Legal · last updated 2 June 2026

Privacy policy

SimpleEntra is a read-only security posture tool. We have made this page straightforward so that CISOs, DPOs and auditors can get an overview quickly. For more technical depth, see our technical walkthrough.

1 · Who we are

SimpleEntra is provided by Zaulich ApS (CVR pending registration). Under GDPR we are a data processor — your organisation (or your MSP) is the data controller. We only process data on instruction from the data controller, documented in the Data Processing Agreement.

2 · What data we process

We read Microsoft Graph data from your Entra ID tenant via a set of read-only Application permissions. Specifically:

  • User metadata (name, UPN, last login, licence, MFA registration status)
  • Device metadata (OS, compliance status, last seen)
  • Sign-in logs (last 30 days)
  • Conditional Access policies
  • App registrations + service principals (metadata on secrets, not values)
  • Security signals — risky users, risk events

We never read email, calendars, OneDrive files, SharePoint content, Teams messages or any other user-generated content. Permissions such as Mail.Send, Mail.Read or similar are not part of our permission set.

3 · Legal basis

We process personal data on the basis of the Data Processing Agreement with you (data controller), pursuant to art. 28 GDPR. The data controller decides purpose and means. SimpleEntra's purpose is limited to:

  • Generating security posture reports
  • Identifying configuration risks
  • Mapping to compliance frameworks (NIS2, ISO 27001, DORA, CIS)
  • Audit trail of findings and actions

4 · Where data is stored

All persisted data is stored in Supabase Postgres in AWS eu-central-1 (Frankfurt). It never leaves the EU. Supabase is certified under SOC 2 Type II and HIPAA.

Connections between all components (customer browser → portal → database) use TLS 1.2 or higher. Data at rest is encrypted by Supabase (AES-256 via AWS KMS). Graph access tokens are not stored permanently; a fresh token is obtained for each call via the client credentials flow.

5 · Retention period

Data is retained for 12 months from the last scan activity. Then an automated job deletes everything — scan results, findings, sign-ins, devices, users. No soft-delete, no shadow copies.

If you delete your tenant manually from the portal, or revoke admin consent in Microsoft Entra, we cascade-delete all associated data immediately.

6 · Sub-processors

We use the following third-party processors. The list is exhaustive — there are no others.

  • Supabase
    Postgres database + authentication · Region: EU-Frankfurt · Scope: all persisted customer data · DPA via Supabase
  • Microsoft Graph
    Read-only data collection from your tenant's region · Transient — data processed in transit
  • Anthropic (optional, off by default)
    AI explanations per finding if enabled by data controller · Scope: finding title and description only · Never user data · Anthropic does not train on business API calls
  • Vercel
    Hosting of portal frontend · Region: Frankfurt (fra1) · Processes no customer data persistently — request/response stream only

7 · Open source components we build on

Our full scan uses Maester — an open source PowerShell module for Microsoft 365 security testing. It runs locally in our environment; no customer data is sent to the Maester project or external Maester services. Maester is licensed under MIT.

We also map to CIS Microsoft 365 Benchmarks, CISA SCuBA and EIDSCA — publicly available standards. We do not invent our own controls.

8 · Data Processing Agreement

Our DPA is based on the Danish Data Protection Authority's standard template and can be signed within 24 hours of enquiry. It is a mandatory prerequisite for production use. Contact us for a copy.

9 · Your rights under GDPR

As a data subject you have the right to:

  • Access your data (art. 15)
  • Rectification of incorrect data (art. 16)
  • Erasure (“right to be forgotten”, art. 17)
  • Restriction of processing (art. 18)
  • Data portability (art. 20)
  • Objection (art. 21)

Requests about these rights are handled primarily by the data controller (your MSP or organisation). For technical questions about what data SimpleEntra holds, contact us directly — see below.

10 · Cookies on the marketing site

We use no tracking cookies on simpleentra.dk. No Google Analytics, no Meta Pixel, no advertising trackers. If we add analytics later, we will use a privacy-first solution (Plausible or similar) and update this page.

The demo portal dev.portal.simpleentra.dk/demo sets one technical cookie (simpleentra_demo) to give you access to the demo tenant. It expires after 4 hours.

11 · Personal data breaches

If we discover a personal data breach involving your data, we will notify the data controller without undue delay — at the latest 24 hours after we become aware. The notification will include the nature of the breach, categories and approximate number of affected individuals, consequences, and remedial measures.

12 · Contact

Questions about data handling, DPA, deletion or rights:

Mads Zaulich
Zaulich ApS
mail@zaulich.dk

Complaints can also be submitted to the Danish Data Protection Authority (datatilsynet.dk).