security & trust

Built for the procurement questionnaire.

Templ8r reads from your Dynamics 365 tenant on your users’ behalf and writes generated documents back to the originating record’s timeline. Below is exactly what runs where, who can see what, and which third parties touch your data.

UK GDPR: registered · Azure UK South + EU North · Managed-identity storage · Tenant isolation by construction · ISO 27001: controls aligned, cert FY27 · SOC 2 Type I: FY27

last reviewed · 2026-05-22 · contact: security@templ8r.co.uk

01 · where data lives

Hosting and data residency

Templ8r’s control plane runs entirely in Microsoft Azure datacentres in the UK and EU. No customer data, template binary, or generation log leaves these regions.

App + API: Azure App Service · UK South
Templates DB: Azure SQL · EU North · TDE encryption at rest
Template files: Azure Blob Storage · prefix {tenantId}/{blobId} · per-tenant managed-identity access · AES-256 at rest
Customer Dataverse: Stays in your tenant. Templ8r reads it at generation time; nothing is persisted on our side except the snapshot kept for audit replay.
Generated outputs: Written back to the originating D365 record as a Note (Annotation) and held in Blob for 30 days as a re-download fallback. Deleted earlier on customer request.

02 · who can do what

Identity & access control

Templ8r is a multi-tenant Microsoft Entra ID application. Sign-on is delegated to your existing identity provider — there is no separate Templ8r account, password, or username.

  • Admin-consent flow: a single grant by your Global Admin lights up Templ8r for the whole tenant. No per-user OAuth dance.
  • Customer-controlled app user inside Dataverse — pin the security roles, scope the entity coverage, revoke at any time.
  • JWTs are short-lived (15 minutes) and carry tenant_id, user_id and dataverse_url as signed claims. Every DB query and blob read is scoped by the tenant claim, so a request can only reach the data of the tenant named in its token; there is no code path that takes the tenant from the request itself.
  • Template visibility honours D365 security roles. A user only sees templates published to roles they hold.
03 · encryption

In transit and at rest

Transport: TLS 1.2+ enforced on every public endpoint. HSTS preload on www. No plaintext fallback.
At rest, DB: Azure SQL Transparent Data Encryption (AES-256), Microsoft-managed keys.
At rest, Blob: Azure Storage Service Encryption (AES-256), Microsoft-managed keys. Customer-managed keys (CMK) available on Enterprise tier.
Secrets: Azure Key Vault. No secrets in source, in CI logs, or in environment files committed to git.
Storage credentials: Managed Identity. No shared keys, no SAS tokens in the codebase or pipeline.

04 · tenant isolation

One tenant cannot see another

Multi-tenant isolation isn’t a permission check we have to remember to write. The shape of the data layer rules it out.

  • Every persisted record carries tenant_id = your Dataverse OrganizationId. Every query filters on it.
  • Blob paths are prefixed {tenantId}/{blobId}. Managed-identity binding restricts the API’s effective permission to its own prefix.
  • The tenant_id claim is the single source of truth: it is signed server-side and cannot be supplied or overridden by anything in the request body, query string or headers. A tampered client cannot widen its tenant scope without producing a valid signature.
  • There is no shared admin UI across tenants. Templ8r staff cannot enumerate customer data from a console — read access requires the same tenant-scoped flow.
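
The following is an added illustration of the flow described in sections 02 and 04; it is not Templ8r's own code. It assumes a server-side HMAC key standing in for the real signing key, a compact JWT-style token carrying the three claims named above, and an in-memory SQLite table with constructed sample rows for two tenants. The point it shows is that tenant scope is taken from the verified token only: a client that tampers with the payload, or that passes another tenant's id as a request parameter, gets either a refusal or its own tenant's rows.

```python
import base64
import hashlib
import hmac
import json
import sqlite3
import time

# Assumption: an HMAC key stands in for the real server-side signing key.
SIGNING_KEY = b"demo-signing-key-not-for-production"
TOKEN_TTL = 15 * 60  # 15-minute lifetime, as stated on the page


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(tenant_id: str, user_id: str, dataverse_url: str, now=None) -> str:
    """Issue a compact JWT-style token carrying the three claims named on the page."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"tenant_id": tenant_id, "user_id": user_id, "dataverse_url": dataverse_url,
              "iat": now, "exp": now + TOKEN_TTL}
    signing_input = (_b64(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def verify_token(token: str, now=None) -> dict:
    """Return the claims only if the signature and the expiry check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload_b64))
    now = int(time.time()) if now is None else now
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def tamper(token: str, **changed) -> str:
    """What a hostile client can do: rewrite the payload but keep the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims.update(changed)
    new_payload = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return header_b64 + "." + new_payload + "." + sig_b64


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: one template for each of two tenants."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE templates (tenant_id TEXT NOT NULL, blob_id TEXT NOT NULL, name TEXT NOT NULL)")
    db.executemany("INSERT INTO templates VALUES (?, ?, ?)",
                   [("tenant-A", "blob-1", "Quote"), ("tenant-B", "blob-2", "Invoice")])
    return db


def list_templates(db, token: str, request_params: dict, now=None) -> list:
    """Tenant scope comes from the verified token only. A tenant_id in the
    request parameters is deliberately never read, so ?tenant_id=other cannot
    widen the scope. The blob path is built from the same claim."""
    tenant = verify_token(token, now)["tenant_id"]
    rows = db.execute("SELECT blob_id, name FROM templates WHERE tenant_id = ?", (tenant,)).fetchall()
    return [{"blob_path": f"{tenant}/{blob_id}", "name": name} for blob_id, name in rows]


def handle_request(db, token: str, request_params: dict, now=None) -> tuple:
    """Handler entry point: ('ok', rows) or ('denied', reason)."""
    try:
        return "ok", list_templates(db, token, request_params, now)
    except ValueError as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    db = setup_db()
    # Constructed Dataverse URL; any value would do for the demonstration.
    token = mint_token("tenant-A", "user-1", "https://example.crm.dynamics.com", now)
    print(handle_request(db, token, {"tenant_id": "tenant-B"}, now))          # tenant-A rows only
    print(handle_request(db, tamper(token, tenant_id="tenant-B"), {}, now))  # denied: bad signature
    print(handle_request(db, token, {}, now + TOKEN_TTL))                    # denied: token expired
```

The shape worth copying is that the handler never has a branch that reads a tenant from the request: the only way to name a tenant is to hold a token whose signature covers that claim, and the same claim feeds both the SQL filter and the blob prefix.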
05 · audit & retention

What we log, how long we keep it

Generation audit: Immutable row per generation: caller (Entra UPN), tenant, template id + snapshot, record id, status, timestamp, output blob id. Append-only. Exportable as CSV or via signed API.
Snapshot pinning: The audit row pins the exact template binary that ran. Rename, archive, or delete the template later; the audit row stays queryable and the snapshot stays readable.
Output retention: 30 days in Blob as a re-download fallback, then deleted. The Note on the D365 timeline lives in the customer's Dataverse and is governed by their own retention policy.
Diagnostic logs: App-level logs in Azure Application Insights. PII-light by design: record IDs, not record contents. 30-day retention, then purged.
Right to erasure: On written request from the tenant admin, all template binaries, audit rows, and generated outputs for that tenant are purged within 30 days, with a delete confirmation.

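
An added sketch of the append-only audit and snapshot pinning described above, not Templ8r's schema. It assumes SQLite (standing in for Azure SQL), a content-addressed snapshot table keyed by SHA-256 (the page says a snapshot is pinned; the hashing scheme is this example's choice), and database triggers as the mechanism that refuses UPDATE and DELETE on audit rows and refuses to drop a snapshot any audit row still points at. Template names, tenant ids and record ids are constructed.

```python
import hashlib
import sqlite3


def setup_audit_db() -> sqlite3.Connection:
    """Content-addressed snapshots, a mutable template catalogue, and an
    audit table that triggers make append-only."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE template_snapshots (
            snapshot_sha256 TEXT PRIMARY KEY,
            content         BLOB NOT NULL
        );
        CREATE TABLE templates (
            tenant_id       TEXT NOT NULL,
            template_id     TEXT NOT NULL,
            name            TEXT NOT NULL,
            snapshot_sha256 TEXT NOT NULL REFERENCES template_snapshots(snapshot_sha256),
            PRIMARY KEY (tenant_id, template_id)
        );
        CREATE TABLE generation_audit (
            id              INTEGER PRIMARY KEY AUTOINCREMENT,
            caller_upn      TEXT NOT NULL,
            tenant_id       TEXT NOT NULL,
            template_id     TEXT NOT NULL,
            snapshot_sha256 TEXT NOT NULL REFERENCES template_snapshots(snapshot_sha256),
            record_id       TEXT NOT NULL,
            status          TEXT NOT NULL,
            ts              TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
            output_blob_id  TEXT
        );
        -- Append-only: any UPDATE or DELETE against the audit table aborts.
        CREATE TRIGGER audit_no_update BEFORE UPDATE ON generation_audit
        BEGIN SELECT RAISE(ABORT, 'generation_audit is append-only'); END;
        CREATE TRIGGER audit_no_delete BEFORE DELETE ON generation_audit
        BEGIN SELECT RAISE(ABORT, 'generation_audit is append-only'); END;
        -- A snapshot pinned by any audit row cannot be removed, whatever happens
        -- to the catalogue entry that pointed at it.
        CREATE TRIGGER snapshot_pinned BEFORE DELETE ON template_snapshots
        WHEN EXISTS (SELECT 1 FROM generation_audit WHERE snapshot_sha256 = OLD.snapshot_sha256)
        BEGIN SELECT RAISE(ABORT, 'snapshot is pinned by an audit row'); END;
    """)
    return db


def publish_template(db, tenant_id: str, template_id: str, name: str, content: bytes) -> str:
    """Store the template binary content-addressed and point the catalogue at it."""
    digest = hashlib.sha256(content).hexdigest()
    db.execute("INSERT OR IGNORE INTO template_snapshots VALUES (?, ?)", (digest, content))
    db.execute("INSERT OR REPLACE INTO templates VALUES (?, ?, ?, ?)",
               (tenant_id, template_id, name, digest))
    db.commit()
    return digest


def record_generation(db, caller_upn: str, tenant_id: str, template_id: str,
                      record_id: str, output_blob_id: str) -> int:
    """Write the audit row, pinning the snapshot the template resolves to right now."""
    row = db.execute("SELECT snapshot_sha256 FROM templates WHERE tenant_id = ? AND template_id = ?",
                     (tenant_id, template_id)).fetchone()
    if row is None:
        raise LookupError("no such template for this tenant")
    cur = db.execute(
        "INSERT INTO generation_audit (caller_upn, tenant_id, template_id, snapshot_sha256, "
        "record_id, status, output_blob_id) VALUES (?, ?, ?, ?, ?, ?, ?)",
        (caller_upn, tenant_id, template_id, row[0], record_id, "succeeded", output_blob_id))
    db.commit()
    return cur.lastrowid


def delete_template(db, tenant_id: str, template_id: str) -> None:
    """Catalogue delete, as a customer would do it; audit rows and snapshots are untouched."""
    db.execute("DELETE FROM templates WHERE tenant_id = ? AND template_id = ?", (tenant_id, template_id))
    db.commit()


def replay_snapshot(db, audit_id: int) -> bytes:
    """The exact bytes that ran for a given audit row, regardless of later edits."""
    row = db.execute(
        "SELECT s.content FROM generation_audit a JOIN template_snapshots s "
        "ON s.snapshot_sha256 = a.snapshot_sha256 WHERE a.id = ?", (audit_id,)).fetchone()
    if row is None:
        raise LookupError("no audit row with that id")
    return bytes(row[0])


def attempt(db, sql: str, params=()) -> bool:
    """True if a mutation went through, False if a trigger aborted it."""
    try:
        db.execute(sql, params)
        db.commit()
        return True
    except sqlite3.DatabaseError:  # RAISE(ABORT) surfaces as a constraint error
        db.rollback()
        return False
```

Run against the constructed data (publish a template, generate once, publish a new version, delete the template), `replay_snapshot` still returns the first version's bytes, and `attempt` returns False for an UPDATE or DELETE on the audit row and for a DELETE of the pinned snapshot. Whether the real store enforces this with triggers, a write-once table, or an immutable blob tier is an implementation choice; the property to verify is the same one these calls check.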
06 · sub-processors

Who else touches your data

We use the minimum number of third parties needed to run the service. The list is short and stable.

provider           | purpose                                        | data category                                                     | region
Microsoft Azure    | Hosting, storage, SQL, identity, observability | Tenant id, templates, generation audit, output blobs              | UK South · EU North
Microsoft Entra ID | Identity provider for sign-on                  | Entra UPN, object id, tenant id                                   | Global (your tenant home region)
Stripe             | Subscription billing & payment processing      | Billing email, company name, card last-4 (held by Stripe, not us) | EU · UK
GitHub             | Source code hosting and CI                     | Source code only, no customer data                                | US (no customer-data flow)

Any change to this list is notified to active subscribers at least 30 days before the new sub-processor receives data. Mail security@templ8r.co.uk to be added to the change notice list.

07 · compliance posture

What we have today, what we’re working towards

We are deliberately honest about the difference between certified and aligned.

Live
UK GDPR (UK Data Protection Act 2018)
Registered with the ICO. DPA available on request to active customers and qualified prospects.
Live
Cyber Essentials
Self-assessed against the controls. Cert audit scheduled FY26 Q4.
Roadmap
ISO 27001:2022
Internal controls mapped against Annex A. External certification audit planned FY27. Statement of Applicability available on request.
Roadmap
SOC 2 Type I
Targeted FY27 — driven by enterprise customer demand. Trust Services Criteria gap analysis complete.
Operating
Penetration test
Annual external pen test against the API and authoring portal. Latest summary report (redacted) available under NDA.
08 · incident response

If something goes wrong

We aim to notify affected tenant admins within 24 hours of confirming a security incident that may have affected their data. Notice includes scope, root cause, remediation steps, and a follow-up post-mortem inside 7 days.

Disclose a vulnerabilitysecurity@templ8r.co.uk
Response windowTriage within 1 working day. Severe vulnerabilities acknowledged inside 4 hours, 09:00–18:00 UK.
09 · open posture

Auditable by design

The Templ8r document-generation engine is open source. Procurement and your security team can read the binding compiler, the Dataverse fetch layer, and the merge pipeline directly — no NDA, no on-site visit.

questionnaires

Need this in your procurement format?

SIG-Lite, CAIQ, and bespoke RFPs are all welcome. We aim to return a populated questionnaire within 5 working days. DPA, Statement of Applicability, and redacted pen-test summary on request under NDA.
