Data Access Architecture
OpexSnip connects to your Microsoft 365 tenant via read-only API. We access only the data strictly required to quantify inactive capital. We never request, hold, or exercise write access to any client system.
| Property | Specification |
|---|
| Access Model | Read-only OAuth 2.0 tokens. Zero write permissions requested or granted across all instances. |
| App Registration | Single-tenant. Client registers the app in their own Azure AD tenant — OpexSnip never has multi-tenant access. |
| Required Permissions | Reports.Read.All · User.Read.All · Directory.Read.All — minimum viable footprint, universally read-only. |
| Data Residency | All telemetry processed and stored in-region (US-East). No cross-border transfer of PII. |
| PII Exposure | OpexSnip ingests license metadata and usage timestamps only. Absolute zero access to email, files, or user communications. |
| Token Storage | API credentials stored in an encrypted vault (AES-256). Rotated every 90 days. Client-revocable at any moment. |
| Raw Data Handling | Raw Microsoft 365 usage data is processed in-memory and never written to disk. Only computed waste outcomes are stored. |
The Access Boundary
✓ What OpexSnip Accesses
·License assignment configurations
·Last sign-in timestamp per user
·User display name and department
·Aggregated activity statistics
·License SKU and product metadata
✗ What OpexSnip Never Accesses
·Email content or routing metadata
·Calendar data or meeting structures
·SharePoint or OneDrive files
·Teams messages or chat history
·Personal communications of any mechanism
Encryption & Transmission
| Property | Specification |
|---|
| Data in Transit | TLS 1.3 enforced on all API connections. TLS 1.2 minimum accepted limit. |
| Data at Rest | AES-256 encryption across all storage components and database rows. |
| CSV Upload Files | Auto-eradicated from storage within 1 hour of successful processing. Never persisted. |
| Board-Ready PDF Reports | Stored in private silo. Accessible via signed URLs only — never publicly exposed. |
| Backup Policy | Encrypted daily snapshots. 30-day retention. Disaster recovery RTO: 4 hours. |
Compliance Frameworks
| Standard | Status | Verification |
|---|
| SOC 2 Type II |
In Progress |
Vanta compliance protocol active. Target completion: Q4 2026. Executive report available under NDA. |
| ISO 27001 |
In Progress |
Controls mapped strictly to ISO 27001 Annex A. Formal external audit scheduled Q3 2026. |
| GDPR |
Aligned |
Data Processing Agreement (DPA) available for EU engagements. Zero external sale of client data. |
| CCPA |
Aligned |
California Consumer Privacy Act integrity maintained. No data trading or broker exchanges. |
| HIPAA |
BAA Available |
Business Associate Agreement available for healthcare clients, despite PHI access implicitly bypassed by protocol. |