1. Who We Are
This Privacy Policy applies to the dForts Copilot Readiness Monitor (the “Product”), published by dForts (“we”, “us”, “our”) on Microsoft AppSource and distributed as a SharePoint Framework (SPFx) solution.
Contact: support@dforts.com
2. Scope
This policy describes how we collect, use, and protect information when your organization installs and uses the dForts Copilot Readiness Monitor. It applies to all end users within the subscribing Microsoft 365 tenant.
This Product operates primarily within your own Microsoft 365 tenant. The only outbound data transfer to dForts infrastructure is the license validation request described in Section 4.
3. Data Processed Within Your Tenant
The following data is accessed at runtime to perform the oversharing analysis. It is never transmitted to dForts servers and is processed exclusively within your Microsoft 365 environment:
| Data type | Purpose | Storage |
|---|---|---|
| SharePoint site metadata and item IDs | Enumerate sites for tenant-wide report (Premium) | In-memory only |
| File and folder metadata | Identify items with risky permission configurations | In-memory only |
| SharePoint permission assignments | Detect oversharing (Anonymous, Everyone, External, Unique) | In-memory only |
| Scan results summary and logs | Cache results and display history to site owners | Stored in hidden SharePoint lists within your own site |
4. Data Transmitted to dForts
The only information sent to dForts infrastructure is your Microsoft 365 Tenant ID (GUID). This is transmitted via HTTPS to dfortsspcp01-portal.azurewebsites.net at web part load time to verify license status. No personal data, file contents, or SharePoint metadata are transmitted.
5. Microsoft Graph Permissions
The Product requests delegated permissions (Sites.Read.All, Files.Read.All, GroupMember.Read.All, User.Read.All). All permissions are exercised under the delegated identity of the signed-in user and no data leaves the tenant.
6. Data Retention
SharePoint hidden lists (scan cache, acknowledgements, remediation log) are retained indefinitely until the site owner or administrator deletes them. dForts license database stores Tenant ID and subscription details for the duration of the subscription.
7. Legal Basis for Processing (GDPR)
Processing is based on Contract performance (Article 6(1)(b) GDPR) and Legitimate interests (Article 6(1)(f) GDPR) for license validation.
8. Security
All communication between the Product and dForts infrastructure uses HTTPS (TLS 1.2 or higher). SharePoint data never leaves your tenant.
9. Contact
For privacy-related inquiries: support@dforts.com