# Security + Public SQL

#### Security

To ensure confidentiality and privacy, our application has these features:

* All data is encrypted at rest and in transit.
* The Container App uses Entra ID and access token validation to enable SSO.
* Outbound data contains no personal data: only data used for billing, and handcrafted operational signals, which ensure that error messages carry no personal data.
* Billing information only contains the number of billable user accounts found in Entra ID and the Managed Application identifier.
* The Managed Application uses [Managed Identity](https://docs.bsure.io/technical-description/permissions-required#managed-identity-that-holds-these-permissions) to access MS Graph with read-only permissions.
* Azure Key Vault is used for secrets (Bsure personnel cannot access these secrets).
* SQL only supports identities from the customer tenant, with Entra ID-only login.

#### Example: Bsure personnel accessing the Key Vault

The Key Vault resides in the Managed Resource Group, but Bsure has no access to the secrets.

<figure><img src="https://content.gitbook.com/content/ygloFyyKhIYtV62dMZJc/blobs/KMtKoQvJcJB2n3ctLBZw/image.png" alt=""><figcaption></figcaption></figure>

Bsure has the Contributor RBAC role, which is not sufficient to read secrets or to elevate permissions.

<figure><img src="https://content.gitbook.com/content/ygloFyyKhIYtV62dMZJc/blobs/dnvH7juvLNNfYAaoiBQ4/image.png" alt=""><figcaption></figcaption></figure>
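The reasoning behind the Contributor statement above can be checked against the role definitions themselves. This is an added example, not Bsure's code: the role entries are abbreviated from the Azure built-in roles reference, the function names are hypothetical, and the check assumes the vault uses the Azure RBAC permission model.

```python
import re

# Abbreviated built-in role definitions (only the entries relevant here),
# transcribed from the Azure built-in roles documentation.
ROLES = {
    "Contributor": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
        "dataActions": [],      # no data-plane permissions at all
        "notDataActions": [],
    },
    "Key Vault Secrets User": {
        "actions": [],
        "notActions": [],
        "dataActions": [
            "Microsoft.KeyVault/vaults/secrets/getSecret/action",
            "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
        ],
        "notDataActions": [],
    },
}


def _matches(pattern, operation):
    """Azure RBAC wildcard match: '*' stands for any string, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def allows(role, operation, data_plane=False):
    """Effective permission = granted (data)actions minus not(Data)Actions."""
    definition = ROLES[role]
    allow_key, exclude_key = (
        ("dataActions", "notDataActions") if data_plane else ("actions", "notActions")
    )
    granted = any(_matches(p, operation) for p in definition[allow_key])
    excluded = any(_matches(p, operation) for p in definition[exclude_key])
    return granted and not excluded


if __name__ == "__main__":
    get_secret = "Microsoft.KeyVault/vaults/secrets/getSecret/action"
    print("Contributor reads secret:", allows("Contributor", get_secret, data_plane=True))
    print("Contributor assigns roles:",
          allows("Contributor", "Microsoft.Authorization/roleAssignments/write"))
```

Reading a secret is a data-plane operation, so the `*` in Contributor's control-plane `actions` never applies to it, and the `Microsoft.Authorization/*/Write` exclusion blocks assigning a role that would.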

**References:**

Azure built-in RBAC roles: <https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles>

Azure built-in roles for Key Vault data plane operations: <https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations>
