# Security

To ensure confidentiality and privacy, our application has these features:

* All data is encrypted at rest and in transit.
* There is no inbound connectivity to the Managed Application.
* Outbound connectivity goes to customer storage only (exception: the billable user count goes to the MS Billing API).
* Information used for billing (user object id) is salted and hashed and stored in a Storage Account in the Managed Resource Group.
* The Managed Application uses a [Managed Identity](https://docs.bsure.io/v1/permissions-required#managed-identity-that-holds-these-permissions) to access MS Graph with read-only permissions.
* Azure Key Vault holds the secrets (Bsure personnel cannot access these secrets): the connection string to the Storage Account (provided by you - BYOSA[^1]) where user data is stored.

### Examples

#### Example showing how the billing information is salted and hashed:

<figure><img src="https://content.gitbook.com/content/8ZA9wzEc66a3iRTBh11w/blobs/rD44XGYeQwTftKvkNDf3/image.png" alt=""><figcaption></figcaption></figure>

#### Example of Bsure personnel accessing the Key Vault:

The Key Vault resides in the Managed Resource Group, but Bsure has no access to the secrets.

<figure><img src="https://content.gitbook.com/content/8ZA9wzEc66a3iRTBh11w/blobs/V3VqDdWTpOq8pp1rRuI2/image.png" alt=""><figcaption></figcaption></figure>

Bsure has the Contributor RBAC role, which is not sufficient to read secrets or to elevate permissions.

<figure><img src="https://content.gitbook.com/content/8ZA9wzEc66a3iRTBh11w/blobs/SQWNwtfvWtVwgvMX6cZP/image.png" alt=""><figcaption></figcaption></figure>
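Why Contributor falls short, as an added example that is not Bsure's own code: a small evaluator for Azure role definitions, run over abridged, constructed copies of the built-in Contributor and Key Vault Secrets User definitions. It assumes the vault uses the Azure RBAC permission model described in the referenced guide; `is_allowed` and `_matches` are illustrative names.

```python
import fnmatch

# Constructed, abridged excerpts of two built-in role definitions
# (the built-in roles reference has the full lists).
CONTRIBUTOR = {
    "actions": ["*"],
    "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
    "dataActions": [],
    "notDataActions": [],
}
KEY_VAULT_SECRETS_USER = {
    "actions": [],
    "notActions": [],
    "dataActions": [
        "Microsoft.KeyVault/vaults/secrets/getSecret/action",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
    ],
    "notDataActions": [],
}

def _matches(operation, patterns):
    """Case-insensitive wildcard match; role definitions use '*' as wildcard."""
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)

def is_allowed(role, operation, data_plane=False):
    """Effective permission = granted list minus the excluded list.

    Control-plane operations are checked against actions/notActions,
    data-plane operations against dataActions/notDataActions, so a '*'
    in 'actions' never grants a data action such as reading a secret.
    """
    grant, exclude = (("dataActions", "notDataActions") if data_plane
                      else ("actions", "notActions"))
    return _matches(operation, role[grant]) and not _matches(operation, role[exclude])

READ_SECRET = "Microsoft.KeyVault/vaults/secrets/getSecret/action"
ASSIGN_ROLE = "Microsoft.Authorization/roleAssignments/write"

if __name__ == "__main__":
    print("Contributor reads secret:", is_allowed(CONTRIBUTOR, READ_SECRET, data_plane=True))
    print("Contributor assigns role:", is_allowed(CONTRIBUTOR, ASSIGN_ROLE))
    print("Secrets User reads secret:", is_allowed(KEY_VAULT_SECRETS_USER, READ_SECRET, data_plane=True))
```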

**References:**

Azure built-in RBAC roles: <https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles>

Azure built-in roles for Key Vault data plane operations: <https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations>

[^1]: Bring Your Own Storage Account
