Back to Home

Privacy Policy

Last updated: 12 January 2026

1. Introduction

Poverud IT ("we", "us", "our") operates TrueConfig, a cloud-based configuration and governance platform for Microsoft Entra ID.

We are committed to protecting personal data and handling it transparently, securely, and in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

This Privacy Policy explains:

  • What data we process
  • Why we process it
  • How it is stored and protected
  • How long it is retained
  • What rights data subjects have

2. Data Controller

Legal entity:
Poverud IT
Country of incorporation:
Norway
Registered address:
Munkegaten 9a, Norway
Operating scope:
Global
Contact for privacy matters:
privacy@trueconfig.io

Poverud IT acts as:

  • Data Controller for account and service usage data
  • Data Processor for customer tenant data processed on behalf of customers

3. Who This Policy Applies To

This policy applies to:

  • IT administrators, security administrators, and CISOs using TrueConfig
  • Employees, contractors, and guest users whose identity data exists in customer Microsoft Entra ID tenants

TrueConfig is not intended for use by children or minors, and we do not knowingly process data relating to children.

4. Personal Data We Process

4.1 Account and Identity Data

We process limited personal data required to operate the service, including:

  • Name
  • Email address
  • Tenant ID
  • User ID

Authentication is performed using Microsoft Entra ID single sign-on or magic link login.

4.2 Microsoft Entra ID Tenant Data

TrueConfig accesses Microsoft Entra ID data only with explicit customer consent via Microsoft Graph.

Depending on enabled features and granted permissions, this may include:

  • Users and user identifiers
  • Groups
  • Administrative roles and assignments
  • Conditional Access policies
  • Application registrations and service principals
  • Sign-in and audit metadata

Important:

TrueConfig reads tenant configuration data and may write or modify configuration only when explicitly approved and initiated by the customer.

Tenant configuration data is:

  • Stored per tenant
  • Logically isolated
  • Never shared across tenants
  • Retained according to the customer's plan (30, 90, or 365 days)

4.3 Authentication Tokens

TrueConfig uses only Microsoft-issued OAuth tokens.

  • Access tokens and refresh tokens are stored encrypted at rest using AES-256-GCM (authenticated encryption).
  • Tokens are scoped per tenant.
  • No tokens are shared across tenants.
  • Tokens are rotated regularly and overwritten.
  • Tokens are never written to logs, traces, or monitoring systems.
  • Tokens are transmitted only over encrypted connections (TLS 1.2+).

Customers can revoke all access at any time by revoking consent in Microsoft Entra ID.

4.4 Logs and Telemetry

TrueConfig collects operational logs necessary to provide the service, including:

  • Application logs
  • Audit logs
  • User activity logs

Logs may include:

  • User ID
  • Tenant ID
  • Device or browser metadata (user agent)
  • IP addresses (for security audit events only)

Logs do not include:

  • Authentication tokens
  • Passwords
  • Sensitive personal data (biometrics, health, etc.)

IP Address Collection for Security

IP addresses and user agents are collected in security audit logs to detect unauthorized access attempts, investigate security incidents, and meet compliance requirements (e.g., SOC 2). This data is retained according to your plan's retention period and is not used for marketing or tracking purposes.

Logs are used solely for service operation, troubleshooting, and security, not for marketing or advertising.

Retention is plan-based: 30, 90, or 365 days. Customers may request log deletion.

4.5 Automation and Remediation Records

When remediation actions occur, TrueConfig records:

  • Before and after configuration state
  • Approval records
  • Actor identity

Remediation logs are immutable and retained for 90 days. Customers can export their remediation history.

5. Analytics and Tracking

TrueConfig does not use third-party marketing analytics or advertising platforms.

Limited behavioral tracking occurs via internal application logs and includes:

  • Page views
  • Feature usage

This tracking is identifiable and used solely to operate, secure, and improve the product. No marketing tracking or advertising pixels are used.

Error Monitoring

TrueConfig uses Sentry for error monitoring and application stability. When errors occur, the following may be collected:

  • Error messages and stack traces
  • Browser and device information
  • Page URL (with sensitive parameters filtered)

Sentry data is used exclusively for debugging and improving application reliability. Authentication tokens, passwords, and other sensitive data are automatically filtered and never sent to Sentry.

6. AI and Automated Decision-Making

TrueConfig does not currently use artificial intelligence or machine learning to process customer data.

  • No customer data is used to train AI models.
  • Any future AI usage will be advisory only and disclosed before use.
  • Claude Code is used solely as a development tool. No customer data is shared with AI services.

7. Data Storage and Security

Data is hosted in the European Union:

Infrastructure provider:
Supabase
Region:
Frankfurt, Germany

Security measures include:

  • Encryption at rest and in transit
  • Logical tenant isolation
  • Restricted and logged access to production systems
  • Regular security reviews and penetration testing
  • Regular backups with 180-day retention

8. Subprocessors

TrueConfig uses the following subprocessors:

ProviderPurposeLocation
SupabaseDatabase and backend hostingFrankfurt, Germany (EU)
VercelApplication hostingFrankfurt, Germany (EU)
ResendTransactional email deliveryEU-compliant
SentryError monitoring and stabilityEU-compliant

All primary infrastructure (database, application hosting) is located in the European Union. Appropriate data processing agreements are in place with all subprocessors.

TrueConfig does not sell or share personal data with third parties for marketing purposes.

9. Data Retention and Deletion

Tenant data is retained according to the customer's subscription plan:

PlanTenant DataAudit Logs
Essential30 days30 days
Pro90 days90 days
Scale365 days365 days

After contract termination: A 30-day grace period applies to allow for data recovery or account reactivation. After this grace period, all tenant data is permanently deleted. Legal obligations may require retention of certain audit records beyond this period.

Automated cleanup: Data retention is enforced automatically via daily cleanup processes that remove data older than the applicable retention period.

Customers may request data export or deletion at any time by contacting privacy@trueconfig.io.

10. Data Subject Rights

Data subjects have the right to:

  • Access their personal data
  • Rectify inaccurate data
  • Request erasure
  • Restrict processing
  • Receive a copy of their data

Requests are handled manually via customer support at privacy@trueconfig.io.

11. Incident Response and Breach Notification

TrueConfig maintains an incident response plan.

In the event of a personal data breach:

  • Customers will be notified within 72 hours of becoming aware
  • Notification will be sent via email to the account owner

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to customers.

13. Contact

For privacy or data protection questions, contact:

Email:
privacy@trueconfig.io
Company:
Poverud IT
Address:
Munkegaten 9a, Norway