Security & Data
How TrueConfig protects your data, handles Microsoft 365 credentials, and maintains security best practices.
Why This Matters
As a security tool with access to your Microsoft 365 tenant, TrueConfig must meet the highest security standards. This page provides the information you need for vendor security reviews, compliance assessments, and internal security approvals.
What Data TrueConfig Stores
TrueConfig collects only the data necessary to evaluate your security posture and detect configuration drift. We follow a principle of minimal data collection.
Configuration Data
We store snapshots of your Microsoft 365 security configuration:
- Conditional Access policy configurations (not user assignments)
- Directory role assignments and PIM settings
- Authentication method policies
- Application registrations and service principal metadata
- Guest access settings
User Metadata
Limited user information for evaluation purposes:
- User principal names (UPNs) for privileged accounts
- MFA registration status (registered/not registered)
- Account type (member, guest, service account)
- Last sign-in timestamps for stale account detection
Audit & Activity Data
For drift detection and change attribution:
- Entra ID audit log entries related to security settings
- Actor information for configuration changes
- Timestamps for all detected changes
Data Encryption
Encryption at Rest
- ✓ AES-256 encryption for all stored data
- ✓ Database-level encryption via Supabase
- ✓ Encrypted backups with separate key management
Encryption in Transit
- ✓ TLS 1.3 for all API communications
- ✓ HTTPS enforced for all endpoints
- ✓ Certificate pinning for Microsoft Graph API calls
Token Storage & Credential Management
OAuth Token Handling
When you connect your Microsoft 365 tenant, TrueConfig stores OAuth tokens to access Microsoft Graph API:
- ✓ Encrypted storage: Tokens are encrypted at rest using AES-256
- ✓ Organization-scoped: Tokens are isolated per organization with Row Level Security (RLS)
- ✓ Automatic refresh: Access tokens are short-lived (1 hour) and automatically refreshed
- ✓ Revocable: You can revoke access at any time from the Entra admin center or by disconnecting the tenant in TrueConfig
Connecting Your Microsoft 365 Tenant
TrueConfig uses OAuth 2.0 with admin consent to securely connect to your Microsoft 365 tenant. Here's how the connection process works:
Connection Flow
1. Initiate Connection: Click "Connect Tenant" in TrueConfig. You'll be redirected to Microsoft's login page.
2. Admin Consent: A Global Administrator or Privileged Role Administrator must approve the permissions. Review the requested permissions carefully.
3. Token Exchange: Microsoft issues OAuth tokens (access + refresh). These are encrypted and stored securely in our EU database.
4. Initial Scan: TrueConfig performs an initial scan of your tenant configuration using Microsoft Graph API.
Who Can Connect
The following Entra ID roles can grant admin consent for TrueConfig:
- Global Administrator
- Privileged Role Administrator
- Cloud Application Administrator (for app consent only)
Revoking Access
You can revoke TrueConfig's access at any time:
- From TrueConfig: Settings → Disconnect Tenant
- From Entra: Enterprise Applications → TrueConfig → Properties → Delete
- From Entra: Enterprise Applications → TrueConfig → Permissions → Revoke admin consent
Microsoft Graph Permissions Reference
TrueConfig uses delegated permissions with admin consent. All permissions are read-only unless you enable auto-remediation.
| Permission | Purpose |
|---|---|
| User.Read.All | Read user accounts, MFA status, sign-in activity |
| Policy.Read.All | Read Conditional Access policies, auth methods |
| Application.Read.All | Read app registrations and service principals |
| RoleManagement.Read.Directory | Read directory role assignments and PIM settings |
| Group.Read.All | Read groups and memberships for role analysis |
| AuditLog.Read.All | Read audit logs for drift detection |
| UserAuthenticationMethod.Read.All | Read MFA registration details |
| IdentityRiskyUser.Read.All | Read risky user detections (requires P2) |
| Reports.Read.All | Read sign-in and usage reports |
Auto-Remediation Permissions (Optional)
These write permissions are only requested when you enable auto-remediation. Each requires separate admin consent:
| Permission | Enables |
|---|---|
| Policy.ReadWrite.ConditionalAccess | Create/update Conditional Access policies |
| RoleManagement.ReadWrite.Directory | Convert permanent roles to PIM eligible |
| User.ReadWrite.All | Create emergency access accounts |
| Policy.ReadWrite.AuthenticationMethod | Configure authentication methods |
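Steps 1 to 3 of the connection flow and the permission tables above, as an added example that is not TrueConfig's own code: it builds the admin consent URL for the documented read-only scopes, validates the consent callback (state value and admin_consent flag) and lists any consented scope the page does not document for the current mode, which is what a reviewer would want to check before the first scan. The endpoint and callback parameter names are those of the Microsoft identity platform v2.0 admin consent endpoint; the client ID, redirect URI, tenant id and callback query are constructed placeholders.

```python
"""Added example, not TrueConfig's own code. Builds the Microsoft identity platform admin-consent
URL from the scopes documented above, validates the callback and flags undocumented scopes.
Client ID, redirect URI, tenant id and callback values are constructed placeholders."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Delegated read-only scopes listed in the permissions reference.
READ_ONLY_SCOPES = {
    "User.Read.All", "Policy.Read.All", "Application.Read.All",
    "RoleManagement.Read.Directory", "Group.Read.All", "AuditLog.Read.All",
    "UserAuthenticationMethod.Read.All", "IdentityRiskyUser.Read.All", "Reports.Read.All",
}
# Write scopes that should only be present once auto-remediation is enabled.
REMEDIATION_SCOPES = {
    "Policy.ReadWrite.ConditionalAccess", "RoleManagement.ReadWrite.Directory",
    "User.ReadWrite.All", "Policy.ReadWrite.AuthenticationMethod",
}
GRAPH = "https://graph.microsoft.com/"
CONSENT_ENDPOINT = "https://login.microsoftonline.com/organizations/v2.0/adminconsent"

def build_admin_consent_url(client_id, redirect_uri, state, scopes=READ_ONLY_SCOPES):
    """Steps 1-2 of the flow: the URL the approving admin is redirected to."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "state": state,  # unguessable per-request value, checked on return
              "scope": " ".join(GRAPH + s for s in sorted(scopes))}
    return CONSENT_ENDPOINT + "?" + urlencode(params)

def check_consent_callback(callback_url, expected_state, remediation_enabled=False):
    """Validate the redirect back from Microsoft; return (tenant id, excess scopes), where
    excess scopes are granted but not documented for the current mode."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    if "error" in q:
        raise ValueError(f"consent failed: {q['error']}: {q.get('error_description', '')}")
    if not secrets.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch: stale or forged callback")
    if q.get("admin_consent", "").lower() != "true":
        raise ValueError("admin consent was not granted")
    granted = {s.removeprefix(GRAPH) for s in q.get("scope", "").split()}
    allowed = READ_ONLY_SCOPES | (REMEDIATION_SCOPES if remediation_enabled else set())
    return q["tenant"], sorted(granted - allowed)

if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_admin_consent_url("00000000-0000-0000-0000-000000000000",
                                  "https://app.example/callback", state))
    # Constructed callback: a write scope was consented while remediation is off.
    callback = ("https://app.example/callback?admin_consent=True&tenant=contoso-tenant-id"
                f"&state={state}&scope={GRAPH}User.Read.All%20{GRAPH}User.ReadWrite.All")
    print(check_consent_callback(callback, state))  # -> ('contoso-tenant-id', ['User.ReadWrite.All'])
```

A non-empty excess list means the consented grant is wider than the mode you intended; the same comparison can be run against the Permissions page of the enterprise application in Entra after consent.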
Data Residency & Infrastructure
Infrastructure Location
TrueConfig infrastructure is hosted entirely within the European Union:
- Database: Supabase PostgreSQL (AWS eu-central-1, Frankfurt, Germany)
- Edge Functions: Supabase Edge (Deno Deploy, EU region)
- Application: Vercel (EU region, fra1)
- CDN: Vercel Edge Network (global, but origin in EU)
Technology Stack
- Application: Next.js 15 (App Router) on Vercel
- Database: PostgreSQL 17 via Supabase
- Authentication: Supabase Auth (email/password, SSO)
- Background Jobs: Supabase Edge Functions (Deno runtime)
- Microsoft Integration: Microsoft Graph API via OAuth 2.0
Data Retention Policies
Retention periods vary by plan tier and data type:
| Data Type | Free | Pro | Scale |
|---|---|---|---|
| Scan history | 7 days | 90 days | 1 year |
| Drift events | 7 days | 90 days | 1 year |
| Audit logs | 30 days | 90 days | 2 years |
| Configuration snapshots | Latest only | 30 days | 1 year |
| Remediation history | N/A | 90 days | 2 years |
Account & Data Deletion
Deletion Process
When you delete your account or disconnect a tenant:
- ✓ Immediate: OAuth tokens are revoked and deleted
- ✓ Within 24 hours: Active data is soft-deleted
- ✓ Within 30 days: Data is permanently purged from all systems, including backups
To request immediate data deletion, contact privacy@trueconfig.io.
Compliance & Certifications
Current Status
- ✓ GDPR compliant
- ✓ CCPA compliant
- ✓ Microsoft Partner Security Requirements
Roadmap
- ○ SOC 2 Type II (in progress)
- ○ ISO 27001 (planned)
GDPR & Privacy
Your Rights Under GDPR
Right to Access
Request a copy of all data we hold about you and your organization.
Right to Rectification
Request correction of inaccurate personal data.
Right to Erasure
Request deletion of your personal data ("right to be forgotten").
Right to Portability
Export your data in a machine-readable format.
To exercise any of these rights, contact our Data Protection Officer at dpo@trueconfig.io.
Security Practices
Infrastructure Security
- ✓ All infrastructure runs in SOC 2 compliant cloud environments
- ✓ Network segmentation and firewall rules restrict access
- ✓ DDoS protection via Cloudflare and Vercel
- ✓ Automated vulnerability scanning and patching
Application Security
- ✓ Row Level Security (RLS) ensures strict tenant isolation
- ✓ All API endpoints require authentication
- ✓ Input validation and sanitization on all user inputs
- ✓ Rate limiting to prevent abuse
- ✓ Regular third-party security assessments
Operational Security
- ✓ Employee access requires MFA and follows least privilege
- ✓ All access to production systems is logged and audited
- ✓ Security awareness training for all team members
- ✓ Incident response plan with defined escalation procedures
Vendor Security Review
Need More Information?
For vendor security reviews, compliance questionnaires, or enterprise security requirements:
- Security questionnaires: security@trueconfig.io
- Enterprise agreements: enterprise@trueconfig.io
- Penetration test reports: Available under NDA for Scale customers
- SOC 2 report: Available upon request (when completed)