What We Collect, How We Use It, and How Long We Keep It
Praxis Navigator uses the Microsoft Graph API to analyze behavioral metadata from your Microsoft 365 tenant. This page explains exactly what data we access, what we do with it, how long we retain it, and what happens when you leave.
What We Collect
Praxis Navigator requests the following Microsoft Graph API permissions during setup:
All 37 permissions are Application type (not delegated) and read-only. The table below groups them by category. A complete permission-by-permission list with API endpoints is available on our permissions page.
| Category | Permissions | What We Access |
|---|---|---|
| Audit & Sign-in | AuditLog.Read.All | Sign-in activities, authentication logs, and directory audit events |
| Directory & Users | Directory.Read.All, Organization.Read.All, OrgContact.Read.All | User profiles, groups, organizational structure, and contacts |
| Identity Protection | IdentityRiskEvent.Read.All, IdentityRiskyUser.Read.All, RiskPreventionProviders.Read.All | Risk detections, risky sign-ins, and users flagged by Entra ID Protection |
| Security Monitoring | SecurityAlert.Read.All, SecurityEvents.Read.All, SecurityActions.Read.All, SecurityAnalyzedMessage.Read.All, SecurityIdentitiesAccount.Read.All | Security alerts, events, analyzed email metadata, and security identity data |
| Authentication & Policy | AuthenticationContext.Read.All, Policy.Read.All, Reports.Read.All, EventListener.Read.All, IdentityUserFlow.Read.All | Conditional access policies, MFA registration status, and authentication flows |
| Information Protection | InformationProtectionConfig.Read.All, InformationProtectionPolicy.Read.All, ThreatAssessment.Read.All | Data classification labels, protection policies, and threat assessments |
| Compliance | Agreement.Read.All, ResourceSpecificPermissionGrant.Read.All | User agreement acceptances and OAuth permission grants |
| Device & Network | DeviceManagementApps.Read.All, NetworkAccess-Reports.Read.All | Device management audit events and network access reports |
| Usage & Learning | Insights-UserMetric.Read.All, LearningAssignedCourse.Read.All | Collaboration activity metrics and security training completion |
| Administration | DirectoryRecommendations.Read.All, ReportSettings.Read.All, OrgSettings-Microsoft365Install.Read.All | Security recommendations, report settings, and service health |
Important: All permissions are read-only
Praxis Navigator requests read-only access. We do not modify, delete, or create any data in your Microsoft 365 environment.
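For tenant administrators who want to check these claims against what was actually consented, the following added example (not Praxis Navigator's own code) audits exported Microsoft Graph grant data for the three properties stated above: 37 permissions, all Application type, all read-only. The function name, the read-only naming pattern, and the sample records are assumptions made for illustration; the field names follow the Microsoft Graph appRoleAssignment, appRole and oAuth2PermissionGrant resources.

```python
import re

# Claims from this page: 37 permissions, all Application type, all read-only.
EXPECTED_COUNT = 37
# Assumed naming pattern for read-only Graph permissions, e.g. "AuditLog.Read.All".
READ_ONLY = re.compile(r"^[A-Za-z0-9-]+\.Read(\.[A-Za-z]+)?$")

def audit_grants(app_role_assignments, resource_app_roles, delegated_grants,
                 expected_count=EXPECTED_COUNT):
    """Return a list of findings; an empty list means the grant matches the claims.

    app_role_assignments: items from GET /servicePrincipals/{id}/appRoleAssignments
    resource_app_roles:   appRoles of the Microsoft Graph service principal
    delegated_grants:     oauth2PermissionGrants items for the same client
    """
    roles = {r["id"]: r for r in resource_app_roles}
    findings = []
    for assignment in app_role_assignments:
        role = roles.get(assignment["appRoleId"])
        if role is None:
            findings.append(f"unresolved appRoleId {assignment['appRoleId']}")
            continue
        if "Application" not in role.get("allowedMemberTypes", []):
            findings.append(f"{role['value']}: not an Application role")
        if not READ_ONLY.match(role["value"]):
            findings.append(f"{role['value']}: not read-only")
    # Any delegated scope contradicts "Application type (not delegated)".
    for grant in delegated_grants:
        for scope in grant.get("scope", "").split():
            findings.append(f"delegated scope granted: {scope}")
    if len(app_role_assignments) != expected_count:
        findings.append(
            f"{len(app_role_assignments)} app roles granted, expected {expected_count}")
    return findings

# Constructed sample data; the IDs are placeholders, not real Graph role IDs.
SAMPLE_ROLES = [
    {"id": "role-1", "value": "AuditLog.Read.All", "allowedMemberTypes": ["Application"]},
    {"id": "role-2", "value": "NetworkAccess-Reports.Read.All", "allowedMemberTypes": ["Application"]},
    {"id": "role-3", "value": "Directory.ReadWrite.All", "allowedMemberTypes": ["Application"]},
]
SAMPLE_OK = [{"appRoleId": "role-1"}, {"appRoleId": "role-2"}]
SAMPLE_DRIFT = SAMPLE_OK + [{"appRoleId": "role-3"}]

if __name__ == "__main__":
    sample_delegated = [{"scope": "User.Read offline_access"}]
    for finding in audit_grants(SAMPLE_DRIFT, SAMPLE_ROLES, sample_delegated, expected_count=3):
        print(finding)
```

Running the same check on a schedule catches later drift, such as a write permission or a delegated scope added to the service principal after the initial consent.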
Data We Don't Access
We share this list so you know exactly what falls outside our access.
- × Email content — We access metadata (sender, recipient, timestamp) but do not access the body or subject of emails.
- × File content — We access sharing metadata (who shared, with whom, when) but do not open or read file contents.
- × Chat messages — We do not access Teams chat content or call recordings.
- × Passwords or credentials — We do not access, store, or transmit user passwords.
- × Browsing history — We do not track web activity or browser usage.
- × Device data — We do not collect device or endpoint information from your environment.
How Data Is Processed
Raw behavioral metadata is pulled from your Microsoft 365 tenant via the Graph API. This data is processed by our behavioral analysis engine, which identifies patterns, builds rolling baselines, and generates risk indicators. The results are aggregated and presented in the Praxis Navigator dashboard and automated reports.
Analysis results are available at both individual and group level. Administrators can view per-employee risk indicators in the dashboard, as well as aggregated summaries across teams and the organisation. Pre-computed views are generated for standard time periods (7-day, 30-day, 90-day, and quarterly). Analysis results contain employee identifiers (name, email) linked to behavioral scores — no raw email content or file content is stored in analysis output.
Data Retention
| Data Type | Storage Tier | Retention |
|---|---|---|
| Current analytics data | Hot (fast access) | 30 days |
| Recent analytics data | Cool (infrequent access) | 180 days from creation |
| Historical analytics data | Archive | Until subscription ends + 90 days |
Data transitions between storage tiers automatically. When data reaches the end of its retention window, it is permanently deleted through automated lifecycle management.
Microsoft's own data retention
Microsoft retains the raw behavioral data in your tenant for a limited time (typically 90–160 days depending on the data type and your Microsoft 365 license). Praxis Navigator captures and analyzes this data during the retention window. Once Microsoft ages out the raw data, it is no longer available from the Graph API — but your baselines and analysis in Praxis Navigator are preserved according to your tier's retention policy.
Data Deletion
When you cancel your subscription
- Data collection from your Microsoft 365 tenant stops immediately.
- Your data is retained for 90 days after cancellation to allow for reactivation. During this period, your dashboard remains accessible in read-only mode.
- After the 90-day grace period, your entire resource group — including all analytics data, secrets, and logs — is permanently deleted.
- Deletion is confirmed via Azure Activity Log. Written confirmation is available upon request.
Data deletion requests
You may request deletion of your data at any time by contacting us. Deletion requests are fulfilled by deleting your dedicated resource group, which removes all data from our systems. Requests are processed within 30 days.
Data Residency
Praxis Navigator processes and stores your data in the Microsoft Azure region you select during setup.
| Available Regions | Azure Region |
|---|---|
| European Union | North Europe (Ireland) |
Your data is processed and stored within the selected region. Each customer receives a dedicated, isolated set of Azure resources (storage, compute, key vault, monitoring) within their assigned region.
Third-Party Access
- Praxis Security Labs does not sell, rent, or share customer data with third parties for marketing, advertising, or any purpose unrelated to delivering the service.
- A limited number of subprocessors are involved in delivering the service. See our Subprocessor List for details.
- Customer data is not used to train models, improve Praxis products, or for any purpose beyond delivering the service to that specific customer.
Your Role, Our Role
Under GDPR:
| Role | Entity | Meaning |
|---|---|---|
| Data Controller | You (the customer) | You determine the purposes and means of processing employee data. You decide to use Praxis Navigator and what to do with the insights. |
| Data Processor | Praxis Security Labs | We process data on your behalf, according to your instructions, as defined in our Data Processing Agreement. |
A Data Processing Agreement (DPA) is available on our Resources page. We recommend executing a DPA before onboarding.
Questions
If you have questions about how we handle your data, contact us.