Toolify serves two audiences: organisations that hold Microsoft agreements directly (EA, CSP, and similar), and the partners and consultants who advise them. Both bring sensitive data into this platform — server inventories, license assignments, usage statistics. This page describes exactly how we handle it: what we collect, how it is protected, how long it is retained, and when it is permanently deleted. Nothing is vague by accident.

Platform-wide SOLAR T365
Platform-wide

Infrastructure


Platform-wide

Access & Authentication


Platform-wide

Data Retention & Deletion

Every piece of data on the Toolify platform has a defined end-of-life. Nothing is retained indefinitely without a stated reason. All purge processes are automated and run on a daily schedule.

Day 0
Data ingested Data is collected — via Microsoft Graph API (T365) or file upload (SOLAR) — and processed to produce licensing analysis.
Day 7
Snapshot raw data purged For M365 Snapshot prospects: raw Graph API data is permanently deleted 7 days after the analysis completes. Only aggregate results are retained for benchmarking — no identifying information is kept.
Ongoing
Vault files managed automatically Encrypted analysis output files (written per sync job per client connection) are managed on a rolling schedule to prevent unbounded growth. Per job type, per client: the 4 most recent weekly runs are kept in full; beyond 4 weeks, only the first run of each of the last 2 months is retained; everything older is permanently deleted. At steady state this caps at 6 files per job type per client, regardless of subscription length. When a client connection is removed, all remaining vault files are deleted as part of the 90-day purge cycle.
On removal
Client connection disconnected When a client's Microsoft 365 connection is removed from T365, the connection record is soft-deleted immediately. All associated usage data enters a 90-day retention window before permanent deletion.
+90 days
Account permanently deleted On subscription expiry or cancellation, the account enters a 90-day retention window. At the end of this window, all account data is permanently and irreversibly deleted — rounds, server records, uploaded files on disk, licensing analysis, and client connection data. This runs automatically every day at 03:00.

Platform-wide

GDPR & Data Processing


SOLAR

What SOLAR Collects

SOLAR analyses Windows Server, SQL Server, and System Center licensing. The data it processes is technical infrastructure inventory — it contains no personal data about individuals within your organisation.


SOLAR

Uploaded File Handling


SOLAR

Assessment Round Lifecycle


T365

Microsoft Graph API Access

T365 connects to your Microsoft 365 environment via the Microsoft Graph API using read-only permissions. We request only what is required for licensing and utilisation analysis.

PermissionPurpose
Reports.Read.All Read Microsoft 365 usage reports — mailbox activity, OneDrive usage, Teams activity, ProPlus activations. Required to identify inactive and over-provisioned users.
Directory.Read.All Read directory objects, license assignments, groups, and tenant configuration. Required to map licenses to users and identify service accounts and shared mailboxes.
User.Read.All Read user profile attributes — display name, UPN, account status, sign-in activity. Required for per-user analysis and inactivity detection.
AuditLog.Read.All Read sign-in and audit activity to identify dormant accounts and verify last-activity dates.

All permissions are read-only. T365 performs no write operations — no modifications to user accounts, licenses, groups, policies, or tenant settings.


T365

What T365 Does Not Access

T365 is scoped exclusively to licensing metadata, identity, and service utilisation signals. The following data categories are never accessed, requested, or stored:

Email content
Email attachments
Teams chat messages
Teams channel conversations
Voicemail content
SharePoint documents
OneDrive files
Document contents
Meeting recordings
Meeting transcripts
Calendar content
ERP / CRM data
Financial information
Customer records
Database contents
Business application data

T365

OAuth Token Handling


T365

T365 Data Lifecycle


By exception only Local Delivery Option

For organisations with a genuine regulatory, contractual, or internal policy reason requiring data to remain off external infrastructure, Toolify may offer a local delivery model. This is not a standard offering — it is assessed case-by-case, and approval is not guaranteed.

Where approved, the Toolify platform runs on the consultant's own machine rather than the cloud-hosted infrastructure. For T365, data is retrieved directly from your Microsoft 365 environment via Graph API using your own credentials — it is processed locally and never transits Toolify's servers. For SOLAR, inventory files are shared securely by the client and processed locally in the same way. The output — the analysis and report — is delivered directly to you. No client data is retained on Toolify infrastructure at any point.

Reviewed on request, not guaranteed — pricing on application.  →  Contact us to discuss eligibility

Security questions, vendor assessments, or procurement questionnaires: legal@toolify.io