Trust by design. Read-only by default. Provable by audit.
SOC 2 in progress. GDPR aligned. HIPAA BAA available. Free 14-day trial.
Our security posture
Read-only data collection
We never write to your tenant, modify settings, or change configurations. Assessment access is strictly read-only.
Data stays in your region
Assessment findings are stored and processed in Azure regions aligned to your organizational data residency requirements.
SOC 2 Type II in progress
We are currently undergoing our SOC 2 Type II audit period. Report available on completion. We'll tell you when it's done, not before.
GDPR-aligned data handling
Data processing agreements (DPAs) are available on request. Data subject access request workflows are supported.
Compliance & certifications
We're honest about where we are. Procurement teams respect accuracy over inflated claims.
Status key: Active/Aligned = current. In progress = audit underway. Roadmap = planned, not started.
Data handling
Where data is stored
Assessment findings are stored in Azure PostgreSQL databases in Azure regions you select at onboarding. We use private endpoints — database instances are not publicly reachable. Storage at rest is encrypted using Azure-managed keys (AES-256).
Retention
Configurable. Default retention is 90 days of assessment history. Enterprise plans support custom retention periods. Data deletion on account termination is executed within 30 days of the request.
Who can access your data
Access is governed by row-level security — your tenant's data is logically isolated from all other tenants at the database layer. Bonelli Systems staff with platform admin access are subject to access logging and MFA enforcement. No data is shared with third parties for advertising or analytics purposes.
Encryption
All data in transit is encrypted via TLS 1.2 or higher. All data at rest is encrypted using AES-256. API endpoints enforce HTTPS-only. Internal service communication within Azure VNet uses private endpoints only.
Subprocessors
We use a limited set of infrastructure subprocessors. We update this list whenever our subprocessors change.
| Subprocessor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud platform — compute, storage, databases, networking | USA (primary); region-configurable |
Vulnerability disclosure
We practice coordinated disclosure. If you discover a security vulnerability in our platform, please report it to us before publishing — we commit to a prompt response and to crediting researchers who disclose responsibly.
Platform status
Real-time uptime and incident reporting