# Security + Public SQL

#### Security

To ensure confidentiality and privacy, our application has these features:

* All data is encrypted at rest and in transit.
* The Container App uses Entra ID and access token validation to enable SSO.
* Outbound data contains no personal data, only data used for billing or handcrafted operational signals, so that error messages carry no personal data.
* Billing information only contains the number of billable user accounts found in Entra ID and the Managed Application identifier.
* The Managed Application uses [Managed Identity](https://docs.bsure.io/technical-description/permissions-required#managed-identity-that-holds-these-permissions) to access MS Graph with read-only permissions.
* Azure Key Vault is used for secrets (Bsure personnel cannot access these secrets).
* SQL only supports identities from the customer tenant, with Entra ID-only login.

#### Example Bsure personnel accessing the Key Vault:

The Key Vault resides in the Managed Resource Group, but Bsure has no access to the secrets.

<figure><img src="/files/xReZnNMAJUqa2e5YKpCK" alt=""><figcaption></figcaption></figure>

Bsure has the Contributor RBAC role, which is not sufficient to read secrets or to elevate permissions.

<figure><img src="/files/epmxJNzjiki1RZmqhVG1" alt=""><figcaption></figcaption></figure>
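The following is an added example, not Bsure's own code: a simplified evaluator for Azure RBAC role definitions that shows why Contributor can manage the vault resource but cannot read secret values or assign itself another role. It assumes the vault uses the Azure RBAC permission model; the role definitions are abridged copies of the built-in roles, and the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Abridged built-in role definitions, constructed for this example from the
# public Azure built-in roles reference (Contributor's notActions is shortened).
# Assumption: the Key Vault uses the Azure RBAC permission model.
ROLES = {
    "Contributor": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
        "dataActions": [], "notDataActions": [],
    },
    "Key Vault Secrets User": {
        "actions": [], "notActions": [],
        "dataActions": [
            "Microsoft.KeyVault/vaults/secrets/getSecret/action",
            "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
        ],
        "notDataActions": [],
    },
}

def _matches(patterns, operation):
    # Operation names are compared case-insensitively; "*" is a wildcard.
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)

def is_allowed(role_name, operation, data_plane=False):
    """True if the role grants the operation: allow list minus exclusions."""
    role = ROLES[role_name]
    allow, exclude = (("dataActions", "notDataActions") if data_plane
                      else ("actions", "notActions"))
    return _matches(role[allow], operation) and not _matches(role[exclude], operation)

READ_SECRET = "Microsoft.KeyVault/vaults/secrets/getSecret/action"  # data plane
ASSIGN_ROLE = "Microsoft.Authorization/roleAssignments/write"       # control plane
READ_VAULT = "Microsoft.KeyVault/vaults/read"                       # control plane

def contributor_summary():
    # What the Contributor role can and cannot do against the vault.
    return {
        "manage vault resource": is_allowed("Contributor", READ_VAULT),
        "read secret value": is_allowed("Contributor", READ_SECRET, data_plane=True),
        "assign itself a role": is_allowed("Contributor", ASSIGN_ROLE),
    }
```

Calling `contributor_summary()` returns the three checks as booleans; only the control-plane vault read is granted.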

**References:**

Azure built-in RBAC roles: <https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles>

Azure built-in roles for Key Vault data plane operations: <https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations>


