Security and trust
Security and tenant boundaries, by design
Policytab manages Conditional Access for a living. We hold our own platform to the same bar: scoped tenant access, protected credentials, auditable changes, and documentation you can forward to procurement.
Tenant access boundaries
Policytab workspaces serve MSPs and internal IT teams managing one or many Entra tenants. The app enforces workspace ownership on the server before tenant-scoped reads or writes. This is standard multi-tenant SaaS scoping, not a substitute for your own access reviews or contractual obligations with data subjects.
Credentials & encryption
Each connected tenant uses a single-tenant Entra app registration in that customer's directory. Credentials you provide are encrypted at rest and sent over TLS. Policytab does not use a shared multitenant OAuth app for onboarding. Backend service-role access is used only after the tenant ownership check passes for that request.
Auditability & CA changes
Administrative actions in Policytab are recorded in an append-only audit log. Conditional Access mutations go through dry-run validation, optional second-admin approval, pre/post snapshots, and rollback - not direct portal-style edits from our UI.
Consent & subprocessors
Onboarding connects via app registrations in each customer's Entra tenant (application permissions + admin consent there). There is no platform-wide multitenant consent URL. Production hosting defaults to AWS ca-central-1. Subprocessors are listed in the Privacy Policy; enterprise data-processing terms are in our DPA.
Early access
Policytab is in early access and not yet SOC 2 certified. We can share architecture documentation and answers to security questionnaires - typically within one business day. Enterprise workspaces can request a countersigned DPA via contact. Marketing pages use cookieless Vercel Web Analytics only - no advertising cookies.
Data residency
Production hosting defaults to AWS ca-central-1. Contact us for a specific region or a completed security questionnaire.
For security reviewers
Start with the Privacy Policy and Terms. Product onboarding is on /docs. Enterprise workspaces can request a countersigned DPA via contact.