Cloud Locksmith

Security & Data Handling Policy

How we keep your data and infrastructure secure

1. Authentication

  • OAuth-based authentication via Microsoft
  • HMAC-signed state tokens with expiration (10-minute TTL)
  • CSRF protection using nonce validation
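
The state-token pattern listed above, sketched as an added example; this is not Cloud Locksmith's code. The token layout (payload.signature), HMAC-SHA256, the key handling and all function names are assumptions made for illustration; only the 10-minute TTL comes from this page.

```python
import base64, hashlib, hmac, json, secrets, time

STATE_TTL_SECONDS = 600               # the 10-minute TTL stated above
SECRET_KEY = secrets.token_bytes(32)  # assumption: server-side key, never sent to the browser


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_state(session_nonce, now=None):
    """Build the OAuth `state` value bound to this browser session's nonce."""
    issued = int(time.time() if now is None else now)
    claims = {"nonce": session_nonce, "exp": issued + STATE_TTL_SECONDS}
    payload = json.dumps(claims).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(sig)


def verify_state(state, session_nonce, now=None):
    """Accept the callback only if signature, expiry and nonce all check out."""
    try:
        payload_b64, sig_b64 = state.split(".")
        payload, sig = b64d(payload_b64), b64d(sig_b64)
    except ValueError:  # wrong number of parts or bad base64
        return False
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False
    claims = json.loads(payload)  # parsed only after the MAC has verified
    current = time.time() if now is None else now
    if current >= claims["exp"]:
        return False
    # CSRF check: the signed nonce must equal the one stored for this session
    return hmac.compare_digest(claims["nonce"].encode(), session_nonce.encode())
```
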

2. Data Access Principles

  • Least privilege access
  • Read-only where possible
  • Write actions require explicit triggers

3. Token Handling

  • Access and refresh tokens are encrypted
  • Tokens are never exposed to the frontend

4. Logging & Monitoring

  • All remediation actions are logged
  • Break-glass account usage is monitored
  • Audit trails are maintained

5. Isolation

  • Tenant data is logically isolated
  • No cross-tenant access is permitted

6. Limitations

Cloud Locksmith:

  • Does not replace SOC or SIEM systems
  • Provides configuration-level security insights, not full threat detection

7. Incident Response

We investigate and respond to security incidents affecting our platform.

8. Continuous Improvement

Security practices are continuously improved as the platform evolves.

Contact

To report a security issue, contact support@cloudlocksmith.co