
Data Security

Last updated: Oct 21, 2020

This section gives an overview of how Octiga obtains, processes, and stores data from your Microsoft 365 tenant. 

At the bottom we summarise GDPR-related information. For detailed information, please read our Privacy Policy.

Deployment Architecture

Our solution is a standard SaaS (Software as a Service) product deployed in the cloud on our own infrastructure. At present we run a single instance, hosted in Ireland on AWS (Amazon Web Services). We will deploy in other jurisdictions as required. We are also considering an Azure deployment and welcome potential clients to discuss their deployment and data sovereignty requirements with us.

Interfaces 

Our service connects directly to the client's Microsoft 365 tenant through multiple Microsoft interfaces and authenticates with a dedicated Octiga service user. The service user is created when our app (our service) is first connected to your tenant during the one-click sign-up. The service uses the following interfaces to gather data and to make configuration changes in the client's tenant:

  • Exchange Online (PowerShell) 
  • Azure AD (PowerShell)  
  • Microsoft Online (PowerShell) 
  • SharePoint Online (PowerShell) 
  • OneDrive Online (PowerShell) 
  • Microsoft Graph (REST) 
  • Microsoft Management API (REST) 

Data 

Octiga processes and stores data only for the purpose of providing cybersecurity services on the client's Microsoft 365 tenant. We use this data solely to infer security incidents and the tenant's security configuration.

The data includes: 

  • Some tenant configuration data (security-relevant configuration settings)
  • System Events (Audit Log Events) and their associated metadata.   

Octiga does not store or process any company documents, employee communications, or emails.   

Security 

Octiga takes care that client data, where it must be processed or stored, is handled to high security standards using modern security techniques. The following provides some details; further details can be made available upon request.

Octiga employs a multi-tier security architecture in the cloud so that client data is protected at every point of processing and storage.

The service user's credentials are encrypted twice: at rest by the storage layer, and again at application level before they are written. Internal access to them is restricted to the small number of Octiga employees who need it. The containers that use the service users are isolated from the rest of our systems in a dedicated Virtual Private Cloud (VPC); this VPC is separate from our main private VPC, which in turn sits behind our public-facing VPC.

All data is encrypted at rest.  All data transfer, both internally and externally, is over secure encrypted channels.   

Each client's data is processed in strict tenant isolation. Where possible this is achieved with AWS Lambda functions; where Lambda functions are not applicable, for example for issuing and processing PowerShell calls, a dedicated, on-demand operating-system container (Docker container) is allocated per tenant.

GDPR and Personally Identifiable Information 

System events and, in some limited cases, configuration data may include personally identifiable information (PII) such as:

  • The User Principal Name (UPN), typically the user's email address, of the user who triggered an audit event.
  • Names and addresses of users (as part of their mailbox metadata)
  • The IP address of the user/actor who triggered the event

This data is extracted from the Microsoft interfaces during processing for the purpose of cybersecurity services. The only pieces of PII we store are the UPN and the IP address; these are required for on-demand security analysis.
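As an added illustration of the data minimisation described above (example code written for this page, not Octiga's own code), the following Python reduces Microsoft 365 audit-log records to the two PII fields the page says are retained, the UPN and the client IP, and drops everything else before storage. Field names follow the Office 365 Management Activity API common schema (UserId, ClientIP, Operation, CreationTime, Workload, RecordType); the sample records, the allowlist of non-PII metadata kept, and the helper names are constructed assumptions. The IP handling covers a practical edge case: audit records sometimes carry a port suffix ("203.0.113.45:51432", "[2001:db8::1f]:443") or no address at all for service-initiated operations.

```python
# Added example (not Octiga's code): minimising Microsoft 365 audit-log records to the
# PII this page says is retained (UPN and client IP). Field names follow the Office 365
# Management Activity API common schema; the sample records and the allowlist of kept
# fields are constructed assumptions for illustration.
import ipaddress
import json
from typing import Any, Dict, List, Optional

# Non-PII event metadata worth keeping for security analysis (assumed allowlist).
KEEP_FIELDS = ("CreationTime", "RecordType", "Operation", "Workload")

# Constructed sample records, not real tenant data. They exercise three shapes of
# ClientIP seen in practice: IPv4 with a port suffix, bracketed IPv6 with a port,
# and a missing value for a service-initiated operation.
SAMPLE_AUDIT_JSON = json.dumps([
    {"CreationTime": "2020-10-21T09:15:02", "RecordType": 15, "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "alice@contoso.example",
     "ClientIP": "203.0.113.45:51432", "ObjectId": "Unknown", "UserAgent": "Mozilla/5.0"},
    {"CreationTime": "2020-10-21T09:16:40", "RecordType": 2, "Operation": "Set-Mailbox",
     "Workload": "Exchange", "UserId": "bob@contoso.example",
     "ClientIP": "[2001:db8::1f]:443",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "x@attacker.example"}]},
    {"CreationTime": "2020-10-21T09:17:10", "RecordType": 6, "Operation": "FileAccessed",
     "Workload": "SharePoint", "UserId": "app@sharepoint", "ClientIP": None,
     "ObjectId": "https://contoso.example/Shared Documents/payroll.xlsx"},
])


def normalise_client_ip(raw: Optional[str]) -> Optional[str]:
    """Return a canonical IP string, or None when no valid address can be recovered.

    Audit records sometimes append ":port" to the address. IPv4 with a port contains
    exactly one colon; IPv6 with a port is written as "[addr]:port". A bare IPv6
    address has several colons and must not be split.
    """
    if not raw:
        return None
    candidate = raw.strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        pass
    if candidate.startswith("[") and "]" in candidate:
        candidate = candidate[1:candidate.index("]")]
    elif candidate.count(":") == 1:
        candidate = candidate.rsplit(":", 1)[0]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def minimise_record(record: Dict[str, Any]) -> Dict[str, Any]:
    """Keep only allowlisted metadata plus the two PII fields (UPN, ClientIP).

    Everything else (UserAgent, ObjectId paths, cmdlet Parameters, ...) is dropped
    before storage so that document names, forwarding addresses and similar values
    never reach the datastore.
    """
    kept = {k: record.get(k) for k in KEEP_FIELDS}
    kept["UPN"] = record.get("UserId")
    kept["ClientIP"] = normalise_client_ip(record.get("ClientIP"))
    return kept


def minimise(audit_json: str) -> List[Dict[str, Any]]:
    """Parse a JSON array of audit records and minimise each one."""
    return [minimise_record(r) for r in json.loads(audit_json)]


if __name__ == "__main__":
    for row in minimise(SAMPLE_AUDIT_JSON):
        print(json.dumps(row))
```

The allowlist approach is deliberate: a denylist of known-sensitive fields would silently start retaining new PII the moment Microsoft adds a field to the schema, whereas an allowlist fails closed.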

Further information regarding privacy can be found in our Privacy Policy at https://octiga.io/privacy