Security & Trust

CYBERWHITE protects your data with robust security practices

Our Security Commitments

Encryption

TLS 1.3 in transit, AES-256 at rest

Access Control

Role-based access control with secure authentication

Infrastructure

AWS Sydney (Australia) enterprise cloud hosting

Audit Logging

Comprehensive activity logging and audit trails

Data Privacy

Your data stays yours, not sold to third parties

Compliance

Built with SOC 2 Type II controls in mind

Microsoft 365 Integration Security

We understand M365 integration security is critical. Here's how we protect your Microsoft environment:

Microsoft OAuth 2.0

Authentication happens directly with Microsoft - we never see or store your Microsoft credentials. You control access through your Azure AD tenant.

Two-Tier Consent Model

Security scanning uses read-only access by default. If you choose to enable automated remediation, a separate explicit consent step is required — you always see exactly what permissions are being requested.

Least Privilege Access

We request only the minimum permissions needed for each function. Scanning requires only read access to security configurations. Write permissions are never granted without a separate, deliberate consent step. CYBERWHITE has no access to emails, documents, or personal user data.

Revocable Anytime

You maintain full control. Revoke CYBERWHITE's access at any time through your Azure AD portal - no data loss, just disconnection.

Secure Token Storage

OAuth tokens are encrypted at rest and in transit. Read and write tokens are stored separately with independent expiry. Tokens are never logged or exposed in application code.

Admin Consent Required

Only Global Administrators can authorize the M365 connection, ensuring proper oversight and approval workflows in your organization.

Security Features

Encryption at Rest and in Transit: AES-256 encryption at rest, TLS 1.3 for all data in transit
Comprehensive Audit Logging: Activity logs for authentication, data access, and system changes with compliance tagging (ISO27001, SOC2, GDPR)
Multi-Tenant Data Isolation: Tenant data isolation ensures your data never mixes with other organizations' data
Daily Automated Backups: Daily encrypted backups with 7-day retention and point-in-time recovery
OAuth Security: Microsoft 365 integration uses OAuth 2.0 with least privilege access and a two-tier consent model separating read and write permissions
Security-First Development: Secure development practices with code reviews and testing
Data Retention Control: Configure how long your assessment data is retained
Australian Data Sovereignty: All data hosted in AWS Sydney in compliance with Australian privacy laws

Common Security Questions

Can CYBERWHITE modify my Microsoft 365 environment?

Not without your explicit permission. Security scanning is read-only by default. Automated remediation features require a separate consent step where you grant specific write permissions. You can revoke write access at any time without affecting scanning.

Who can see my assessment data?

Only authorized users in your organization. For MSPs, only assigned consultants can access client data. Data is never shared with third parties.

Where is my data stored?

Data is hosted in AWS Sydney, Australia (ap-southeast-2 region) with enterprise-grade security and encryption at rest. This ensures low latency for APAC customers and compliance with Australian data sovereignty requirements.

How do I disconnect M365 integration?

Revoke access anytime through Azure AD Enterprise Applications or within CYBERWHITE settings. Historical assessment data remains until you delete it.

Is CYBERWHITE SOC 2 compliant?

CYBERWHITE is built with SOC 2 Type II controls in mind. Contact us for our current compliance status and documentation.

Questions About Security?

Contact our security team for detailed documentation, compliance reports, or custom security requirements.