Comment on page
To ensure confidentiality and privacy, our application has these features:
- All data is encrypted at rest and in transit
- No inbound connectivity to the Managed Application
- Outbound to customer storage only (exception, billable user count goes to MS Billing API)
- Information used for billing (user object id) is salted and hashed and stored in a Storage Account in the Managed Resource Group
- Azure Keyvault for secrets (Bsure personnel cannot access these secrets). The connection string to the Storage Account (provided by you - BYOSA) where user data is stored.
The Keyvault resides in the Managed Resource Group, but Bsure have no access to access the secrets.
Bsure have the Contributor RBAC role, which is not sufficient to read secrets, or elevate permission.