Trust Center - Microsoft 365
You don't have to take our word for it. Our collector pseudonymises your data on your own machine, before anything is sent: the analysis service only ever receives tokens. And you can check it yourself, in four independent ways.
The mechanism
The collector always follows the same chain. The pseudonymisation key is generated locally and never leaves your machine.
After your consent on the official Microsoft screen, we read your tenant's security configuration, never writing anything to it.
Names, e-mails, identifiers are replaced with tokens on your machine, before anything is sent.
Only the tokens travel to the analysis service. Your real values stay with you.
The report is re-matched to your real labels locally, in your browser.
Fail-closed: by default, everything is tokenised. Only a handful of public Microsoft configuration values (e.g. Enabled, ExternalUserAndGuestSharing) remain in clear text, because they are needed for the evaluation. An unknown value is tokenised, never the other way round.
The four proofs
Each proof relies on a different third party, at a different point in time. None of them asks you to simply trust our word.
Access is granted via an application built on least privilege (the narrowest permissions Microsoft offers for each scope), granted on the official Microsoft consent screen and revocable at any time. The Service never writes, modifies or deletes anything.
The collector can only reach a single application destination, declared in manifest.json (host_permissions + CSP connect-src). Everything else is Microsoft.
The code that runs on your machine is the code that is published. The boundary is readable: pseudonymize.mjs and the keepClear() function in pseudo_whitelist.mjs. SHA256SUMS fingerprints, reproducible build.
The published code is timestamped by an independent third party (Internet Archive), so it can be proven after the fact that what was running was indeed what was declared.
In practice
The boundary is clear: your identities become tokens; only public configuration values remain readable.
What NEVER leaves (tokenised)
What is sent (tokens + public config)
What isn't public
They aren't needed to check our confidentiality promise: whatever the server does, it only ever receives tokens. That is precisely what the public repository lets you check. Every rule in the catalogue is also tied to an official source: we index what already exists, we invent nothing.