Security & Data Handling
Toolify serves two audiences: organisations that hold Microsoft agreements directly (EA, CSP, and similar), and the partners and consultants who advise them. Both bring sensitive data into this platform — server inventories, license assignments, usage statistics. This page describes exactly how we handle it: what we collect, how it is protected, how long it is retained, and when it is permanently deleted. Nothing is vague by accident.
Infrastructure
- Data location: All data is stored exclusively on servers in the Netherlands (EU). No data is transferred to or processed outside the EU/EEA under any circumstances.
- Encryption in transit: TLS 1.2 or higher is enforced on all connections. Unencrypted HTTP is rejected at the edge and redirected automatically.
- Encryption at rest: AES-256 encryption is applied to all stored data, including database contents and uploaded files.
- Physical security: Servers are hosted in a GDPR-compliant Dutch datacentre with physical access controls and 24/7 facility monitoring.
- Web server: The platform runs on nginx with PHP-FPM, providing full request isolation, worker pool management, and connection limits appropriate for concurrent production traffic.
- Database: All platform data is stored in PostgreSQL, with user-level access controls, network isolation, and connection auditing enforced at the database level.
- Deployment pipeline: All code changes are deployed via an automated CI/CD pipeline — tested, logged, and traceable, with a full audit trail of what is running in production and when it was deployed.
- Staging environment: All changes are validated in a dedicated pre-production environment before reaching real client data.
- Uptime monitoring: All platform domains are monitored continuously with automated alerting on availability, disk usage, and resource thresholds.
Access & Authentication
- Multi-factor authentication: MFA is enforced for all Toolify team (solar_team) and partner accounts. For end clients, MFA is available and strongly recommended, but remains their own responsibility to configure and enforce within their organisation.
- Least-privilege access: Role-based access control (RBAC) is applied across the platform. Each user role — solar_team, partner, client — is scoped to exactly the data and actions it requires, nothing more.
- Named accounts only: No shared or generic accounts exist. Every access event is attributable to a specific named user.
- Audit logging: All data mutations are written to an append-only audit log including who made the change, when, the previous value, and the stated reason. Logs cannot be edited or deleted.
- Session security: Sessions are invalidated on logout, on account expiry, and on account deletion. Trusted device tokens carry an explicit expiry and are purged automatically on a daily schedule.
Data Retention & Deletion
Every piece of data on the Toolify platform has a defined end-of-life. Nothing is retained indefinitely without a stated reason. All purge processes are automated and run on a daily schedule.
GDPR & Data Processing
- Toolify LLC acts as data processor on behalf of its clients, who remain the data controller. This relationship is governed by the DPA included in our Terms of Service (§11).
- All data is stored and processed within the EU/EEA. No transfers outside the EU/EEA take place.
- We do not engage sub-processors without prior client consent.
- Data subject rights requests (access, correction, deletion) are handled within 30 days. Contact: legal@toolify.io
What SOLAR Collects
SOLAR analyses Windows Server, SQL Server, and System Center licensing. The data it processes is technical infrastructure inventory — it contains no personal data about individuals within your organisation.
- Server names, CPU socket counts, physical core counts
- Operating system names and versions
- SQL Server instance names, editions, and versions
- Virtualisation topology (host, cluster, and VM relationships)
- Licence entitlement records you provide (SA status, coverage dates)
Uploaded File Handling
- Files uploaded to SOLAR (RVTools exports, MAP outputs) are stored encrypted and associated with a specific assessment round.
- Uploaded files are permanently deleted — from both the database and disk — when the associated account is purged after the 90-day retention window.
- Partners and solar_team administrators may manually wipe round data at any time, removing both database records and physical files from disk immediately.
- No uploaded file is ever shared with third parties or used beyond the scope of your own assessment.
Assessment Round Lifecycle
- In-progress rounds: Licensing calculations are computed live on every page load from the current dataset. No pre-computed results are stored during an active round.
- Closed rounds: A frozen snapshot of the licensing result is written once at close. The round becomes read-only. Clients cannot reopen a closed round; administrators can unlock if required.
- Audit trail: Every manual change to assessment data — field edits, scope exclusions, open question answers — is written to an append-only audit log with full before/after values, timestamp, and attributed user. This log is included in PDF exports.
- Round deletion: Rounds are not individually deletable by clients. All round data is permanently removed when the parent account is purged after the 90-day retention window.
Microsoft Graph API Access
T365 connects to your Microsoft 365 environment via the Microsoft Graph API using read-only permissions. We request only what is required for licensing and utilisation analysis.
| Permission | Purpose |
|---|---|
| Reports.Read.All | Read Microsoft 365 usage reports — mailbox activity, OneDrive usage, Teams activity, ProPlus activations. Required to identify inactive and over-provisioned users. |
| Directory.Read.All | Read directory objects, license assignments, groups, and tenant configuration. Required to map licenses to users and identify service accounts and shared mailboxes. |
| User.Read.All | Read user profile attributes — display name, UPN, account status, sign-in activity. Required for per-user analysis and inactivity detection. |
| AuditLog.Read.All | Read sign-in and audit activity to identify dormant accounts and verify last-activity dates. |
All permissions are read-only. T365 performs no write operations — no modifications to user accounts, licenses, groups, policies, or tenant settings.
What T365 Does Not Access
T365 is scoped exclusively to licensing metadata, identity, and service utilisation signals. The following data categories are never accessed, requested, or stored:
OAuth Token Handling
- OAuth tokens are stored encrypted and scoped to the connected organisation only.
- Tokens are used exclusively to pull data during scheduled or manually triggered sync runs — never for any other purpose.
- Your organisation can revoke T365's access at any time through Microsoft Entra ID. Revocation takes effect immediately, with no action required on our side.
- When a client connection is removed from T365, all associated tokens are invalidated and deleted immediately.
T365 Data Lifecycle
- Usage data is refreshed on a weekly automated sync. Each sync replaces the previous dataset for that organisation — historical raw data is not accumulated indefinitely.
- When a client connection is removed, all associated usage data — users, mailbox records, license assignments, spending history, and vault files — is permanently deleted after the 90-day retention window via automated purge.
- Aggregate benchmark statistics derived from the analysis are retained anonymously for platform benchmarking. These contain no identifying information.
For organisations with a genuine regulatory, contractual, or internal policy reason requiring data to remain off external infrastructure, Toolify may offer a local delivery model. This is not a standard offering — it is assessed case-by-case, and approval is not guaranteed.
Where approved, the Toolify platform runs on the consultant's own machine rather than the cloud-hosted infrastructure. For T365, data is retrieved directly from your Microsoft 365 environment via Graph API using your own credentials — it is processed locally and never transits Toolify's servers. For SOLAR, inventory files are shared securely by the client and processed locally in the same way. The output — the analysis and report — is delivered directly to you. No client data is retained on Toolify infrastructure at any point.
Reviewed on request, not guaranteed — pricing on application. → Contact us to discuss eligibility
Security questions, vendor assessments, or procurement questionnaires: legal@toolify.io