Privacy Policy

Last updated: January 2025

1. Introduction

O365Validator ("we," "our," or "us") is operated by Trifident LLC. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Microsoft 365 security assessment service.

We are committed to protecting your privacy and handling your data with transparency. Please read this policy carefully to understand our practices.

2. Information We Collect

2.1 Information You Provide

  • Email address (through Microsoft authentication)
  • Name (through Microsoft authentication)
  • Organization/tenant information

2.2 Information from Microsoft Graph API

When you connect your Microsoft 365 tenant, we access security configuration data through Microsoft's Graph API with read-only permissions. This includes:

  • Conditional Access policy configurations
  • Authentication method settings
  • Role assignment information
  • Application permission grants
  • Security-related tenant settings

We do NOT collect: email content, file contents, chat messages, calendar data, passwords, or personal documents.

2.3 Assessment Results

We store the results of security assessments, including:

  • Pass/fail status for each security check
  • Severity ratings and scores
  • Remediation recommendations
  • Assessment timestamps

2.4 Technical Information

  • IP address
  • Browser type and version
  • Device information
  • Usage patterns and preferences

3. How We Use Your Information

We use the collected information to:

  • Perform security assessments of your Microsoft 365 tenant
  • Generate security reports and recommendations
  • Provide and maintain our service
  • Communicate with you about your account and assessments
  • Improve our service and develop new features
  • Ensure security and prevent fraud
  • Comply with legal obligations

4. Data Storage and Security

4.1 Encryption

All OAuth tokens are encrypted using AES-256-GCM encryption before storage. Each encryption operation uses a unique salt and initialization vector (IV). Encryption keys are derived using scrypt, a memory-hard key derivation function.

4.2 Data Transmission

All data transmitted between your browser, our servers, and Microsoft's APIs is encrypted using TLS 1.3.

4.3 Data Retention

Assessment results are retained for as long as your account is active. OAuth tokens are retained only as long as necessary to provide the service and are deleted upon account deletion or access revocation.

4.4 Infrastructure

Our application is hosted on Vercel's secure infrastructure. Database services are provided by Neon PostgreSQL with encryption at rest.

5. Data Sharing

We do not sell your personal information or tenant data. We may share information in the following circumstances:

  • Service Providers: With trusted third-party service providers who assist in operating our service (hosting, analytics, support)
  • MSP Relationships: If you're managed by an MSP using our platform, your assessment results may be visible to your designated MSP
  • Legal Requirements: When required by law, subpoena, or court order
  • Business Transfers: In connection with any merger, acquisition, or sale of assets

6. Your Rights

You have the right to:

  • Access your personal information
  • Correct inaccurate data
  • Request deletion of your data
  • Revoke access to your Microsoft 365 tenant at any time
  • Export your assessment data
  • Opt out of marketing communications

To exercise these rights, contact us at privacy@trifident.com or use the controls in your account settings.

7. Disconnecting Access

You can revoke O365Validator's access to your Microsoft 365 tenant at any time by:

  1. Going to the Microsoft Entra admin center
  2. Navigating to Enterprise Applications
  3. Finding O365Validator
  4. Clicking "Delete"

This immediately terminates all access to your tenant data.

8. Cookies and Tracking

We use essential cookies required for authentication and session management. We may use analytics cookies to understand how our service is used, with your consent where required by law.

9. Children's Privacy

Our service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us: