Data Security
Patchly takes data security seriously. This page explains what data we access, how it’s stored, and how it’s protected.
What Data Patchly Accesses
Patchly uses read-only, application-level API permissions. We never:
- Modify data in your environment
- Impersonate users
- Access email content, file contents, or chat messages
Data We Collect
| Data Type | Source | Purpose |
|---|---|---|
| Vulnerability findings | Microsoft Defender | Core security analysis |
| Device inventory | Microsoft Defender | Device criticality scoring |
| Software inventory | Microsoft Defender | Software exposure mapping |
| Security alerts | Microsoft Defender | Alert correlation |
| Security recommendations | Microsoft Defender | Remediation guidance |
| User directory | Microsoft Graph | User criticality scoring |
| Group membership | Microsoft Graph | Access context |
| Sign-in activity | Microsoft Graph | Usage pattern analysis |
| Directory roles | Entra ID | Admin role identification |
Data We Don’t Collect
- Email content or attachments
- File contents (OneDrive, SharePoint)
- Chat messages (Teams)
- Passwords or credentials
- Personal documents
How Data Is Stored
Tenant Isolation
Each customer’s data is stored in a separate, isolated partition. Data from different customers is never co-mingled in queries or processing.
Encryption
- At rest: All data is encrypted using Azure Storage Service Encryption (AES-256)
- In transit: All API calls use TLS 1.2+
- Authentication: Certificate-based authentication (no shared secrets)
Storage Location
All data is stored in Azure Blob Storage in the East US 2 region. Data never leaves the Azure environment.
Retention
- Vulnerability and device data: Retained for 90 days, then automatically deleted
- Reference data (NVD, EPSS, KEV): Retained indefinitely (public data)
- Curated findings: Retained for 90 days
Authentication
Your Connection to Patchly
Patchly uses certificate-based authentication to access your Microsoft APIs. This is more secure than client secrets because:
- Certificates can’t be accidentally exposed in logs
- Certificates are stored in Azure Key Vault with access policies
- Certificate rotation doesn’t require sharing secrets
Your Users Accessing Patchly
Users access the Patchly dashboard via Microsoft Entra ID single sign-on. No separate passwords required.
Compliance
- All API permissions follow the principle of least privilege (read-only, application-level)
- Data access is logged and auditable
- Customer data can be fully deleted upon request
Questions?
Contact security@patchly.ai for security-related questions or to request our security documentation.