PosturIQ Privacy Policy
Last updated: May 29, 2026
1. Who We Are
PosturIQ is a SaaS security posture management service that helps organizations monitor and improve the security of their Microsoft 365 environment and endpoint devices.
PosturIQ is operated by [Company name], a company registered in Finland (Business ID: [Y-tunnus]).
Our role under GDPR:
- PosturIQ is the data controller for account and authentication data (email addresses, login events, session data) - we determine how this data is processed to provide the Service.
- PosturIQ is the data processor for your organization's security scan data, device data, and findings - we process this data on your behalf under the Data Processing Agreement.
We have assessed that a Data Protection Officer (DPO) is not required under GDPR Article 37, as our core activity is not large-scale monitoring of individuals. For privacy inquiries, contact us at the address below.
The Service is intended for business use and is not directed at individuals under 16 years of age.
2. Data We Collect
- Account information - email address and identifiers from your Microsoft work or school account, used for authentication.
- Organization information - name, domain, country, and subscription details.
- Security scan results - configuration assessments and findings for your Microsoft 365 environment and endpoint devices. Security scores are generated by PosturIQ based on these assessments.
- Device information - hostname, local username, operating system version, and security posture of enrolled devices.
- Usage data - timestamps of scans and logins, page views, and client-side performance telemetry. No advertising or third-party tracking cookies are used. See §13 for details on cookies and §7a for telemetry.
3. Legal Basis for Processing (GDPR Article 6)
For data where PosturIQ is the data controller:
| Data Category | Legal Basis | Justification |
|---|---|---|
| Account information | Contract performance (Art. 6(1)(b)) | Required to authenticate users and provide the Service |
| Usage data (login timestamps) | Legitimate interest (Art. 6(1)(f)) | Service operation, security, and reliability |
For data where PosturIQ is the data processor (organization data, scan results, device data), the legal basis is determined by your organization as the data controller. Our processing is governed by the Data Processing Agreement.
4. How We Use Your Data
- To perform security assessments and generate scores, reports, and trend analysis for your organization.
- To authenticate users and manage access within your organization.
- To operate, maintain, and improve the service.
We do not sell, rent, or share your data with third parties for marketing purposes.
5. Microsoft 365 Permissions
To perform security assessments, PosturIQ requests the following Microsoft Graph API permissions from your tenant. These permissions are necessary to conduct the assessment and require admin consent:
| Permission | Purpose |
|---|---|
| User.Read.All | Enumerate users, check license assignments and sign-in activity |
| Directory.Read.All | Read directory roles, role members, and service principal configuration |
| Policy.Read.All | Assess conditional access policies, security defaults, and authentication methods |
| Reports.Read.All | Retrieve MFA registration status |
| SharePointTenantSettings.Read.All | Evaluate sharing and collaboration settings |
| Application.Read.All | Review OAuth app grants and third-party app permissions |
| AuditLog.Read.All | Analyze user sign-in activity patterns |
| Exchange.ManageAsApp | Read Exchange Online configuration (email security policies) |
PosturIQ only performs read operations and does not modify your Microsoft 365 configuration. You can revoke these permissions at any time via the Microsoft Entra admin portal.
6. Authentication
PosturIQ uses Microsoft Entra ID (OAuth 2.0) for authentication. We do not store your Microsoft password. Session tokens are signed server-side, valid for 12 hours, and transmitted over HTTPS only.
7. Data Storage & Security
- All data is encrypted in transit and at rest.
- All data is stored and processed in the European Union (West Europe and North Europe Azure regions), regardless of where you are located.
- Access to production systems is restricted and monitored.
- All connections to the service are secured via HTTPS.
7a. Telemetry & Performance Monitoring
PosturIQ uses Azure Monitor Application Insights (a Microsoft service) for application performance monitoring and error diagnostics. This service receives:
- Page view events (URL, load time).
- Server-side error and performance traces.
- Authenticated user context: your email address and organization name, used to correlate telemetry with specific accounts for support and debugging purposes.
No tracking cookies are set by Application Insights (cookie collection is explicitly disabled). Telemetry data is stored in the EU and is subject to Microsoft's data processing terms. See our Sub-processor List.
8. International Data Transfers
If you are located outside the European Union, your data is transferred to and processed in the EU. The EU provides strong data protection standards. By using the Service, you acknowledge this transfer.
If you are located in the EU/EEA and your data is accessed from outside the EU (e.g., for support purposes), appropriate safeguards such as Standard Contractual Clauses (SCCs) will be in place.
9. Data Retention
- Organization and scan data is retained for as long as your account is active.
- When an organization is deleted, all associated user data, device data, scan results, and findings are permanently removed.
- We retain a minimal record of the organization's tenant identifier to prevent abuse of free trial offers. This record contains no personal data about individual users.
- We maintain an audit log of key account events (terms acceptance, consent grants, account deletions, billing events) for legal compliance purposes. This log stores a one-way cryptographic hash of your email address - not the email itself - so that acceptance can be verified if needed, but the log cannot be used to identify individuals on its own. This audit log is retained indefinitely and is not deleted when your account is removed.
10. Data Sharing
We may disclose data only when required by law or to protect the security of the service. No data is shared with third parties for commercial purposes. We do not sell your personal information. A list of sub-processors is maintained in our Sub-processor List.
11. Automated Processing
PosturIQ uses automated processing to generate security scores and grades based on configuration assessments. These scores are informational only and do not produce legal effects or similarly significant decisions about individuals. A passing score does not guarantee that your environment is secure. See our Terms of Service for full disclaimers.
12. Your Rights
For all users
Regardless of your location, you may:
- Request access to the personal data we hold about you.
- Request deletion of your personal data.
- Request correction of inaccurate data.
- Additionally, organization owners can remove users and devices directly from within the Service.
Additional rights for EU/EEA users (GDPR)
- Restrict processing (Art. 18)
- Data portability - receive your data in a structured format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) at tietosuoja.fi
Additional rights for California residents (CCPA/CPRA)
- Right to know what personal information we collect and how it is used.
- Right to delete your personal information.
- Right to opt-out of sale - we do not sell your personal information.
- Right to non-discrimination - we will not discriminate against you for exercising your rights.
- PosturIQ does not use personal information for profiling or targeted advertising.
Additional rights for UK users
You have equivalent rights under the UK GDPR. You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
13. Cookies
PosturIQ uses a single essential session cookie (session_token) to keep you signed in. It is HTTPS-only, not accessible to JavaScript, and expires after 12 hours. We do not use advertising, analytics, or third-party tracking cookies of any kind.
14. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated through the service.
15. Contact
For privacy-related questions, contact us at privacy@posturiq.com.
For general support, contact us at support@posturiq.com.