HelpSecurity & data

Where does my data live? + how to delete it

Customer records stay in your Dataverse — we read at generation time and discard. Generated docs are stored in our Azure Blob (UK South, per-tenant path) by default. Switch to ephemeral mode to skip our storage entirely.

Updated 2026-05-09

Templ8r is built around the principle that your customer records never leave your Dataverse. We process them at the exact moment a generation request fires, then discard. The generated document is what flows back — into your D365 Timeline as a Note, and (by default) into our Azure Blob storage as a copy you can re-download.

Data residency

  • Primary region: Azure UK South (London).
  • Backup database replica: North Europe (Ireland) — geo-paired secondary, encrypted at rest.
  • Customer records (yours): stay in the Microsoft Dataverse region you chose at provisioning. Templ8r reads them in-memory only at generation time.

What we store, where

In your Dataverse (we don't touch except as listed)

  • Customer records you generate from — read-only. We never write them.
  • Notes (annotations) — created by us on Timeline, hold the generated document.

In our Azure SQL (UK South, per-tenant rows)

  • Tenant identifier, Dataverse URL, Entra tenant id, display name, last-seen.
  • Templates you uploaded (metadata + binding spec).
  • Audit log: which template ran against which record, when, by whom, did it succeed.

In our Azure Blob (UK South, per-tenant path, AES-256)

  • Templates you uploaded (the .docx/.xlsx source).
  • Generated documents (Word + PDF copies). Ephemeral mode customers: not stored — see below.
Ephemeral mode — opt out of our blob entirely
Tenant settings → Output retention → "Strict (no blob storage)". Generated docs flow straight to your Timeline annotation and are never persisted by Templ8r. The audit row still records that a generation happened (without the payload). For customers whose policies forbid third-party retention of customer record data.

Encryption

  • At rest (SQL): TDE with platform-managed keys (AES-256).
  • At rest (Blob): Storage Service Encryption (AES-256).
  • At rest (Key Vault): HSM-backed (FIPS 140-2 Level 2).
  • In transit: TLS 1.2+ enforced everywhere — from your D365 to us, from us to Microsoft Dataverse, from us to our own Azure resources.

Tenant isolation

Every API request we serve is scoped by your Dataverse OrganizationId — encoded in a JWT we issue only after verifying the calling user against your Dataverse via WhoAmI. SQL queries always filter on tenant id at the WHERE clause. Blob paths are prefixed with the tenant id. Cross-tenant access would require forging a JWT, which would require our HMAC signing key (held in Azure Key Vault, accessible only by the API container's managed identity).

Deleting your data

Off-boarding takes ~30 days end-to-end and cleans up the lot:

  1. You email privacy@templ8r.co.uk from a contact authorised under the DPA.
  2. Optional: we export your templates as .docx + audit log as CSV before deletion.
  3. We run our offboard script (cascade delete of all rows tied to your tenant id) — instant from our SQL + Blob side.
  4. Stripe subscription cancelled in the Dashboard.
  5. Backups: your data persists in the 35-day rolling backup window, then is overwritten.
  6. You receive written confirmation per the DPA's clause 3.9.

Sub-processors

  • Microsoft Azure (UK South + North Europe backup) — hosting (compute, SQL, Blob, Key Vault, Service Bus, Application Insights).
  • Microsoft Entra ID — customer identity federation.
  • Stripe (post-GA only) — billing. Templ8r passes only billing contact details + payment metadata; never customer records or templates.

We give 30 days' written notice before adding any new sub-processor.

The legal pack

Our DPA + DPIA are available on request. Email privacy@templ8r.co.uk. Pre-GA customers get the current draft (Markdown source); GA customers get a co-counter-signed PDF.

Related
This help didn’t solve your problem?Email support →