How We Handle Your Data

We analyze without storing. Client data stays in client systems. We deliver architecture guidance, compliance mappings, and Infrastructure-as-Code without retaining sensitive business data.

Audit access is read-only, time-boxed, and logged. Every request follows least privilege and expires automatically. We provide access records at engagement close.

Where possible, analysis runs in your environment. Scans, benchmark scripts, and assessment checks execute inside your Azure tenant. Raw infrastructure telemetry stays within your subscription boundary.

We collect only metadata needed for recommendations: resource counts, SKU configurations, topology summaries, and control status. We do not retain usernames, passwords, application data, database contents, or personal data. Engagement metadata is purged after 90 days unless otherwise required.

Our internal operations align to SOC 2, NIST 800-53, and CMMC Level 2 principles. We maintain documented policies for access control, incident response, data classification, and vendor management.