How We Protect Your Data
Praxis Navigator connects to your Microsoft 365 environment via the Microsoft Graph API to analyze employee security behaviors. We request read-only access to behavioral metadata. We do not modify your data, access message contents, or store credentials.
This page describes the security architecture, encryption, access controls, and operational practices that protect your information.
Architecture
How it works
Praxis Navigator requests read-only access to your Microsoft 365 tenant through the Microsoft Graph API. We analyze behavioral metadata — patterns like file sharing frequency, external collaboration, and email routing — to build security behavior baselines. The analysis runs on Microsoft Azure infrastructure, and results are presented in the Praxis Navigator dashboard.
What we don't do
- We do not read email content or message bodies
- We do not access file contents
- We do not store user passwords or credentials
- We do not modify any data in your Microsoft 365 environment
- We do not send emails, messages, or notifications to your employees
Encryption
Data in transit
All communications between your Microsoft 365 tenant, the Praxis processing layer, and your browser are encrypted using TLS 1.2 or higher. API calls to Microsoft Graph use Microsoft's standard OAuth 2.0 authentication flow over HTTPS.
Data at rest
All customer data stored in the Praxis platform is encrypted at rest using AES-256 encryption. Encryption keys for storage and database services are managed by Microsoft (Microsoft-managed keys). Secrets and sensitive configuration are stored in Azure Key Vault with HSM-backed protection.
Infrastructure
Praxis Navigator is hosted entirely on Microsoft Azure.
| Element | Detail |
|---|---|
| Cloud provider | Microsoft Azure |
| Available regions | North Europe (Ireland) |
| Data residency | Customer data is processed and stored within the Azure region selected during setup. |
| Self-hosted infrastructure | None. Praxis does not operate on-premises servers or private data centers. All infrastructure is Azure-managed. |
Access Controls
Customer data access at Praxis
Access to customer data within Praxis Security Labs is restricted on a need-to-know basis.
- Only authorized engineering and support personnel can access customer environments, and only for the purpose of troubleshooting or support requests initiated by the customer.
- All access to customer data is logged and auditable.
- Access to infrastructure is provisioned through Azure RBAC with managed identities for service-to-service communication. Credentials are stored in Azure Key Vault and rotated at minimum annually.
- All team members use multi-factor authentication for Azure Portal, GitHub, and Microsoft 365.
Customer-side access
Access to the Praxis Navigator dashboard is managed through Microsoft Entra ID (Azure AD) security groups. Your administrators control who has access by managing group membership in your own Entra ID tenant. See Technical Specifications for details.
Vulnerability Management
- Dependencies are monitored for known vulnerabilities using Dependabot, with automated pull requests for affected packages across all repositories.
- GitHub secret scanning is enabled on all repositories. Commits containing credentials are blocked before push.
- All deployments pass a 4-layer validation suite (build, logs, algorithms, error scenarios) before reaching production.
Incident Response
Praxis Security Labs maintains an incident response process to detect, contain, and resolve security incidents.
| Element | Commitment |
|---|---|
| Detection | Automated monitoring via Application Insights alerts, active health-check polling, and dead-letter queue monitoring. Manual detection through team observation and customer reports. |
| Customer notification | For critical incidents (SEV-1), affected customers are notified within 24 hours of confirmation. For incidents involving personal data, notification is provided within 72 hours, in line with GDPR Article 33. |
| Communication channel | Email to the customer's registered admin contact. Legal review by external board member for all critical incidents before notification is sent. |
| Post-incident | Post-incident review conducted within 5 business days of resolution. Root cause analysis shared with affected customers upon request. |
Employee Security
- All team members use company-owned devices with full disk encryption (FileVault) and host-based firewalls enabled.
- Multi-factor authentication is required for all critical services, including Azure Portal, GitHub, and Microsoft 365.
- Team members attest compliance with the endpoint security policy at onboarding, when setting up a new device, and during semi-annual policy reviews.
- Access to all internal systems, including Azure, GitHub, and Microsoft 365, is revoked immediately upon an employee's departure.
Questions
If you have security questions not covered here, or need to conduct a security review, contact us.
For downloadable security documentation, including our security whitepaper and pre-filled security questionnaires, visit Downloads & Resources.