Privacy Policy

Last updated: July 2025

1. Overview

AppConfig² is designed with privacy in mind. We do not store personal data on our servers and operate entirely within your Microsoft Entra ID environment. This policy explains how we handle information during your use of our service.

Key Privacy Principle: AppConfig² processes data temporarily for functionality purposes but does not permanently store user data outside your Microsoft Entra ID tenant.

2. Information AppConfig² Accesses

To provide its functionality, AppConfig² requires access to certain information within your Microsoft Entra ID tenant:

2.1 Authentication Information

  • User identity and basic profile information (name, email, tenant ID)
  • Authentication tokens for Microsoft Graph API access
  • User roles and permissions within your organization

2.2 Application Data

  • Application registrations and their configurations
  • API permissions and consent information
  • Authentication settings and redirect URIs
  • Claims mapping policies and directory extensions
  • Application secrets metadata (not the actual secret values)

2.3 Directory Information

  • User and group information for provisioning features
  • Conditional access policies and their assignments
  • Directory schema and extension attributes

3. Local Data Storage & Caching

AppConfig² uses your browser's local storage to improve performance and user experience:

3.1 Cached Information

  • Application metadata: Names, IDs, and basic configuration data (cached for up to 5 minutes)
  • User preferences: UI settings, filter selections, and pagination preferences
  • Ownership data: Application ownership information for permission management
  • Service principal mappings: For identifying application types and configurations

3.2 Cache Management

  • Cache data is automatically purged every 5 minutes
  • All cached data is cleared when you log out
  • You can manually clear cache through browser settings
  • No cached data is transmitted to our servers

4. How We Use Your Information

Information accessed by AppConfig² is used solely for the following purposes:

4.1 Core Functionality

  • Displaying and managing your Microsoft Entra ID applications
  • Testing authentication flows and analyzing tokens
  • Creating and restoring application configuration backups
  • Providing user and permission management capabilities

4.2 Performance Optimization

  • Caching frequently accessed data to reduce API calls
  • Maintaining session state for seamless user experience
  • Batching API requests to improve response times

4.3 Security & Access Control

  • Verifying user permissions and organizational access
  • Implementing tenant allowlist security controls
  • Monitoring for unauthorized access attempts

Important: No personally identifiable information is stored permanently or shared with third parties.

5. Data Transmission & Security

AppConfig² implements security best practices for data handling:

5.1 Encryption

  • All data transmission uses HTTPS/TLS encryption
  • Authentication tokens are handled securely and never logged
  • Local cache data is stored in browser's secure storage

5.2 Access Controls

  • Tenant allowlist system prevents unauthorized organizational access
  • Role-based access control respects your Entra ID permissions
  • Session timeouts and automatic logout for inactive sessions

5.3 API Security

  • All Microsoft Graph API calls use your authenticated session
  • API requests are limited to necessary scopes and permissions
  • Rate limiting and error handling to prevent abuse

6. Third-Party Services

AppConfig² integrates with Microsoft services only:

  • Microsoft Entra ID: For authentication and identity management
  • Microsoft Graph API: For accessing and managing directory data
  • Azure hosting services: For application hosting and delivery

No other third-party services have access to your data or authentication information.

7. Data Retention & Deletion

AppConfig² follows a minimal data retention approach:

7.1 No Permanent Storage

  • No user data is permanently stored on AppConfig² servers
  • Session data is purged when sessions end
  • Application configurations are accessed in real-time from your Entra ID

7.2 Local Data Cleanup

  • Browser cache is automatically cleared every 5 minutes
  • Logout process removes all cached data
  • Browser closure may retain cache until next cleanup cycle

7.3 User Control

  • Users can revoke access permissions at any time via Microsoft Entra Admin Center
  • Administrators can remove tenant access by contacting support
  • Browser cache can be manually cleared through browser settings

8. Your Rights & Control

You maintain full control over your data when using AppConfig²:

8.1 Access Control

  • Manage access permissions through Microsoft Entra ID admin center
  • Revoke application consent at any time
  • Control which users in your organization can access AppConfig²

8.2 Data Portability

  • All data remains in your Microsoft Entra ID tenant
  • No vendor lock-in or proprietary data formats
  • Standard Microsoft Graph API access for data export

8.3 Transparency

  • Request information about data processing activities
  • Receive notifications of any material changes to data handling
  • Contact support for privacy-related questions or concerns

9. Compliance & Regulatory Information

AppConfig² is designed to support compliance with major privacy regulations:

9.1 GDPR Compliance

  • Minimal data processing principle
  • No cross-border data transfers (data remains in your tenant)
  • User rights to access, rectify, and erase data
  • Data Protection Impact Assessment available upon request

9.2 Microsoft Trust Center

  • Builds on Microsoft's security and compliance foundation
  • Inherits Microsoft Entra ID's compliance certifications
  • Follows Microsoft's privacy and security standards

10. Changes to Privacy Policy

We may update this Privacy Policy periodically to reflect:

  • Changes in AppConfig² functionality or features
  • Updates to privacy regulations or compliance requirements
  • Improvements to our privacy practices

Significant changes will be communicated through:

  • In-application notifications
  • Email notifications to tenant administrators
  • Updates posted on our website

Continued use of AppConfig² after such updates constitutes acceptance of the revised Privacy Policy.

11. Contact & Data Protection Officer

For any privacy-related concerns, questions, or requests, please contact us:

For data subjects in the EU, you have the right to lodge a complaint with your local supervisory authority if you believe your privacy rights have been violated.