Security & architecture

How we actually handle your data

This page is written so a security reviewer can complete most of a vendor assessment without emailing us.

It documents the actual architecture, the actual Microsoft Graph permissions Checkpoint requests and when, the engineering controls in place, how the AI features are governed, and how to report a vulnerability. Nothing here is aspirational marketing copy — where something isn't finished yet, it says so.

Architecture

Your data has one home: your own tenant.

Checkpoint has no backend and no database of its own. There is nowhere for your data to go except the Microsoft 365 tenant it already lives in — compare that to the typical third-party GRC platform, where your risk register and audit findings are copied into someone else's cloud.

How Checkpoint works

Every arrow stays inside the boundary. Checkpoint reads and writes Microsoft Graph and SharePoint as you, the signed-in user — nothing is copied out.

The typical third-party GRC platform

Your risk register, audit findings and control gaps get copied out to the vendor's own database — subject to their breach-notification process, not yours. Not how we work.

Checkpoint permissions

Every Microsoft Graph permission Checkpoint can request — and exactly when.

Consent is staged, not bulk. Sign-in only ever asks for the read-only permissions in Stage 1 below. Every write-capable permission is requested separately, the first time — and only the first time — the feature that needs it is actually used. An administrator consents to each stage explicitly.

Stage 1 — at sign-in

Read-only
Permission Access Purpose
User.Read Read Your own basic profile — who is signed in
Directory.Read.All Read Admin/guest counts, OAuth app consent list, Checkpoint role-group lookup
Policy.Read.All Read Conditional Access policies — MFA coverage, legacy-auth checks
SecurityEvents.Read.All Read Microsoft Secure Score
DeviceManagementManagedDevices.Read.All Read Intune device compliance state
DeviceManagementConfiguration.Read.All Read Whether Intune compliance policies exist
RoleManagement.Read.Directory Read Whether privileged roles use PIM (time-bound) or standing access
IdentityRiskyUser.Read.All Read Risky sign-ins / risky users (Entra ID P2 — skipped gracefully without it)

Stage 2 — first time a register loads or is created

Read + write
Permission Access Purpose
Sites.Manage.All Read / Write Creates and maintains the SharePoint lists that back every Checkpoint register — risks, actions, evidence, vendors, policies, audits

Stage 3 — first click of "Email status update" or "Send questionnaire"

Write (send-only)
Permission Access Purpose
Mail.Send Write (send) Sends email as you, the signed-in user — never a service account

Stage 4 — first use of the AI assistant

Separate resource
Permission Access Purpose
cognitiveservices.azure.com/.default Read (inference call) Bearer token for your own Azure OpenAI resource, in your own tenant — access is Entra RBAC, never an API key

All of the above are delegated permissions — Checkpoint acts as the signed-in user's own account, with their own consented token. There is no application (app-only) permission, no service account, and no admin-consent-only grant anywhere in the interactive app.

Two features outside the core app have their own, separate permission footprints, and are excluded from the claim above by design:

  • Partner Console (for firms managing multiple client tenants) opens its own sign-in and requests two additional delegated, read-only scopes — User.Read and Sites.Read.All — against the partner's own tenant, never a client's.
  • The optional continuous-monitoring add-on (an Azure Function a client can choose to deploy into their own subscription) uses its own app registration with application (app-only) permissions, because it runs unattended with no signed-in user present. It requires separate admin consent, is entirely optional, and is documented on its own in the deployment guide.

Engineering controls

Built like the security tool it claims to be.

Strict Content-Security-Policy

No CDN dependencies, no inline scripts, no unsafe-eval. Every event is bound via addEventListener and delegated data-action attributes — never onclick="" — so an injected inline script has nowhere to execute.

default-src 'self'; script-src 'self';
style-src 'self' 'unsafe-inline'; font-src 'self';
img-src 'self' data:;
connect-src 'self' https://graph.microsoft.com
  https://login.microsoftonline.com
  https://*.openai.azure.com
  https://*.cognitiveservices.azure.com;
object-src 'none'; base-uri 'self'

The Azure OpenAI connect-src entries allow a connection only to whichever resource you provisioned in your tenant — never a Compliance365-hosted endpoint.

Subresource Integrity on every release

Every script Checkpoint ships is content-hashed at build time and served with a matching SRI integrity attribute — if a byte changes anywhere in the delivery path, the browser refuses to run it. The version number is injected from a single source of truth and verified before release, so a build can never silently ship stale or mismatched code.

No backend. No database.

Checkpoint is a static web app. It has no server to breach and no database to exfiltrate, because neither exists. Every register is a SharePoint list; every scan reads Microsoft Graph directly from your browser, signed in as you. Off-boarding costs you nothing — the data was always yours.

Tamper-evident audit logging

Every material action — a control status change, a risk approval, an AI request, a permission stage granted — is written to an append-only audit log stored in your own tenant. It's a record you own and can inspect, not a log sitting in our infrastructure.

AI transparency

Proposes. Never writes.

Checkpoint's AI drafts policy language, evidence descriptions, risk treatment notes and questionnaire answers — grounded in your own registers, never invented. It has no tool or function calling, so it cannot take an action on its own; every response is text plus one line that never changes:

"AI-assisted draft — review before use."

It runs on your own Azure OpenAI resource, provisioned in your tenant and reached with your own Entra ID token — no API key, ever sent to us, and no Compliance365-hosted endpoint in the loop.

The governance rails

  • Your Azure OpenAI, not oursChat completions only, against the resource you provisioned. Access is Entra RBAC on your own subscription — no API key baked into the app.
  • No tool or function callingThe model cannot take an action. It returns text and a disclaimer — never a write, never an API call.
  • Grounded, or it says nothingA fixed system prompt refuses to invent control references, risk IDs, dates or figures not already in your own data.
  • Human approval, every timeEvery draft is presented for review before use — nothing is filed, sent or marked complete without a person explicitly approving it.
  • Never claims an outcomeIt will not state or imply a certification or audit has been passed — that determination belongs to your accredited auditor, always.
  • Audited and rate-limitedEvery AI request is logged to the same audit trail as every other material action, and client-side rate-limited.

More on Checkpoint's AI assistant →

What we don't collect

The shortest way to answer most of a data-handling questionnaire.

No customer data in our database — because we don't operate one for Checkpoint. Every register lives in your SharePoint.

No API keys, ever stored or transmitted. Azure OpenAI access is your own Entra token, requested fresh each time.

No credentials of any kind. Sign-in is Microsoft's own identity platform (MSAL) — we never see, request or store a password.

No server-side logs of your tenant content. There's no server in the request path to log it on.

No advertising or cross-site tracking cookies on this marketing site, and none inside Checkpoint at all.

No reselling or sharing of data with any third party, for any purpose, under any circumstance.

Our analytics stance, plainly

This marketing website — not Checkpoint, which runs no analytics at all — uses three tools, honestly accounted for:

  • Google Analytics 4 and Microsoft Clarity — both consent-gated behind the cookie banner, both configured with IP anonymisation, both blocked entirely until you accept.
  • Apollo.io — identifies the organisation visiting the site from its IP address (company-level, never an individual), so we know which businesses are exploring the site. It is not consent-gated the way the two analytics tools are, on the basis that no individual-level data is collected — we're stating that plainly here rather than leaving it for you to discover.

Full cookie-by-cookie detail, including exact names and expiry periods, is on the cookie policy page.

Found a problem?

Vulnerability disclosure policy

We don't run a paid bug bounty programme. We do take reports seriously, and we won't come after a good-faith researcher who follows this policy.

In scope

  • compliance365.com.au and its subdomains
  • Checkpoint (the console at /checkpoint/) and its demo instance

Out of scope

  • Denial-of-service or volumetric testing against production
  • Social engineering of staff or clients
  • Automated scanning that generates significant load without prior arrangement
  • Any client's own Microsoft 365 tenant data — that's theirs to authorise, not ours

Safe harbour

Good-faith research conducted within this scope, without accessing, modifying or exfiltrating data beyond what's needed to demonstrate the issue, will not result in legal action from us. Stop and report as soon as you've confirmed impact — don't go further than necessary.

How to report

Email info@compliance365.com.au with a description, reproduction steps, and any relevant proof of concept. Encrypt if you'd like — ask and we'll provide a key.

What to expect

  • Acknowledgement within 3 business days
  • An initial severity assessment within 10 business days
  • Ongoing updates as we work through remediation

Coordinated disclosure

We ask for 90 days from your report before any public disclosure, or a timeline we agree together — whichever is sooner is fine by us, but talk to us first.

This policy is also published machine-readably at /.well-known/security.txt.

Still have a question this page didn't answer?

Send it to your security or procurement contact's usual channel, or straight to us.

Email info@compliance365.com.au Explore Checkpoint
Microsoft Teams