Security & Trust Center

Security at AzureProof

We help companies pass SOC2. We take our own security at least as seriously as we expect our customers to take theirs.

Our commitments

How we protect you.

Security is not a feature — it is the foundation of everything we build.

Read-only access

Our service principal holds only read-only roles (listed under "Permissions we request" below). It has no write, delete, or role-assignment rights, so it cannot create, change, or remove resources in your subscription or objects in your tenant.

Encryption at rest

Secrets and other sensitive data are encrypted with AES-256 at the application layer; database volumes are additionally encrypted at rest by our hosting provider.

Encryption in transit

TLS 1.2 or newer everywhere. Dashboard and API traffic is served over HTTPS, and outbound webhooks are delivered only to HTTPS endpoints.

No data exfiltration

We store evidence metadata and configuration snapshots, not your actual Azure data or customer records.

Audit logging

Every action is logged with actor, timestamp, IP, and user agent. Logs are retained for 12 months.

MFA required

Multi-factor authentication is enforced for every member of our team accessing production systems.

Permissions we request

Least-privilege access.

Every permission has a purpose. If we do not need it, we do not ask for it.

Permission: Reader
Scope: Subscription
Why we need it: Read resource configurations, tags, and metadata for evidence collection.
What we do NOT do: We never create, update, or delete any Azure resource.

Permission: Security Reader
Scope: Subscription
Why we need it: Read security posture from Microsoft Defender for Cloud and security policies.
What we do NOT do: We never modify security settings or alerts.

Permission: Directory Readers (Entra ID role)
Scope: Tenant
Why we need it: Read Entra ID users, groups, roles, and conditional access policies for identity controls.
What we do NOT do: We never create, update, or delete users, groups, or policies.

Permission: Storage Blob Data Reader
Scope: Storage account
Why we need it: Read storage configuration and encryption settings for data-at-rest evidence.
What we do NOT do: We never read your actual blob content or customer data.

Note that Reader, Security Reader, and Directory Readers are control-plane and directory read roles, whereas Storage Blob Data Reader is a data-plane role: it permits listing containers and reading blob content. Not reading content is therefore a policy commitment on our side, not a boundary the role itself enforces, which is why we ask for it only at storage-account scope rather than at the subscription.

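The check a customer should run before and after granting these roles is to list every RBAC assignment the vendor's service principal actually holds and compare it with the set above. The script below is an added example, not AzureProof's own code: it audits the JSON that `az role assignment list --assignee <appId> --all -o json` returns, denies any role outside the read-only allowlist, flags data-plane roles (which can read content, not only settings) and refuses them above storage-account scope, and flags assignments above the subscription. The sample input is constructed with placeholder subscription and principal IDs. Entra directory roles such as Directory Readers are not RBAC assignments and are outside this check.

```python
"""Audit a vendor service principal's Azure RBAC assignments (added example,
not AzureProof's code). Runs offline on the constructed sample below; against
a real tenant, feed it the output of
`az role assignment list --assignee <appId> --all -o json`."""
import json

# Roles the page says the integration needs (control plane plus one data plane).
ALLOWED_ROLES = {"Reader", "Security Reader", "Storage Blob Data Reader"}
# Data-plane roles: permitted, but they can read content, not only configuration,
# so they are flagged and accepted only at storage-account scope.
DATA_PLANE_ROLES = {"Storage Blob Data Reader"}
STORAGE_SCOPE_MARKER = "/providers/Microsoft.Storage/storageAccounts/"
MG_SCOPE_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Constructed sample in the shape of `az role assignment list` output.
# The subscription, principal and account names are placeholders.
SAMPLE_JSON = """[
  {"principalType": "ServicePrincipal",
   "principalId": "11111111-1111-1111-1111-111111111111",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalType": "ServicePrincipal",
   "principalId": "11111111-1111-1111-1111-111111111111",
   "roleDefinitionName": "Storage Blob Data Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stevidence01"},
  {"principalType": "ServicePrincipal",
   "principalId": "11111111-1111-1111-1111-111111111111",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]"""


def load_sample():
    """Parse the constructed sample into the list form the CLI would give."""
    return json.loads(SAMPLE_JSON)


def audit_assignments(assignments, allowed=ALLOWED_ROLES, data_plane=DATA_PLANE_ROLES):
    """Return (severity, role, scope, reason) tuples; an empty list means clean."""
    findings = []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        if role not in allowed:
            # Anything outside the read-only set is an outright failure.
            findings.append(("DENY", role, scope, "role is not in the read-only allowlist"))
            continue
        if role in data_plane:
            if STORAGE_SCOPE_MARKER not in scope:
                findings.append(("DENY", role, scope,
                                 "data-plane role granted above storage-account scope"))
            else:
                findings.append(("WARN", role, scope,
                                 "data-plane role can read blob content, not only settings"))
        if scope == "/" or scope.startswith(MG_SCOPE_PREFIX):
            # Root or management-group scope spills into subscriptions you never listed.
            findings.append(("WARN", role, scope, "assignment above subscription scope"))
    return findings


def is_read_only(assignments):
    """True when nothing is denied; WARN findings still deserve a human look."""
    return not any(sev == "DENY" for sev, *_ in audit_assignments(assignments))


if __name__ == "__main__":
    sample = load_sample()
    for sev, role, scope, reason in audit_assignments(sample):
        print(f"{sev:4} {role:26} {scope}\n     {reason}")
    print("read-only:", is_read_only(sample))
```

On the sample the script warns on the blob reader (expected) and denies the Contributor assignment, which is exactly the kind of drift that creeps in when someone "temporarily" widens a vendor's access; run it from a scheduled job and alert on any DENY.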
Compliance

Certifications & frameworks.

SOC2 Type II: In progress

Controls are implemented. Audit scheduled for Q4.

ISO 27001: On roadmap

Planned for 2026.

GDPR: Compliant

Data processing agreements in place. Right-to-erasure supported.

Subprocessors

Who we rely on.

We only use processors that meet our security bar and offer signed DPAs.

Name: Supabase
Purpose: Database hosting, authentication
Location: US East (N. Virginia)
DPA: Signed

Name: Stripe
Purpose: Billing, subscription management
Location: US
DPA: Signed

Name: Resend
Purpose: Transactional email delivery
Location: US
DPA: Signed

Name: Cloudflare
Purpose: DNS, CDN, DDoS protection
Location: Global
DPA: Signed

Responsible disclosure

Found something?

We welcome responsible security research and will respond to all reports within 48 hours.

How to report

Email us at security@azureproof.com. Include a clear description of the issue, steps to reproduce, and the potential impact. We ask that you give us 90 days to remediate before any public disclosure.

Our promise

  • Acknowledge receipt within 48 hours
  • Keep you informed during remediation
  • Publicly credit you, with your permission
  • No legal action for good-faith research