Privacy Policy

Last updated: 17 December 2025

1. Introduction

Poverud IT ("we", "us", "our") operates TrueConfig, a cloud-based configuration and governance platform for Microsoft Entra ID.

We are committed to protecting personal data and handling it transparently, securely, and in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

This Privacy Policy explains:

•What data we process
•Why we process it
•How it is stored and protected
•How long it is retained
•What rights data subjects have

2. Data Controller

Legal entity:: Poverud IT
Country of incorporation:: Norway
Registered address:: Munkegaten 9a, Norway
Operating scope:: Global
Contact for privacy matters:: privacy@trueconfig.cloud

Poverud IT acts as:

•Data Controller for account and service usage data
•Data Processor for customer tenant data processed on behalf of customers

3. Who This Policy Applies To

This policy applies to:

•IT administrators, security administrators, and CISOs using TrueConfig
•Employees, contractors, and guest users whose identity data exists in customer Microsoft Entra ID tenants

TrueConfig is not intended for use by children or minors, and we do not knowingly process data relating to children.

4. Personal Data We Process

4.1 Account and Identity Data

We process limited personal data required to operate the service, including:

•Name
•Email address
•Tenant ID
•User ID

Authentication is performed using Microsoft Entra ID single sign-on or magic link login.

4.2 Microsoft Entra ID Tenant Data

TrueConfig accesses Microsoft Entra ID data only with explicit customer consent via Microsoft Graph.

Depending on enabled features and granted permissions, this may include:

•Users and user identifiers
•Groups
•Administrative roles and assignments
•Conditional Access policies
•Application registrations and service principals
•Sign-in and audit metadata

Important:

TrueConfig reads tenant configuration data and may write or modify configuration only when explicitly approved and initiated by the customer.

Tenant configuration data is:

•Stored per tenant
•Logically isolated
•Never shared across tenants
•Retained according to the customer's plan (30, 90, or 365 days)

4.3 Authentication Tokens

TrueConfig uses only Microsoft-issued OAuth tokens.

•Access tokens and refresh tokens are stored encrypted at rest using AES-256-CBC.
•Tokens are scoped per tenant.
•No tokens are shared across tenants.
•Tokens are rotated regularly and overwritten.
•Tokens are never written to logs, traces, or monitoring systems.
•Tokens are transmitted only over encrypted connections (TLS 1.2+).

Customers can revoke all access at any time by revoking consent in Microsoft Entra ID.

4.4 Logs and Telemetry

TrueConfig collects operational logs necessary to provide the service, including:

•Application logs
•Audit logs
•User activity logs

Logs may include:

•User ID
•Tenant ID
•Device or browser metadata

Logs do not include:

•Authentication tokens
•Passwords
•IP addresses

Logs are used solely for service operation, troubleshooting, and security, not for marketing or advertising.

Retention is plan-based: 30, 90, or 365 days. Customers may request log deletion.

4.5 Automation and Remediation Records

When remediation actions occur, TrueConfig records:

•Before and after configuration state
•Approval records
•Actor identity

Remediation logs are immutable and retained for 90 days. Customers can export their remediation history.

5. Analytics and Tracking

TrueConfig does not use third-party analytics platforms.

Limited behavioral tracking occurs via internal application logs and includes:

•Page views
•Feature usage

This tracking is identifiable and used solely to operate, secure, and improve the product. No marketing tracking, advertising pixels, or third-party analytics are used.

6. AI and Automated Decision-Making

TrueConfig does not currently use artificial intelligence or machine learning to process customer data.

•No customer data is used to train AI models.
•Any future AI usage will be advisory only and disclosed before use.
•Claude Code is used solely as a development tool. No customer data is shared with AI services.

7. Data Storage and Security

Data is hosted in the European Union:

Infrastructure provider:: Supabase
Region:: Frankfurt, Germany

Security measures include:

•Encryption at rest and in transit
•Logical tenant isolation
•Restricted and logged access to production systems
•Regular security reviews and penetration testing
•Regular backups with 180-day retention

8. Subprocessors

TrueConfig uses the following subprocessors:

•Supabase (hosting and database)
•Vercel (application hosting)
•Resend (transactional email)

Some subprocessors may operate outside the EU. Appropriate data processing agreements are in place.

TrueConfig does not sell or share personal data with third parties for marketing purposes.

9. Data Retention and Deletion

Tenant data is retained according to the customer's plan.

After contract termination, tenant data is deleted within 1 day, unless legal obligations require longer retention.

Customers may request data export or deletion at any time.

10. Data Subject Rights

Data subjects have the right to:

•Access their personal data
•Rectify inaccurate data
•Request erasure
•Restrict processing
•Receive a copy of their data

Requests are handled manually via customer support at privacy@trueconfig.cloud.

11. Incident Response and Breach Notification

TrueConfig maintains an incident response plan.

In the event of a personal data breach:

•Customers will be notified within 72 hours of becoming aware
•Notification will be sent via email to the account owner

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to customers.

13. Contact

For privacy or data protection questions, contact:

Email:: privacy@trueconfig.cloud
Company:: Poverud IT
Address:: Munkegaten 9a, Norway