How Wintive protects your data and your Microsoft 365 environment, and how we secure our own systems.
Our security approach
Security at Wintive has two sides, and this page covers both: how we secure our own platform — the same for every customer, whatever you buy — and the security outcome you get, which depends on the product you choose. We hold ourselves to the same standards we help customers meet: least privilege, data minimization, and defense in depth.
What security you get with each product
Our own platform is secured the same way for everyone (see below). What changes with your product is the security outcome for your Microsoft 365:
- M365 Instant Audit — a read-only assessment. We connect with read-only permissions, change nothing, and deliver a report of your security gaps — MFA, external sharing, licensing, and configuration risks. Your report is delivered as a private link, encrypted in transit with TLS, that expires after 30 days and is limited to five downloads. You get the visibility, and you apply the fixes.
- M365 Master Audit — done-for-you remediation. We fix the gaps and harden your environment to the Wintive baseline, mapped to SOC 2, NIST CSF, HIPAA, and the CIS Microsoft 365 Benchmark. At completion, your environment meets that baseline. Your remediation report is delivered the same way — a private link over TLS, expiring after 30 days, limited to five downloads.
- M365 Managed Plans — ongoing protection. We keep your environment at that baseline over time with continuous management, monitoring, and remediation, so your posture does not drift. The privileged credentials we use to manage your tenant are protected with FIDO2 hardware-key MFA, held in our geo-redundant vaults, and backed by a break-glass emergency-access account.
How we secure our own platform
These controls are the same for every customer, whatever product you use.
Data we access
The M365 Instant Audit connects to your Microsoft 365 tenant with read-only permissions and never modifies any setting — it only reads the security and configuration signals needed to produce your report. Our done-for-you services — the M365 Master Audit (remediation) and M365 Managed Plans (ongoing management) — make changes only with your authorization.
Authentication and credentials
Wintive holds no standing access to your Microsoft 365. Every connection is application-only and minted fresh for a single audit run. We store no refresh tokens and keep no access tokens — the moment a run finishes, there is no key, token, or session to your tenant left anywhere in our systems.
The credentials our services use — API keys, service secrets, and certificates — are unlocked from our geo-redundant vaults straight into memory (RAM) at runtime and are never written to disk. They exist only while a process is running and are gone the instant it stops, so a lost, stolen, or compromised disk holds no usable credential — no plaintext key, password, or token. Human access to our systems is gated by FIDO2 hardware-key multi-factor authentication, and the master keys that anchor our vaults are kept in a separate root of trust, entirely off our servers.
Encryption in transit and at rest
All traffic between you, Wintive, and Microsoft 365 is encrypted in transit using TLS.
Your audit report is also encrypted at rest. Once generated, the PDF is stored in a private Microsoft Azure Blob container, encrypted at rest with 256-bit AES using Microsoft-managed keys, and held redundantly within a United States region (East US). The container is not publicly reachable — there is no public URL and no shared-access token — and your report is released only through the private, expiring link described below.
Report delivery and retention
Audit reports are delivered as private links — never as email attachments, and never left on a public URL. Report links expire after 30 days and are limited to five downloads; the report itself lives in the private, encrypted store described above. We minimize the data we retain.
Hosting and sub-processors
Our services run on established cloud infrastructure, hardened to a least-exposure posture: our audit services are not reachable directly from the public internet — they sit behind an outbound-only encrypted tunnel and a default-deny firewall. The third parties we rely on are listed on our sub-processors page.
Resilience and recovery
Our infrastructure is defined as code, kept separate from data, and privately backed up in GitHub — so our entire environment can be rebuilt from a known-good state. We maintain disaster-recovery plans for outages and hardware failure: configuration and data are backed up daily to geographically separate storage with multi-version retention, and our root of trust is held off-server — so services can be re-provisioned and restored without depending on any single machine. Every service runs in its own isolated Docker container, separated from the host operating system, so a fault or compromise in one service is contained rather than spreading — and any service can be rebuilt or replaced quickly, which speeds recovery.
Microsoft verified publisher
Wintive is a verified Microsoft publisher and a Microsoft Partner — and you can confirm it yourself. When you grant consent, the Microsoft consent dialog shows our verified-publisher status and lists the exact permissions the app requests, so you can see they are read-only before you approve. Our listing is public on Microsoft AppSource.
Independent verification
We would rather you verify than take our word for it. Our publisher status is verified by Microsoft and shown on the consent screen; the permissions we request are listed for you before you approve, so you can confirm they are read-only; and your own Microsoft 365 audit logs record our access, so you can see for yourself that the audit changed nothing. Our transport encryption (TLS) can be tested independently. For the operational controls described above, we provide documentation on request.
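One way to run the read-only check on your own tenant after consent, as an added example (not Wintive's code): resolve the application permissions actually granted to the app's service principal and flag anything that is not read-only. The role IDs and the permission list are constructed sample data, not the permissions Wintive requests; substitute the two Microsoft Graph exports named in the comments.

```python
import json

# Constructed export, not Wintive's real permission list. Source calls:
#   GET /servicePrincipals/{app-sp-id}/appRoleAssignments
#   GET /servicePrincipals/{graph-sp-id}?$select=appRoles
GRAPH_APP_ROLES = json.loads("""[
  {"id": "00000000-0000-0000-0000-000000000001", "value": "Directory.Read.All"},
  {"id": "00000000-0000-0000-0000-000000000002", "value": "Policy.Read.All"},
  {"id": "00000000-0000-0000-0000-000000000003", "value": "Reports.Read.All"},
  {"id": "00000000-0000-0000-0000-000000000004", "value": "User.ReadWrite.All"}
]""")
ASSIGNMENTS = json.loads("""[
  {"appRoleId": "00000000-0000-0000-0000-000000000001", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "00000000-0000-0000-0000-000000000002", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "00000000-0000-0000-0000-000000000003", "resourceDisplayName": "Microsoft Graph"}
]""")

# Graph permission names follow Resource.Action[.Constraint]; only these
# actions are treated as read-only. Anything else is flagged (fail closed).
READ_ONLY_ACTIONS = {"Read", "ReadBasic"}

def is_read_only(permission):
    parts = permission.split(".")
    return len(parts) >= 2 and parts[1] in READ_ONLY_ACTIONS

def audit_grants(assignments, app_roles):
    """Resolve granted appRoleIds to names; return (read_only, flagged)."""
    names = {role["id"]: role["value"] for role in app_roles}
    read_only, flagged = [], []
    for grant in assignments:
        name = names.get(grant["appRoleId"])
        if name is not None and is_read_only(name):
            read_only.append(name)
        else:
            # Write-capable permission, or an id that could not be resolved.
            flagged.append(name or "unresolved:" + grant["appRoleId"])
    return sorted(read_only), sorted(flagged)

if __name__ == "__main__":
    ok, flagged = audit_grants(ASSIGNMENTS, GRAPH_APP_ROLES)
    print("read-only:", ok)
    print("flagged:  ", flagged or "none")
```

An empty flagged list means every granted application permission resolved to a read-only action; any entry there is worth reviewing before relying on the read-only claim.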
Reporting a vulnerability
If you believe you have found a security issue, please contact us at security@wintive.com. We appreciate responsible disclosure.