Contents
- Plain-English summary
- Who we are
- What we collect & why
- Legal basis for processing (GDPR Art. 6)
- Sub-processor register
- International transfers
- Retention & deletion
- Your rights (GDPR Art. 15-22)
- Security measures (Art. 32)
- Breach notification (Art. 33)
- Cookies & browser storage
- Changes to this policy
- Data Processing Addendum (Art. 28)
- Contact & data protection inquiries
Looking for our commercial terms (subscription, refunds, liability, governing law)? Those live in the Terms of Service. This page covers privacy and the GDPR DPA.
1. Plain-English summary
SignalBoard scans your Microsoft 365 environment to produce an executive-friendly security scorecard. We read configuration data through Microsoft Graph using delegated permissions granted by your IT admin. We do not collect passwords, tokens, API keys, document contents, or patient data (PHI).
When you save a scan, it is encrypted at rest in Microsoft Azure storage. Saved scans are logically isolated by tenant and access-controlled through Microsoft Entra ID — customer users may only access data associated with their own tenant. You can delete any saved scan at any time from the in-app Cloud audit storage page.
We act as a data processor for the scan data your environment produces. You — the customer organization — are the data controller. The terms in section 13 (DPA) govern that relationship.
What SignalBoard does not do
This list is the fastest way to understand the boundary of the Service. SignalBoard:
- Does not modify any Microsoft 365 settings, policies, or configuration. It is read-only.
- Does not automatically remediate findings. It is advisory; remediation is your IT team or MSP's call.
- Does not access email contents.
- Does not access SharePoint files or libraries.
- Does not access Teams messages, calls, or recordings.
- Does not access OneDrive contents.
- Does not access user passwords or any credential material.
- Does not access customer financial records or accounting data.
- Does not read per-user sign-in history; only aggregate stale-account counts.
- Does not transfer scan data to any generative AI provider for model training or inference. If we change this, it will be disclosed as a sub-processor (section 5) and announced at least 30 days in advance.
- Does not sell, license, or share customer data with third parties for marketing.
Customer data ownership
The Customer retains all right, title, and interest in Customer Data (scan data, attestations, and any content submitted into the Service). No ownership rights in Customer Data are transferred to JJS Partners, LLC or VerityPoint Security. Our rights are limited to what is necessary to provide the Service as described in this document.
Advisory-only scope
SignalBoard provides advisory scoring and reporting only. The Service does not guarantee insurability, cyber insurance policy eligibility, premium reductions, or regulatory compliance. Posture scores, recommendations, and the Underwriting Readiness output are informational and decision-support; they are not a substitute for review by qualified security personnel, brokers, or counsel.
Per-tenant access policy (5 users)
SignalBoard limits each Microsoft 365 tenant to five distinct users who can save scans. A user is identified by Microsoft Entra ID object ID. The first save by a new user occupies a seat; the seat is released when that user has zero remaining scans in cloud storage. A sixth user can sign in and run scans, but their first save attempt fails with a clear message naming the seated users. To free a seat, any signed-in user can open Manage cloud storage and delete all scans saved by the user whose seat should be released. See User Manual section 14 for the operational walkthrough. Customers needing more seats should contact hello@veritypointsecurity.com for an enterprise tier.
HIPAA notice
SignalBoard is not designed to process, store, or analyze protected health information (PHI). Customers should not use the Service to transmit PHI unless a separate Business Associate Agreement (BAA) has been executed with JJS Partners, LLC. Email hello@veritypointsecurity.com to begin that process.
2. Who we are
SignalBoard is a security-scorecard service operated by JJS Partners, LLC, doing business as VerityPoint Security (the "Service Provider").
| Field | Detail |
|---|---|
| Legal entity | JJS Partners, LLC (United States) |
| Brand | VerityPoint Security — SignalBoard |
| General contact | hello@veritypointsecurity.com |
| Privacy / data protection | privacy@veritypointsecurity.com |
| Security inquiries / vulnerability reports | security@veritypointsecurity.com |
| Abuse | abuse@veritypointsecurity.com |
| Marketing site | veritypointsecurity.com |
For visitors and prospective customers on our marketing site, JJS Partners, LLC is the data controller of any personal data you submit (name, work email, company name).
For SignalBoard customers, JJS Partners, LLC is the data processor of the scan data your environment produces. Your organization is the data controller. See section 13.
3. What we collect and why
3.1 Marketing & account data
- Contact data — name, work email, company name — collected when you sign up, request a demo, or contact us. Used to respond to your inquiry and provide the Service.
- Billing data — processed by Stripe Inc. as our payment processor; we receive only enough to recognize your subscription (name, email, last four of card, country). Stripe holds full card data under PCI-DSS.
- Usage telemetry — minimal: Static Web App access logs maintained by Microsoft Azure (IP, request path, status, user agent), retained per Microsoft's policy.
3.2 Scan data (the audit JSON)
When an authorized user in your tenant runs a scan, SignalBoard reads the following configuration data via Microsoft Graph delegated permissions:
- Identity inventory and posture — user counts, admin role assignments, MFA enrollment status, guest counts, stale-account aggregates. Named users appear only for admins and unprotected accounts.
- Device inventory and compliance — Intune-managed devices, encryption state, OS version, compliance status.
- Configuration policies — Conditional Access policies, ASR rules, Intune policies (names & assignments, not document contents).
- Microsoft Secure Score and improvement actions.
- Defender / endpoint health summaries.
- Email domain authentication (SPF / DKIM / DMARC) and domain registrar data.
- Hybrid identity posture (on-premises sync state, federation, device trust types).
3.3 What we never collect
- No passwords, access tokens, refresh tokens, client secrets, or certificates.
- No API keys of any kind.
- No patient health information (PHI), document contents, or files from OneDrive / SharePoint / Teams.
- No per-user sign-in logs — only aggregate stale-account counts.
4. Legal basis for processing (GDPR Article 6)
| Processing activity | Legal basis |
|---|---|
| Provide the SignalBoard Service to a customer organization | Performance of a contract (Art. 6(1)(b)) |
| Respond to inquiries from prospective customers | Legitimate interests (Art. 6(1)(f)) — running our business |
| Send service announcements to customers | Performance of a contract (Art. 6(1)(b)) |
| Process payment via Stripe | Performance of a contract (Art. 6(1)(b)); for Stripe's own anti-fraud, Stripe's legal basis applies |
| Maintain access logs for security and abuse prevention | Legitimate interests (Art. 6(1)(f)) — protecting the Service and other customers |
| Process scan data that contains personal data of your employees | You (the customer / controller) determine the legal basis; we process as your processor under Article 28 (see DPA in section 13) |
5. Sub-processor register
The following third parties may process customer personal data on our behalf. We notify customers of changes via the marketing site at least 30 days before adding a new sub-processor, giving the customer the opportunity to object.
| Sub-processor | Role | Data category | Location | Safeguards |
|---|---|---|---|---|
| Microsoft Corporation (Azure, Entra ID, Microsoft Graph, Functions) |
Hosting & identity infrastructure | Scan data (encrypted at rest); authentication tokens (in transit); usage logs | Default region: East US. EU customers may request EU-region deployment. |
Microsoft Online Services DPA, ISO 27001 / 27018, SOC 2, EU SCCs, Customer Lockbox. |
| Stripe, Inc. (payments) |
Subscription billing & payment processing | Name, billing email, country, card data (held by Stripe) | United States (Stripe global) | PCI-DSS Level 1, Stripe DPA, EU SCCs. |
| Cloudflare, Inc. (DNS & edge proxy for marketing site) |
Domain DNS resolution and CDN for veritypointsecurity.com | IP addresses of visitors to the marketing site | Global edge network | Cloudflare DPA, EU SCCs, ISO 27001. |
We do not transfer scan data to any party other than the sub-processors listed above and the customer organization that owns it.
Generative AI providers
SignalBoard does not currently transfer customer scan data to any generative AI provider (OpenAI, Anthropic, Azure OpenAI, Google Gemini, or others) for model training, fine-tuning, or inference. If we add an AI provider in the future, it will be disclosed in the table above as a sub-processor and announced at least 30 days in advance, with the same right of objection. The in-app "Ask AI" feature is a click-to-copy convenience that prepares a prompt for the user to paste into their own AI tool of choice; no data leaves the browser through that workflow.
6. International transfers
JJS Partners, LLC is based in the United States. By default, scan data and customer account data are stored in Microsoft Azure's East US region.
For customers subject to GDPR or UK GDPR, transfers from the European Economic Area / United Kingdom to the United States rely on:
- The EU Standard Contractual Clauses (Commission Decision 2021/914) where applicable, executed between the customer (as exporter) and JJS Partners (as importer) within the DPA in section 13.
- Microsoft's own SCCs and Data Privacy Framework (DPF) participation for the Azure sub-processor link.
- Stripe's SCCs and PCI-DSS framework for billing data.
EU customers may request deployment to an Azure EU region (typically West Europe or North Europe) at contract execution. The marginal cost is documented in the order form.
7. Retention & deletion
| Data | Retention | Deletion mechanism |
|---|---|---|
| Scan data (encrypted audit blobs) | Retained while your subscription is active. Default retention: 24 months of rolling history (trend continuity for quarterly review cycles). Customer-configurable from 30 days to "until deleted by the customer" via the in-app Cloud audit storage controls. | Delete individually or in bulk from the in-app Cloud audit storage page (immediate). On subscription lapse / termination: 30-day export grace period, then permanent deletion — not recoverable. |
| Customer account record (tenant ID, license status) | Active during your subscription + 12 months after termination for billing reconciliation | Full deletion on written request after the 12-month window. |
| Stripe billing records | Per Stripe's retention policy (typically 7 years for tax / audit) | Subject to Stripe's privacy controls. |
| Marketing inquiries (email, name) | 24 months from last interaction | Opt-out via reply or email request. |
| Azure platform logs | Per Microsoft Online Services Terms | Managed by Microsoft. |
What "permanently deleted" means here
SignalBoard does not maintain off-cluster backups of customer scan data. Once the 30-day grace window closes after a subscription lapse, the encrypted blobs are deleted from Azure Storage and the underlying storage is cycled through Azure's normal de-allocation process. There is no “archive” we can restore from. If you want trend continuity after a renewal, export your data before the grace window expires and re-import it (the “Audit Upload” mechanism, on request) after re-subscribing.
To export everything before a lapse: open the in-app Cloud audit storage page, Select all, and use your browser’s "Save page as" or contact us for a bulk archive.
8. Your rights (GDPR Articles 15-22)
If you are a data subject whose personal data we process (either directly or on behalf of one of our customers), you have the following rights. Send any request to hello@veritypointsecurity.com; we respond within 30 days.
| Right | What it means in practice |
|---|---|
| Access (Art. 15) | Receive a copy of the personal data we hold about you. |
| Rectification (Art. 16) | Correct inaccurate or incomplete data. |
| Erasure / "right to be forgotten" (Art. 17) | Have your data deleted, subject to legal retention exceptions. |
| Restriction (Art. 18) | Have us limit how we use your data while a complaint is resolved. |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format (the SignalBoard audit JSON satisfies this for scan data). |
| Objection (Art. 21) | Object to processing based on legitimate interests; we will stop unless we have compelling overriding grounds. |
| Automated decision-making (Art. 22) | SignalBoard does not make automated decisions producing legal effects. The scorecard is advisory. |
| Lodge a complaint | You may complain to your local supervisory authority. The EU list is at edpb.europa.eu. |
If your personal data appears in a scan because you work for a SignalBoard customer (for example, as a Global Admin), the customer is the controller of that data. We will forward your request to the customer and assist them in fulfilling it.
9. Security overview (Article 32)
The following describes the technical and organizational measures in place at the time of this document. Specific implementation details may evolve; the commitments are: appropriate encryption in transit and at rest, authentication via Microsoft Entra ID, logical tenant isolation, least-privilege permissions, and the organizational controls in this section. The Customer may request our current control description at any time.
- Encryption in transit. TLS 1.2 minimum on all endpoints (Static Web App, Function App, Azure storage). HSTS enabled.
- Encryption at rest. Azure Storage Service Encryption (AES-256, Microsoft-managed keys). A customer-managed key (CMK) tier is on our roadmap.
- Authentication. Microsoft Entra ID (MSAL.js v3, multi-tenant SPA). Delegated permissions only — we do not hold application secrets that could read your tenant in the background.
- Tenant isolation. Saved data is logically isolated by tenant. Access is gated by Microsoft Entra ID; customer users may only access data associated with their own tenant. Server-side controls enforce this on every read, list, and delete operation.
- Least-privilege permissions. SignalBoard requests only the Microsoft Graph scopes needed for the scan (read-only). The list is published in the in-app About > Scope page.
- Code review & testing. Backend changes are reviewed before deployment; we maintain a deployment runbook and dependency policy.
- Access controls. Production access is limited to named personnel and is auditable through Azure.
- Content Security Policy. The dashboard restricts script and connection sources to an allowlist (Microsoft, our API, Stripe).
- No long-term token storage. The session token cache is sessionStorage and is cleared on tab close.
For a current description of controls suitable for procurement / vendor risk review, email security@veritypointsecurity.com.
10. Breach notification (Article 33)
If we become aware of a personal data breach affecting your data, we will notify you in writing without undue delay and in any event within 72 hours of confirmation, with the information required by Article 33(3):
- The nature of the breach (categories of data, approximate number of data subjects and records affected).
- Likely consequences.
- Measures taken or proposed to address it and to mitigate adverse effects.
- Name and contact of the person responsible for handling the incident on our side.
Customers are responsible for notifying their own supervisory authorities and affected data subjects. We will provide reasonable cooperation.
12. Changes to this policy
We will update this page when we change how we handle personal data. The "Effective" date and document version at the top reflect the most recent change. Material changes (new sub-processors, new data categories collected, changes in legal basis) are announced to active customers via email at least 30 days in advance and posted to the marketing site.
13. Data Processing Addendum (Article 28)
This addendum forms part of the Services Agreement between you (the "Customer", acting as Controller) and JJS Partners, LLC d/b/a VerityPoint Security (the "Processor"). It governs the Processor's processing of Personal Data on the Customer's behalf in connection with the SignalBoard service.
13.1 Definitions
"GDPR" means Regulation (EU) 2016/679 and, where applicable, the UK GDPR. "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", and "Data Subject" have the meanings given in Article 4 of the GDPR. "Customer Personal Data" means Personal Data contained in scan data and account data processed by the Processor on the Customer's behalf.
13.2 Subject matter, duration, nature, purpose (Art. 28(3))
- Subject matter: Processing of Customer Personal Data to provide the SignalBoard service.
- Duration: The term of the Services Agreement plus any retention period in section 7 of the Privacy Policy.
- Nature and purpose: Reading Microsoft 365 configuration data through Microsoft Graph; computing posture scores; storing encrypted snapshots; presenting an executive scorecard; supporting trend analysis and insurance attestation workflows.
- Types of Personal Data: Identifiers of named tenant administrators, users flagged as unprotected (e.g., no MFA), user counts, device assignments, role assignments.
- Categories of Data Subjects: The Customer's employees, contractors, and external collaborators with accounts in the Customer's Microsoft 365 tenant.
13.3 Processor obligations
The Processor will:
- Process Customer Personal Data only on documented instructions from the Customer (the Services Agreement, this DPA, and the in-app configuration controls).
- Promptly notify the Customer if, in the Processor's opinion, a Customer instruction infringes the GDPR or other applicable data protection law (Article 28(3)(h)).
- Ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations.
- Implement the technical and organizational measures described in section 9 (Security overview).
- Assist the Customer (insofar as possible) in responding to Data Subject requests under GDPR Articles 15-22.
- Assist the Customer in meeting its obligations under Articles 32-36 (security, breach notification, DPIAs).
- At the Customer's choice, delete or return all Customer Personal Data at the end of the Services Agreement.
- Make available all information necessary to demonstrate compliance with Article 28 and allow for audits as described in section 13.7.
13.4 Sub-processors (Art. 28(2) and 28(4))
The Customer authorizes the Processor to engage the sub-processors listed in section 5. The Processor will notify the Customer of any intended additions or replacements at least 30 days in advance. The Customer may object within 14 days; if the Customer objects, the parties will work in good faith on a resolution, and if none is reached the Customer may terminate the affected portion of the Service with a refund of pre-paid fees.
The Processor remains fully liable for the acts and omissions of its sub-processors as if they were its own.
13.5 International transfers
Where the Customer is established in the EEA, UK, or Switzerland, the EU Standard Contractual Clauses (Module 2 — Controller to Processor; Commission Decision 2021/914) are incorporated by reference into this DPA. The UK International Data Transfer Addendum applies for UK transfers. Docking and SCC clause selections follow the customer's choices in the order form, defaulting as follows: Clause 7 (docking) excluded; Clause 9 option 2 (general written authorization) selected; Clause 11(a) (independent dispute resolution body) excluded; Clause 17 (governing law) Ireland; Clause 18 (jurisdiction) Ireland. A signed copy of the SCCs is provided on request.
13.6 Data Subject requests
If the Processor receives a Data Subject request directly, it will forward the request to the Customer without undue delay and assist the Customer in responding. The Processor will not respond to such a request itself unless legally required to do so or instructed by the Customer.
13.7 Audits
The Processor will make available, on the Customer's written request, the documentation reasonably necessary to demonstrate compliance with this DPA, including SOC / ISO certifications of sub-processors (such as Microsoft Azure) and the Processor's own security descriptions. The Customer may, no more than once per year, conduct an audit limited to information the Processor is contractually able to disclose; an audit may be performed by an independent third-party auditor under appropriate confidentiality obligations. Each party bears its own costs.
13.8 Breach notification
The terms in section 10 apply. The Processor will notify the Customer within 72 hours of confirmation.
13.9 Return or deletion of data (Art. 28(3)(g))
On termination of the Services Agreement, the Customer may, within 30 days, instruct the Processor to either return all Customer Personal Data in a portable format (the SignalBoard audit JSON satisfies this) or delete it. After 30 days, the Processor will delete all Customer Personal Data unless legal obligations require continued retention.
13.10 Liability
Each party's liability under this DPA is subject to the limitation of liability provisions in the Services Agreement. Nothing in this DPA limits a Data Subject's rights against either party under Articles 79 or 82 of the GDPR.
13.11 Order of precedence
In the event of any conflict, the order of precedence is: (i) the EU SCCs (where they apply), (ii) this DPA, (iii) the Services Agreement.
13.12 Execution
This DPA takes effect on acceptance of the Services Agreement and continues for as long as the Processor processes Customer Personal Data. A signed counterpart is available on request to hello@veritypointsecurity.com.
14. Contact & data protection inquiries
| Topic | |
|---|---|
| Privacy / data protection inquiries | privacy@veritypointsecurity.com |
| Signed DPA request | hello@veritypointsecurity.com (subject: "DPA request") |
| Data subject access / erasure / portability requests | privacy@veritypointsecurity.com |
| Security questions / vulnerability reports / vendor risk reviews | security@veritypointsecurity.com |
| Abuse | abuse@veritypointsecurity.com |
| General | hello@veritypointsecurity.com |
Response time: 5 business days for acknowledgment; 30 days for substantive response. Security and breach inquiries are triaged within 1 business day.
We do not currently meet the GDPR Article 37 threshold requiring a designated Data Protection Officer (we are not a public authority and our core activities do not consist of large-scale processing of special-category data). The privacy address above functions as our data protection contact.