Security
Last updated: July 2026
Our approach
AuPoint helps organisations secure and bring their Microsoft Intune fleet into compliance. Such a tool handles sensitive data, so we apply to our own product the very principles we recommend to customers — least privilege, defence in depth, end-to-end encryption and full traceability. This page describes concretely how AuPoint is built, hosted and operated.
Secure development
- No change reaches production directly: every change goes through a pull request on a version-controlled repository (Git).
- Mandatory code review before merge: every pull request is reviewed, with a dedicated security review on sensitive areas.
- Continuous integration: on every pull request the codebase is checked automatically (strict TypeScript typing, unit tests, build); a PR can only be merged when everything is green.
- Strictly separated test and production environments: development and QA happen on dedicated environments, isolated from production data, each with its own database and secrets.
- Secrets management: no secret is stored in code. Keys and credentials are injected via encrypted environment variables, with distinct values per environment.
- Static application security testing (SAST) on every pull request: AI-assisted security review (Claude) and GitHub Security (code scanning), to catch flaws before merge.
- Dependencies monitored and kept up to date automatically via Dependabot (continuous vulnerability alerts and patch pull requests).
- Hard-coded guardrails around destructive operations (see below).
Authentication and access
- Sign-in exclusively through Microsoft SSO (Entra ID): AuPoint neither manages nor stores any password.
- Microsoft Graph access is application-only, with the strict minimum permissions required (least privilege).
- Roles and permissions (RBAC): every action is checked against the user's role (owner, admin, viewer) and scoped per tenant.
- A break-glass account is always excluded from Conditional Access rules to prevent lock-out.
Data protection
- No user access token and no Microsoft customer secret is ever stored in our database.
- Encryption at rest: database encrypted (AES-256) at the disk level, plus an additional field-level encryption (AES-256-GCM) on sensitive data (audit logs, device inventory, scanned policies).
- Encryption in transit: all traffic uses TLS 1.2 or higher.
- Append-only audit log: every write action is recorded with its author and timestamp, with no possibility of modification.
- Deletion guardrail: before deleting anything in your tenant (app, group, policy), AuPoint verifies the object was created by AuPoint; otherwise the deletion is refused. We can never touch a resource we did not create.
- Strict multi-tenant isolation and a capped per-organisation AI usage budget.
Hosting and location
The application and database are hosted in the European Union (Frankfurt). Microsoft processing (identity, Graph) stays within Microsoft's scope. Any transfers outside the EU are governed by standard contractual clauses and, where applicable, the EU-US Data Privacy Framework.
Providers and their certifications
AuPoint relies on established infrastructure services that publish their own security certifications:
| Provider | Role | Certifications |
|---|---|---|
| Microsoft (Entra ID, Intune, Graph) | Identity and management API | ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, PCI DSS |
| Vercel Inc. | Application hosting (EU) | SOC 2 Type II |
| Neon Inc. | PostgreSQL database (EU) | SOC 2 Type II, ISO 27001 |
| Anthropic | AI mini-agents (analysis, explanations) | SOC 2 Type II, ISO 42001 |
| Stripe Payments Europe Ltd. | Payments and billing | PCI DSS Level 1, SOC 1/2 |
| Resend Inc. | Transactional email | SOC 2 Type II |
| HostedScan LLC | Continuous vulnerability testing | OWASP, réseau, TLS |
The certifications listed are those published by the respective providers; refer to their trust centres for up-to-date attestations.
Testing and monitoring
Continuous vulnerability testing is operated through HostedScan (OWASP, network and TLS scans), without processing customer data. Availability and application errors are monitored continuously, and the audit log lets us trace every action.
Compliance
AuPoint is designed to help its customers align with the ISO 27001, NIS2 and GDPR frameworks: the deployed controls are mapped to these frameworks, and reports measure coverage. AuPoint acts as a processor (Art. 28 GDPR) for your tenant data, your organisation remaining the data controller.
Responsible disclosure
Think you found a vulnerability? Contact us at support@shelaon.com with the details needed to reproduce it. We acknowledge reports promptly and treat them as a priority. Please do not publicly disclose an issue before it is fixed.