Security & Trust

CYBERWHITE protects your data with AES-256 encryption at rest, JWT authentication with HttpOnly cookies, and server-side tenant isolation enforced on every API call.

Our Security Commitments

Encryption

TLS 1.3 in transit, AES-256 at rest

Access Control

Role-based access control with secure authentication

Infrastructure

AWS Sydney (Australia) enterprise cloud hosting

Audit Logging

Every API call and every change is logged with timestamp, actor and tenant ID

Data Privacy

Your data stays yours and is never sold to third parties

Compliance

Built with SOC 2 Type II controls in mind

Microsoft 365 Integration Security

We understand M365 integration security is critical. Here's how we protect your Microsoft environment:

Microsoft OAuth 2.0

Authentication happens directly with Microsoft; we never see or store your Microsoft credentials. You control access through your Azure AD tenant.

You Control Every Change

CYBERWHITE never deploys a policy automatically. Every AutoFix requires a consultant to click deploy on a specific recommendation. Conditional Access policies start in report-only mode for 24-48 hours so you see the impact before enforcing. One-click rollback to the exact prior state, anytime.

Least Privilege Access

We request only the minimum permissions needed for each function. Scanning requires only read access to security configurations. Write permissions are never granted without a separate, deliberate consent step. No access to emails, documents, or personal user data.

Revocable Anytime

You maintain full control. Revoke CYBERWHITE's access at any time through your Azure AD portal; there is no data loss, just disconnection.

Secure Token Storage

OAuth tokens are encrypted at rest and in transit. Read and write tokens are stored separately with independent expiry. Tokens are never logged or exposed in application code.

Admin Consent Required

Only Global Administrators can authorize the M365 connection, ensuring proper oversight and approval workflows in your organization.

Security Features

Encryption at Rest and in Transit: AES-256 encryption at rest, TLS 1.3 for all data in transit
Audit Logging: Activity logs for authentication, data access, and system changes. Events relevant to ISO 27001 and SOC 2 controls are tagged at write time for downstream audit reporting.
Multi-Tenant Data Isolation: Tenant data isolation ensures your data never mixes with other organizations
Daily Automated Backups: Daily encrypted backups with 7-day retention and point-in-time recovery
OAuth Security: Microsoft 365 integration uses OAuth 2.0 with least-privilege scopes. Write permissions are requested at connect but never exercised until a consultant clicks deploy on a specific AutoFix recommendation.
Security-First Development: Secure development practices with code reviews and testing
Audit Log Retention: Tiered retention policies (standard, extended, permanent) for security and compliance audit trails. Customer data deletion available on written request.
Australian Data Sovereignty: All data hosted in AWS Sydney with compliance to Australian privacy laws
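The tenant isolation and audit logging items above describe a pattern rather than an implementation. The following is an added illustration of that pattern, not CYBERWHITE's own code: the tenant scope is taken from the server-side session rather than from anything the client sends, every call writes an audit entry carrying timestamp, actor and tenant ID, and the weak variant (trusting a client-supplied tenant id) is shown beside the hardened one. The data shapes, session fields and action names are assumptions made for the example.

```python
"""Illustrative per-request tenant isolation with an audit record.

Added example, not CYBERWHITE's code. It shows tenant scope derived from
the authenticated session and an audit entry per API call, using
constructed in-memory data. Record and session shapes are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data: assessment rows belonging to two tenants.
ASSESSMENTS = [
    {"id": "a-1", "tenant_id": "tenant-alpha", "score": 72},
    {"id": "a-2", "tenant_id": "tenant-beta", "score": 55},
    {"id": "a-3", "tenant_id": "tenant-alpha", "score": 81},
]


@dataclass
class Session:
    """Authenticated principal. tenant_id is set by the server at login and
    is never read from a request parameter or header."""
    actor: str
    tenant_id: str


@dataclass
class AuditLog:
    """Append-only list of events: timestamp, actor, tenant ID, action, resource."""
    entries: list = field(default_factory=list)

    def record(self, action, session, resource=None):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": session.actor,
            "tenant_id": session.tenant_id,
            "action": action,
            "resource": resource,
        })


class TenantScopeError(PermissionError):
    """Raised when a request reaches for data outside the caller's tenant."""


def list_assessments_weak(requested_tenant):
    """Anti-pattern: trusts a tenant id supplied by the client. A caller who
    changes the parameter reads another organisation's rows."""
    return [a for a in ASSESSMENTS if a["tenant_id"] == requested_tenant]


def list_assessments(session, audit):
    """Hardened: the filter uses the session's tenant; the call is logged."""
    audit.record("assessment.list", session)
    return [a for a in ASSESSMENTS if a["tenant_id"] == session.tenant_id]


def get_assessment(session, audit, assessment_id):
    """Hardened: lookup is keyed on (tenant_id, id), so a record owned by
    another tenant behaves exactly as if it did not exist."""
    audit.record("assessment.get", session, assessment_id)
    for a in ASSESSMENTS:
        if a["id"] == assessment_id and a["tenant_id"] == session.tenant_id:
            return a
    raise TenantScopeError(f"{assessment_id} is not visible to {session.tenant_id}")


def can_access(session, audit, assessment_id):
    """Boolean wrapper around get_assessment for callers that only need a check."""
    try:
        get_assessment(session, audit, assessment_id)
        return True
    except TenantScopeError:
        return False
```

The important design point is that the hardened functions never accept a tenant id as an argument at all: the only way to change scope is to authenticate as a different tenant, which is exactly what "enforced on every API call" should mean in practice.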

Common Security Questions

Can CYBERWHITE modify my Microsoft 365 environment?

Not without your explicit permission. Security scanning is read-only by default. Automated remediation features require a separate consent step where you grant specific write permissions. You can revoke write access at any time without affecting scanning.

Who can see my assessment data?

Only authorized users in your organization. For MSPs, only assigned consultants can access client data. Data is never shared with third parties.

Where is my data stored?

Data is hosted in AWS Sydney, Australia (ap-southeast-2 region) with enterprise-grade security and encryption at rest. This ensures low latency for APAC customers and compliance with Australian data sovereignty requirements.

How do I disconnect M365 integration?

Revoke access anytime through Azure AD Enterprise Applications or within CYBERWHITE settings. Historical assessment data remains until you delete it.

Is CYBERWHITE SOC 2 compliant?

CYBERWHITE is built with SOC 2 Type II controls in mind. Contact us for our current compliance status and documentation.

Australian-Owned and Continuously Hardened

CYBERWHITE is built in Australia, governed by Australian law, and runs an active security-hardening programme on the platform itself.

Australian Entity

ABN 31 598 198 475

Australian Privacy Principles (APPs) compliant. Australian Consumer Law governs the customer agreement.

DSI SMB1001

Licensed commercial holder

Authorised by the Digital Security Institute to deliver SMB1001 assessments and certifications under the DSI 2026 specification.

Hardening Programme

9 of 10 fixes shipped

Continuous security review by Snyk, CodeQL, Semgrep, and ZAP in CI. Most recent: PR #42 added HMAC-verified setup tokens for the welcome-email flow.
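The hardening note mentions HMAC-verified setup tokens without describing them. As an added illustration (not the code from PR #42 or any CYBERWHITE code), the block below shows the general technique: a welcome-link payload is bound to a server-held key with an HMAC, the MAC is compared in constant time before the payload is parsed, and the token is rejected once its expiry passes or if any field has been altered. The payload layout, key source and 24-hour lifetime are assumptions made for the example.

```python
"""Illustrative HMAC-verified, expiring setup token.

Added example, not CYBERWHITE's code. Payload fields, key handling and
TTL are assumptions; the verification order (MAC first, then expiry)
is the part worth copying.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key; a real service loads this from a secrets store.
SERVER_KEY = secrets.token_bytes(32)
DEFAULT_TTL = 24 * 3600  # seconds; assumed lifetime of a welcome-email link


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_setup_token(user_id, tenant_id, key=SERVER_KEY, ttl=DEFAULT_TTL, now=None):
    """Build "<payload>.<mac>" where payload carries subject, tenant, expiry
    and a random nonce so two links for the same user never collide."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "tenant": tenant_id, "exp": now + ttl,
              "nonce": _b64(secrets.token_bytes(8))}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64(payload)}.{_b64(_sign(payload, key))}"


def verify_setup_token(token, key=SERVER_KEY, now=None):
    """Return the claims dict if the MAC is valid and the token is unexpired,
    otherwise None. Malformed input, a wrong key, a modified payload and an
    expired token all fail the same way, so the caller learns nothing extra."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
    except (ValueError, TypeError, AttributeError):  # binascii.Error is a ValueError
        return None
    # Constant-time comparison, and it runs before json.loads touches the payload.
    if not hmac.compare_digest(mac, _sign(payload, key)):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims
```

Checking the MAC before parsing means untrusted bytes never reach the JSON parser, and carrying the expiry inside the signed payload means an attacker cannot extend a link's lifetime without also forging the MAC.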

Questions About Security?

Contact our security team for detailed documentation, compliance reports, or custom security requirements