Security and data protection

Do you have access to our data?

Let's look at this question in terms of three main data types:

Your internal corporate data

We deliberately maintain very little access to your corporate data. In fact, we have no access to information stored within your Microsoft environment. We cannot see or change anything in your Microsoft data stores, including OneDrive for Business, SharePoint Online, or Microsoft Teams. Your internal data remains under your control and within your security boundary.

From an internal access perspective, Cloud Drive Mapper (CDM) uses delegated Microsoft Entra ID enterprise application permissions, meaning the only people who can use CDM to access your tenancy data are your users. Technically, your users can't do anything new with CDM that they cannot do via a web browser or the OneDrive Sync client.

Your personal data

As a service provider, IAM Cloud is a Data Processor; we ingest and process a minimal amount of personal data supplied by you (the Data Controller) to support our services. The CDM cloud service itself does not process or store personal data. However, we may use personal data in the following ways:

• We validate the legitimacy of each user via their Microsoft 365 UPN/email address. Once processed, this data is immediately deleted and never persisted in our systems or logs

• Iris uses both name and email addresses to identify admins. If you don't wish to submit Personally Identifiable Information (PII) as part of your customer setup in Iris, then you can use generic identifiers like IT Admin

By minimizing personal data usage as much as possible, we also aim to control the risk of data breach: less personal data, less risk of exposure, and less impact of compromise. Our Data Protection Agreement provides further details on personal data usage and processing.

Your service or application-generated data

Access to the remaining service-related data within our cloud systems is limited to a very small number of IAM Cloud support personnel and senior operations staff. This data relates to your organization and tenancy and includes your organization name, cloud drive names, and URLs. We follow a role-based access control (RBAC) model that conforms to the principle of least privilege. Access to production resources is conditional on multifactor authentication (MFA) and a secure VPN connection.

Is my data encrypted?

We protect your data in the following ways:

Data exchanged with Microsoft

Similar to a web browser, CDM establishes a private, secure HTTPS connection with Microsoft 365. We use Transport Layer Security (TLS) 1.2 to encrypt traffic traveling over this connection.

Data exchanged with the CDM cloud service

Application data transmitted between the CDM client and our Azure-hosted cloud is also protected using a TLS-encrypted HTTPS connection. In addition, we have implemented client-side column layer encryption using the SQL Always Encrypted feature. This automatically encrypts sensitive data fields (authentication and connection information), adding further protection against network threats.

Data at rest within the IAM Cloud perimeter

IAM Cloud uses Microsoft Azure SQL for database operations. Data at rest is protected using an industry-standard AES algorithm applied using the MS-managed Transparent Data Encryption service.

Data in motion within the IAM Cloud perimeter

Data traveling within a geographic region or across regions (non-PII) is encrypted using TLS 1.2 at a minimum.

Are you GDPR compliant?

Our data protection concept conforms to the requirements of the EU GDPR and country-specific legislation such as the UK Data Protection Act. We have strict data architecture principles, meaning the minimal amount of personal data we collect remains in the region of origin, including during potential Disaster Recovery events. As the Data Controller, submission of personal data remains entirely at your discretion, and this data is used by Iris only. Our Data Protection Agreement and data protection measures apply to all our customers, irrespective of their location.