# Security Model

Maintained by: Aether365 Team
Audience: Security teams and IT administrators
Scope: Tenant isolation, data protection, and permission model
This page describes how Aether365 protects your data, what access it has to your Microsoft 365 environment, and the architectural decisions made to keep your tenant data safe.
## Authentication and Access

### How Aether365 Accesses Your Tenant
Aether365 accesses your Microsoft 365 tenant as a multi-tenant application registered in Microsoft Entra ID. When you grant admin consent, a service principal is created in your tenant. Aether365 then authenticates using its own application credentials (client ID and client secret), not using any user account credentials.
This means:
- No user passwords are stored
- No delegated permissions are granted
- Access is application-level only, not tied to any individual user
- You can revoke access at any time by removing the service principal from your tenant
### Read-Only by Default
By default, all Microsoft Graph permissions granted to Aether365 are application-level read-only. This is the posture for every connected tenant unless you choose otherwise. A full list is available at aether365.io/security#permissions.
The standard scan connection never requests write permissions, and its Microsoft consent screen shows only read-type permissions.
### Optional Write Access: AI Pilot
AI Pilot is an optional, opt-in capability available on the Pro and Enterprise plans. When you enable it for a tenant, you complete a separate Microsoft consent that grants a scoped set of write permissions, in addition to the read-only scan permissions. AI Pilot uses this write access only to apply fixes you have reviewed and approved, one item at a time. Nothing is changed in your tenant without your per-item approval, and read-only scanning remains the default for any tenant where AI Pilot is not enabled.
### Revoking Access
To revoke Aether365's access to your tenant:
- Open Settings > Connections in the Aether365 dashboard
- Click Disconnect next to the tenant
- Alternatively, in the Microsoft Entra admin center, navigate to Enterprise Applications and delete the Aether365 service principal
Disconnecting removes the connection from Aether365 and stops future scans. Previously collected scan data is retained according to the standard retention policy.
## Data Protection

### Encryption
| Layer | Method |
|---|---|
| Data in transit | TLS 1.2+ (HTTPS everywhere) |
| Data at rest | AES-256 encryption |
| Scan result files | AES-256 server-side encryption |
| Secrets (API credentials) | Encrypted secrets vault (envelope encryption) |
### What Data Is Stored
Aether365 stores:
- Configuration snapshots - The values read from Microsoft Graph during each scan. These are the raw configuration values used to evaluate each check.
- Scan results - Pass, fail, skip status for each check, plus the actual and expected values for failed checks.
- Tenant metadata - Your tenant's Microsoft tenant ID, your account email, plan tier, and connection timestamps.
- Notification settings - Email addresses and Teams webhook URLs you have configured.
Aether365 does not store:
- Email content, calendar data, or any user-generated content
- User passwords or credentials
- Microsoft Graph tokens (access tokens are ephemeral and used only during the scan)
### Data Residency
All data is stored exclusively in our EU data centre (Ireland). No data is replicated outside this region. This applies to:
- Database (scan results, tenant metadata)
- File storage (scan result files)
- Secrets vault (application credentials)
See Data Residency & Privacy for details including our data processing agreement.
## Infrastructure Security

### Zero-Trust Architecture
Every API request requires a valid JWT issued by Aether365's authentication system after Microsoft Entra authentication. The JWT is validated on every request:
- RS256 signature verification against the Aether365 JWKS endpoint
- Token expiry check
- Issuer and audience verification
There are no unauthenticated API endpoints except /public/config (which returns only platform-wide settings like maintenance mode).
### Tenant Isolation
Every database query includes a tenant ID filter derived from the authenticated JWT - not from request parameters. It is architecturally impossible to query another tenant's data through the API.
Scan workloads run in isolated, ephemeral compute environments. Each scan task has:
- No persistent storage
- No cross-tenant network access
- A dedicated service role scoped to the minimum required permissions
- Automatic termination after completion
### Secrets Management
Application credentials (Microsoft Entra client ID and secret) are stored in an encrypted secrets vault. They are:
- Never stored in environment variables
- Never written to logs
- Fetched at runtime and held in memory only for the duration of the scan
- Rotated on a schedule
## Account Security

### Authentication
Aether365 uses Microsoft as the identity provider. You sign in with your Microsoft account via OpenID Connect. No separate Aether365 password exists.
### Multi-Factor Authentication
MFA is enforced by your Microsoft account's conditional access policies. Aether365 inherits whatever MFA requirements your Microsoft tenant enforces.
### Session Management
Access tokens are short-lived JWTs. Refresh tokens are stored in your browser's local storage and rotated on use. Signing out invalidates your session immediately.
### Audit Trail
Every action taken in the Aether365 dashboard or API is recorded in an audit trail: who took the action, when, and from which IP address. See Audit Trail.
## Responsible Disclosure
If you discover a security issue in Aether365, please report it to security@aether365.io. We will acknowledge receipt within 24 hours and aim to resolve critical issues within 72 hours. We do not have a public bug bounty programme at this time but will credit reporters in release notes with their permission.