Last updated: March 2026
This page documents exactly what ButWhy.Cloud queries, what we do with the data, and what we commit to never doing. It exists so that you and your security team can make a fully informed decision before granting consent.
Every security check queries a specific, documented Microsoft Graph API or Azure Resource Manager endpoint. We do not make exploratory queries, fetch additional context, or access any endpoint not listed in our check definitions. The complete list of endpoints is published on our checks page and can be reviewed by anyone before consenting to a scan.
We do not perform bulk data exports, data dumps, or pagination beyond what is required to evaluate a specific check. Each API call is scoped to the minimum fields and records needed. We do not cache API responses, retain raw API output, or store anything beyond the processed check result.
Our checks assess security configuration settings only. We never read, access, or store email bodies, attachments, file contents, Teams messages, SharePoint documents, OneDrive files, calendar entries, or any other user-generated content. The only mail-related checks we perform read transport rules and forwarding configuration — not message content.
All permissions we request are read-only by design. We cannot create, modify, delete, or interfere with any user, group, policy, resource, or setting in your tenant or Azure subscription. This is enforced at the Microsoft API level — read-only permissions do not permit write operations under any circumstances. See butwhy.cloud/permissions for the full permission list.
Your OAuth access token is used exclusively to run the security scan you initiated. It is held in memory only during scan execution — never written to disk, never stored in a database, never logged, and never reused for any subsequent scan or any other purpose. Once the scan completes the token is discarded. Microsoft access tokens also expire automatically after one hour regardless.
Each scan runs in complete isolation. Data from your tenant is never accessible to, shared with, combined with, or compared against data from any other organisation. Your access token is scoped to your tenant only by Microsoft — it cannot be used to access any other tenant. Scan results are stored under a unique scan ID with no cross-tenant linkage.
When a check identifies a misconfiguration we record only the minimum identifying information needed to make the finding actionable — for example a user principal name or resource name. We do not record surrounding data, adjacent records, or any information beyond what directly describes the finding. Evidence strings are capped at 500 characters per finding.
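The token-handling and finding-minimisation commitments above can be expressed as a small code pattern. The following is an added example written for this page, not ButWhy.Cloud's own code: the token is held only as a parameter of the scan call, a logging filter scrubs anything JWT-shaped as a safety net for "never logged", each query projects only the requested fields, and a finding records just the subject identifier plus evidence capped at 500 characters. The check definition, the placeholder endpoint, the `fake_fetch` function and the sample records are constructed assumptions.

```python
import json
import logging
import re
from dataclasses import dataclass, asdict

EVIDENCE_CAP = 500  # characters per finding, as stated on the page

# JWT-shaped strings (three base64url segments), optionally prefixed with "Bearer ".
_TOKEN_RE = re.compile(
    r"(?:Bearer\s+)?[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}"
)


def redact(text: str) -> str:
    """Replace anything that looks like an access token with a placeholder."""
    return _TOKEN_RE.sub("[REDACTED_TOKEN]", text)


class TokenRedactingFilter(logging.Filter):
    """Safety net for 'never logged': scrub tokens from every record before it is emitted."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # format first, then scrub
        record.args = ()
        return True


def scrub_log_message(fmt: str, *args) -> str:
    """Apply the filter to a synthetic record and return the text that would be logged."""
    record = logging.LogRecord("scan", logging.INFO, __file__, 0, fmt, args, None)
    TokenRedactingFilter().filter(record)
    return record.getMessage()


@dataclass
class Finding:
    check_id: str
    subject: str   # minimal identifier that makes the finding actionable (e.g. a UPN)
    evidence: str  # describes the misconfiguration only, never surrounding data


def make_finding(check_id: str, subject: str, evidence: str) -> Finding:
    """Record only the fields that describe the finding; cap evidence length."""
    return Finding(check_id, subject, evidence[:EVIDENCE_CAP])


def run_scan(access_token: str, checks: list, fetch) -> list:
    """Run each check with the token held only in this call's scope.

    `fetch(token, endpoint, select)` is a hypothetical minimal-field query function;
    it returns only the fields named in `select`, and the token never enters a finding.
    """
    log = logging.getLogger("scan")
    findings = []
    for check in checks:
        log.info("querying %s", check["endpoint"])  # endpoint only, never the token
        for rec in fetch(access_token, check["endpoint"], check["select"]):
            if check["is_misconfigured"](rec):
                findings.append(
                    make_finding(check["id"], rec[check["subject_field"]], check["evidence"](rec))
                )
    return findings  # the token is not referenced after this point


# --- Constructed sample check and records (hypothetical, not real tenant data) ---
FORWARDING_CHECK = {
    "id": "mail-forwarding-external",
    "endpoint": "/example/mailboxForwarding",  # placeholder, not a real API endpoint
    "select": ["userPrincipalName", "forwardingAddress"],
    "subject_field": "userPrincipalName",
    "is_misconfigured": lambda r: r["forwardingAddress"] is not None
    and not r["forwardingAddress"].endswith("@example.test"),
    "evidence": lambda r: f"forwards externally to {r['forwardingAddress']}",
}

_SAMPLE_RECORDS = [
    {"userPrincipalName": "alice@example.test", "forwardingAddress": None, "displayName": "Alice"},
    {"userPrincipalName": "bob@example.test", "forwardingAddress": "bob@personal.test", "displayName": "Bob"},
]


def fake_fetch(token: str, endpoint: str, select: list) -> list:
    """Stand-in for an API call: returns only the requested fields, like a field projection."""
    if not token:
        raise ValueError("a token is required")
    return [{k: r[k] for k in select} for r in _SAMPLE_RECORDS]


def report_json(findings: list) -> str:
    """The stored result: findings only, no token and no unrequested fields."""
    return json.dumps([asdict(f) for f in findings], indent=2)


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(TokenRedactingFilter())
    logging.basicConfig(level=logging.INFO, handlers=[handler])
    print(report_json(run_scan("constructed-token-placeholder", [FORWARDING_CHECK], fake_fetch)))
```

Running the block prints one finding for the constructed `bob@example.test` record; the `displayName` field never reaches the result because it was not in the projection, and the token string appears nowhere in the report or the log output.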
Scan results are used solely to produce your security report. We do not analyse, mine, aggregate, benchmark, or profile your data for any other purpose — including product improvement, training machine learning models, industry research, or commercial use. Your data tells us nothing about your organisation beyond what appears in your report.
Every scan is corroborated by three independent logs. No single party controls all three:
Together these three logs provide a complete, independently verifiable chain of custody from the moment you gave consent to the moment your token was discarded.
Microsoft's Unified Audit Log not only records what was read but also confirms that no write, create, update, or delete operations were performed by ButWhy.Cloud during your scan. Because write operations require different permission scopes — which we do not request — any attempt to write would be rejected by Microsoft before it could occur.
Every API endpoint we call is listed on our checks page alongside the permission it requires and the check it serves. There are no hidden queries or undocumented endpoints. Anyone can review the full list before consenting to a scan.