# Security

To ensure confidentiality and privacy, our application has these features:

* All data is encrypted at rest and in transit.
* No inbound connectivity to the Managed Application.
* Outbound connectivity to customer storage only (exception: the billable user count goes to the MS Billing API).
* Information used for billing (user object id) is salted and hashed and stored in a Storage Account in the Managed Resource Group.
* The Managed Application uses [Managed Identity](/v1/technical-description/permissions-required.md#managed-identity-that-holds-these-permissions) to access MS Graph with read-only permissions.
* Azure Key Vault is used for secrets (Bsure personnel cannot access these secrets). This covers the connection string to the Storage Account (provided by you - BYOSA[^1]) where user data is stored.

### Examples

#### Example showing how the billing information is salted and hashed:

<figure><img src="/files/89VzHgu9quqa08bE6ALN" alt=""><figcaption></figcaption></figure>

#### Example Bsure personnel accessing the Key Vault:

The Key Vault resides in the Managed Resource Group, but Bsure has no access to the secrets.

<figure><img src="/files/xReZnNMAJUqa2e5YKpCK" alt=""><figcaption></figcaption></figure>

Bsure has the Contributor RBAC role, which is not sufficient to read secrets or to elevate permissions.

<figure><img src="/files/epmxJNzjiki1RZmqhVG1" alt=""><figcaption></figcaption></figure>
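
The Contributor claim above can be checked against the role definition itself. The following is an added example, not Bsure's code: it evaluates a role's `actions`/`notActions` and `dataActions`/`notDataActions` the way Azure RBAC does, assuming the vault uses the Azure RBAC permission model described in the second reference below. The embedded role definitions are sample input abridged from the built-in roles reference, and the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Sample input (abridged). Replace with the "permissions" array returned by
# `az role definition list --name <role>` to audit the live definition.
CONTRIBUTOR = [{
    "actions": ["*"],
    "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
    "dataActions": [],
    "notDataActions": [],
}]
KEY_VAULT_SECRETS_USER = [{
    "actions": [],
    "notActions": [],
    "dataActions": [
        "Microsoft.KeyVault/vaults/secrets/getSecret/action",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
    ],
    "notDataActions": [],
}]

GET_SECRET = "Microsoft.KeyVault/vaults/secrets/getSecret/action"  # data plane
ASSIGN_ROLE = "Microsoft.Authorization/roleAssignments/write"      # control plane
ELEVATE = "Microsoft.Authorization/elevateAccess/Action"           # control plane


def _matches(patterns, operation):
    # Operation names are case-insensitive; "*" is the only wildcard.
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def role_allows(permissions, operation, data_plane=False):
    # Control-plane "*" never grants data-plane operations: they are
    # evaluated against dataActions/notDataActions only.
    allow, exclude = ("dataActions", "notDataActions") if data_plane else ("actions", "notActions")
    return any(
        _matches(p.get(allow, []), operation) and not _matches(p.get(exclude, []), operation)
        for p in permissions
    )


def audit(permissions):
    # The three capabilities relevant to the claim on this page.
    return {
        "read_secret": role_allows(permissions, GET_SECRET, data_plane=True),
        "assign_role": role_allows(permissions, ASSIGN_ROLE),
        "elevate_access": role_allows(permissions, ELEVATE),
    }
```

`notActions` subtracts from this role's own grant and is not a deny rule, so the audit should be run over every role assigned to the principal, not only Contributor.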

**References:**

Azure built-in RBAC roles: <https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles>

Azure built-in roles for Key Vault data plane operations: <https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations>

[^1]: Bring Your Own Storage Account

