Privacy Policy

Last updated: March 2026

The Short Version

VaultGuard360 deploys as an Azure Managed Application in your Azure subscription. Your configuration and monitoring data are stored in your tenant. Alert notifications are sent only to destinations you configure (email addresses, webhook URLs). We do not actively collect, transmit, or store your Azure data on our own systems.

Sentinel Vault Systems LLC (“we”, “us”, “our”) respects your privacy. This Privacy Policy explains how we handle information when you visit our websites or use VaultGuard360, our Azure Key Vault expiration monitoring product.

1. How VaultGuard360 Works (the Managed Application Model)

VaultGuard360 is sold through the Azure Marketplace and deploys as an Azure Managed Application. This means:

  • All resources (the Function App, Storage Account, Application Insights, and Azure Communication Services) are created inside your Azure subscription, in a managed resource group.
  • Your configuration and scan data are stored in your Azure tenant. We do not operate servers that receive or store your product data.
  • You own all data produced by VaultGuard360. If you delete the managed application, Azure permanently deletes the entire managed resource group and all data within it.

1.1 Publisher Access to the Managed Resource Group

Azure grants us, as the publisher, Contributor-level access to the managed resource group where VaultGuard360 is deployed. This is standard for Azure Managed Applications and is required so that we can deploy application updates and provide support.

What this access allows (technically):

  • Deploy application updates to the Function App
  • View resource health, configuration, and diagnostic logs
  • Access Azure Table Storage, Application Insights, and other resources in the managed resource group

What we commit to:

  • We use this access only for deploying updates and providing support when you request it.
  • We do not routinely access, read, or export your Table Storage data (scan results, configuration, routing rules, or audit logs).
  • We do not access your Application Insights telemetry or Log Analytics data.
  • We do not monitor or review your notification configuration (email addresses, webhook URLs).

What we cannot do (technical limitation):

  • Access your Key Vault contents. The managed identity used by VaultGuard360 has Reader and Key Vault Reader RBAC roles, which can only list item metadata (names and expiry dates). These roles cannot retrieve secret values, certificate contents, or cryptographic key material. Our publisher access to the managed resource group does not grant us any access to your Key Vaults — those are outside the managed resource group.

2. Data VaultGuard360 Processes (Within Your Tenant)

Important distinction: VaultGuard360 processes data locally within your Azure subscription. It does not transmit this data to Sentinel Vault Systems. “Processing” here means the application reads, analyzes, and stores data entirely within the resources running in your Azure tenant.

2.1 Key Vault Scan Metadata

VaultGuard360 scans your Azure Key Vaults to identify expiring items. The scanner reads only metadata — specifically:

  • Item names, item types, and expiry dates
  • Vault names and URLs
  • Subscription IDs, display names, and resource group names

VaultGuard360 never reads secret values, certificate contents, or cryptographic key material. The application uses the Azure SDK's metadata-only listing methods and never calls value-retrieval APIs.

2.2 Outbound Notifications (Data That Leaves Your Tenant)

When VaultGuard360 sends expiration alerts, the following metadata is included: item type, item name, vault name, subscription ID and name, resource group name, expiry date, days remaining, and a link to the item in the Azure Portal. Secret values, certificate contents, and key material are never included.

This metadata is sent to the destinations you configure:

  • Email recipients: via Azure Communication Services (ACS) in your managed resource group or an SMTP relay you configure. ACS email tracking is explicitly disabled.
  • Microsoft Teams: Adaptive Card messages sent to workflow webhook URLs you provide.
  • Slack: Messages sent to incoming webhook URLs you provide.
  • PagerDuty: Events sent via PagerDuty's Events API using a routing key you provide.
  • ServiceNow: Incidents created via your instance URL using credentials you provide.
  • Generic webhooks: JSON payloads sent to any endpoint URL you provide, optionally signed with HMAC.

You control which notification channels are active and which destinations receive alerts. No notifications are sent to Sentinel Vault Systems.

2.3 Notification Configuration Stored in Your Tenant

Email provider settings, Teams webhook URLs, webhook channel configuration, alert thresholds, reminder modes, and general settings are stored in your Azure Table Storage (Config table).

2.4 Team Routing Configuration

If you set up team-based routing, VaultGuard360 stores team names, subscription-to-team mappings, per-team notification email addresses, and per-team webhook URLs in the SubscriptionRouting table in your Azure Storage Account.

2.5 Notification Tracking

To prevent duplicate alerts, VaultGuard360 tracks which notifications have been sent using item identifiers (a one-way hash), expiry dates, notification dates, and threshold levels. This data is stored in Azure Table Storage within your subscription.

2.6 Audit Logs

VaultGuard360 records configuration changes and scan events in an AuditLog table in your Azure Storage Account, including event type, timestamp, correlation ID, event details, and Function App name.

2.7 Application Insights Telemetry

VaultGuard360 is deployed with an Application Insights instance in your managed resource group. This collects standard Azure telemetry (HTTP request logs, dependency calls, exceptions, performance metrics). The workspace is owned by your subscription. We do not actively collect telemetry from your deployment.

2.8 Authentication Data

VaultGuard360 uses Azure Active Directory (Entra ID) authentication via Azure App Service's built-in authentication (EasyAuth). Your identity information is read from the Azure-provided authentication header and used only to verify your identity. It is not stored persistently by VaultGuard360.

2.9 Trial Status

For trial deployments, VaultGuard360 stores a single timestamp (the trial start date) in your Azure Table Storage. No other trial-related personal data is collected.

2.10 Configuration Export and Import

VaultGuard360 includes a configuration export tool that produces a JSON file containing your settings. For security, the export excludes sensitive fields: Teams webhook URLs, webhook endpoint URLs, HMAC secrets, PagerDuty routing keys, and ServiceNow credentials. The export is available even after trial expiry.

3. Data We Collect Directly (Outside the Product)

3.1 Website Visitors

  • Basic analytics (page views, referrer, country) via privacy-respecting analytics — no cookies required
  • Voluntary information you provide through contact forms or email signups
  • We do not use advertising trackers or sell data to third parties

3.2 Azure Marketplace Billing

Microsoft processes all payments. We receive your subscription status, the tier you selected, and a managed application resource identifier. We do not receive your payment details.

3.3 Publisher Lifecycle Notifications

When you deploy or delete VaultGuard360, Azure sends a lifecycle notification to our publisher webhook service containing the managed application resource identifier, provisioning state, and plan name. We use this solely to configure authentication. This webhook service does not have network access to your Azure subscription. No customer data or personal data is included.

4. Data We Do NOT Collect

  • Secret values, certificate contents, or cryptographic key material from your Key Vaults
  • The contents of your Azure resources beyond Key Vault item metadata
  • Application Insights telemetry from your deployment
  • Personally identifiable information from your Azure AD users (beyond the deploying admin's identity for authentication)
  • Payment or billing details (handled entirely by Microsoft)
  • Email engagement data (open tracking and click tracking are disabled in ACS)

5. How We Use Information

Information we collect directly (Section 3) is used to:

  • Respond to your inquiries and provide customer support
  • Manage your subscription lifecycle (provisioning and deprovisioning)
  • Send product updates and release notes (only if you subscribe to communications)
  • Improve our websites and documentation

We do not use your data for advertising, profiling, or selling to third parties.

6. Information Sharing

We do not sell, trade, or rent your personal information.

We may share information only:

  • With service providers who assist our operations (e.g., website hosting)
  • When required by law or valid legal process
  • To protect our rights, safety, or property

A current list of sub-processors is available upon request at privacy@sentinelvaultsystems.com.

7. Data Security

For data we collect directly

  • All communications use TLS encryption in transit
  • We implement appropriate technical and organizational measures to protect information

For data within VaultGuard360 (in your tenant)

  • Data at rest is protected by Azure Storage encryption (enabled by default)
  • All communication between VaultGuard360 components uses HTTPS
  • Authentication is enforced via Azure AD / Entra ID (EasyAuth)
  • The application uses a user-assigned managed identity with least-privilege RBAC roles (Reader and Key Vault Reader — no write access to your Key Vaults)
  • Content Security Policy headers are applied to the dashboard
  • API request payloads are size-limited and validated to prevent abuse

7.1 Security Incident Notification

In the event of a security breach affecting data we collect directly, we will notify affected customers and applicable supervisory authorities within 72 hours of confirmation. Because VaultGuard360 product data resides in your Azure subscription, a breach of our systems would not expose your in-tenant data.

8. Data Retention and Deletion

8.1 Data in Your Azure Subscription

You control all retention. Scan tracking data, audit logs, and configuration persist in your Azure Table Storage until you delete them or remove the managed application. Application Insights telemetry follows your configured retention period (default 90 days).

8.2 Data Deletion on Termination

When you cancel your VaultGuard360 subscription or delete the managed application, Azure automatically and permanently deletes the entire managed resource group and all data within it. This deletion is permanent and irreversible. We strongly recommend using the built-in export tool to save your configuration before cancelling.

8.3 Data We Collect Directly

  • Lifecycle notification mappings are deleted when the associated deployment is removed.
  • Website analytics are retained according to our analytics provider's retention policy.
  • Contact form submissions are retained as long as necessary to respond or as required by law.

9. Your Rights

For all users

  • Request access to personal information we hold about you
  • Request correction or deletion of your personal information
  • Opt out of marketing communications

For EU/EEA residents (GDPR)

  • Right to data portability
  • Right to restrict processing
  • Right to object to processing
  • Right to lodge a complaint with a supervisory authority

For California residents (CCPA)

  • Right to know what personal information is collected, used, and shared
  • Right to request deletion of personal information
  • Right to opt out of the sale of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising your privacy rights

Because VaultGuard360 data resides in your Azure subscription under your control, you can access, export, or delete it at any time through the Azure Portal or VaultGuard360's built-in export tool.

To exercise rights over data we collect directly, contact: privacy@sentinelvaultsystems.com

9.1 Data Processing and Legal Basis

Because VaultGuard360 processes data entirely within your Azure subscription, Sentinel Vault Systems does not act as a data processor for your product data under GDPR. For the limited data we collect directly, we process data on the basis of legitimate interest and contractual necessity. Enterprise customers requiring a Data Processing Agreement may contact us at privacy@sentinelvaultsystems.com.

10. International Data Transfers

Our company is based in the United States. If you are located outside the US, information you provide through our website may be transferred to and processed in the US.

For VaultGuard360: Your data resides in the Azure region you selected during deployment. VaultGuard360 does not transfer your data across regions or to our infrastructure. Azure Communication Services data residency follows the geographic region you select during deployment.

11. Cookies

Our websites use only essential cookies for functionality. We do not use:

  • Advertising cookies
  • Third-party tracking cookies
  • Cross-site tracking

VaultGuard360 itself does not set cookies. Session management cookies are set by Azure App Service's built-in authentication (EasyAuth).

12. Children's Privacy

VaultGuard360 is a business-to-business product designed for IT professionals and is not directed at children under the age of 13 (COPPA) or 16 (GDPR). We do not knowingly collect personal information from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated date. If we make significant changes to how we handle personal information, we will provide notice through our website.

14. Contact

For privacy-related questions or to exercise your rights:

Email: privacy@sentinelvaultsystems.com

Company: Sentinel Vault Systems LLC

Website: sentinelvaultsystems.com