Trust & Security

Trust by design. Read-only by default. Provable by audit.

SOC 2 in progress. GDPR aligned. HIPAA BAA available. Free 14-day trial.

Answer first

Short answer

Trust by design. Read-only by default. Provable by audit. SOC 2 in progress. GDPR aligned. HIPAA BAA available. Free 14-day trial.

The trust page explains permissions, evidence boundaries, privacy posture, and what happens before a Microsoft 365 tenant is connected.

  • Who it helpsSecurity reviewers, tenant administrators, procurement teams, and executives
  • What you getClear connection, privacy, and evidence-handling context
  • Next stepReview onboarding

Our security posture

Read-only data collection

We never write to your tenant, modify settings, or change configurations. Assessment access is strictly read-only.

Data stays in your region

Assessment findings are stored and processed in Azure regions aligned to your organizational data residency requirements.

SOC 2 Type II in progress

We are currently undergoing our SOC 2 Type II audit period. Report available on completion. We'll tell you when it's done, not before.

GDPR-aligned data handling

Data processing agreements available on request. Data subject access request workflows are supported. DPA on request.

Compliance & certifications

We're honest about where we are. Procurement teams respect accuracy over inflated claims.

SOC 2 Type II In progress
GDPR Aligned
HIPAA BAA available
CCPA Aligned
ISO 27001 Roadmap

Status key: Active/Aligned = current. In progress = audit underway. Roadmap = planned, not started.

Data handling

Where data is stored

Assessment findings are stored in Azure PostgreSQL databases in Azure regions you select at onboarding. We use private endpoints — database instances are not publicly reachable. Storage at rest is encrypted using Azure-managed keys (AES-256).

Retention

Configurable. Default retention is 90 days of assessment history. Enterprise plans support custom retention periods. Data deletion on account termination is executed within 30 days of the request.

Who can access your data

Access is governed by row-level security — your tenant's data is logically isolated from all other tenants at the database layer. Bonelli Systems staff with platform admin access are subject to access logging and MFA enforcement. No data is shared with third parties for advertising or analytics purposes.

Encryption

All data in transit is encrypted via TLS 1.2 or higher. All data at rest is encrypted using AES-256. API endpoints enforce HTTPS-only. Internal service communication within Azure VNet uses private endpoints only.

Architectural choice

Your evidence stays in the platform. On purpose.

A common feature request from MSPs and security teams is bidirectional integration — "push our findings to ConnectWise / Sentinel / ServiceNow." We intentionally don't. Here's why, and what you get instead.

One-way trust boundary

We read from your Microsoft 365 and Azure environment. Your security evidence does not traverse third-party PSA, RMM, or ticketing APIs on the way back out. Fewer data processors, smaller blast radius if any of them is breached.

Tenant findings stay tenant-scoped

Your team accesses findings through SSO into the platform. Exports are intentional and human-driven — PDF, CSV, or live walkthrough — never a continuous outbound stream of sensitive tenant configuration to a shared MSP system.

Per-tenant access control

MSPs and multi-entity orgs assign per-tenant roles. A junior analyst can ticket-handle one client without seeing every other client's findings. Standard SSO, scoped roles, audited access — no PSA-side permission sprawl to manage.

Need exact permission scope for procurement?

We publish the architectural posture; the consent-flow specifics are patent-pending and shared under NDA. Engineers reviewing the platform for a regulated tenant can request the full OAuth scope inventory, the setup-permission audit-log walkthrough, and the steady-state read-only application manifest.

Request scope under NDA

Subprocessors

We use a limited set of infrastructure subprocessors. This list will be kept current as our subprocessor list changes.

Subprocessor Purpose Location
Microsoft Azure Cloud platform — compute, storage, databases, networking USA (primary); region-configurable

Vulnerability disclosure

We practice coordinated disclosure. If you discover a security vulnerability in our platform, please report it to us before publishing — we commit to a prompt response and to crediting researchers who disclose responsibly.

Security inquiry form

Legal documents

Enterprise procurement often requires executed legal agreements before onboarding. We have standard documents ready for enterprise review.

Data Processing Agreement (DPA) Request
Business Associate Agreement (BAA) Request
Master Service Agreement (MSA) Request
Request through form

Platform status

Real-time uptime and incident reporting

Public status page (coming Q3 2026)

Ready to see your actual posture?

Start the free 14-day trial and discover security gaps in your M365 and Azure environment.

Start Free 14-Day Trial