorporates the European Commission's Standard Contractual Clauses, the UK Addendum, and equivalent terms as required. The DPA, together with our list of subprocessors and applicable transfer mechanisms, is available on request by contacting the legal/contact form.
14. Children's Privacy
The Service is intended for businesses and is not directed to children. We do not knowingly collect personal information from children under sixteen (16). If you believe that a child has provided personal information to us, contact the legal/contact form and we will take appropriate steps to delete that information.
15. Do Not Track and Global Privacy Control
Some browsers offer a "Do Not Track" signal. Because there is no industry consensus on how to interpret such signals, the Service does not currently respond to them. Where required by law (including the California Consumer Privacy Act, as amended), the Service treats a Global Privacy Control signal transmitted by your browser as a valid request to opt out of the sale or sharing of personal information for the browser, device, or session that transmits it. You can also manage tracking through the in-product cookie controls and through your browser settings.
16. Changes to This Policy
We may update this Policy from time to time. When we make material changes, we will provide notice through the Service, by email, or by other appropriate means and will update the "Last Updated" date above. Continued use of the Service after the effective date of an updated Policy constitutes your acceptance of the updated Policy.
17. Contact
Questions, complaints, or requests related to this Policy or your information may be directed to:
MdB Consulting Services, Inc. (d/b/a Bonelli Systems)
365SecurityAssessment.com
Attn: Legal — Privacy
18383 Preston Road, Suite 202
Dallas, Texas 75252
United States
the legal/contact form