365 Security Evaluation Tool Privacy Policy
Digital Bunker 365
By TetherView
Effective Date: July, 9 2026
365 Security Evaluation Tool is a Microsoft 365 security assessment tool built by Digital Bunker 365 (by TetherView). This policy explains what information the tool accesses when it runs against your Microsoft 365 tenant, how that information is used and protected, and what control you have over it. It applies specifically to 365 Security Evaluation Tool and is separate from Digital Bunker 365's general Terms of Use.
1. Information The Tool Accesses
When your organization's administrator runs 365 Security Evaluation Tool and grants consent, the tool reads the following categories of information from your Microsoft 365 tenant, using the permissions your administrator explicitly approves:
-
-
Directory information: user names, usernames (UPNs), assigned roles, group and guest membership
-
Sign-in and audit activity: sign-in logs, audit log entries, and multi-factor authentication registration status
-
Device compliance data: Intune device compliance policies and status
-
Security configuration: Conditional Access policies, authentication policies, data loss prevention policies, sensitivity labels, app registrations and OAuth consent grants
-
Risk and scoring data: identity risk detections, Microsoft Secure Score
-
Governance settings: access reviews, Privileged Identity Management (PIM) eligible assignments
-
Service configuration: Exchange Online, SharePoint Online, and Microsoft Teams tenant-level settings
-
365 Security Evaluation Tool has read-only access. It never creates, modifies, or deletes anything in your tenant. It does not access the content of emails, files, or chat messages, and it does not access health or financial information.
2. How Information is Used, Stored, and Secured
Information collected during a scan is used solely to generate the security assessment report for your organization. It exists only in memory for the duration of the scan. The completed report is transmitted to Digital Bunker 365 over encrypted connections (HTTPS/TLS). Any copy of the full technical report generated on the administrator's own machine during the scan is deleted immediately after delivery.
Digital Bunker 365 retains the delivered report for 180 days, after which it is securely deleted unless you request otherwise.
3. Who Information Is Disclosed To
The completed assessment report is disclosed to Digital Bunker 365 as the party performing the assessment on your organization's behalf. Microsoft processes the underlying API requests as the platform provider (Microsoft Graph, Exchange Online, SharePoint Online, and Microsoft Teams). This is inherent to how the tool connects to your tenant, not a separate disclosure by us.
We do not sell your information, share it with advertisers, or provide it to any other third party.
4. Your Controls
Your organization's administrator can, at any time:
-
-
Revoke 365 Security Evaluation Tool's access immediately by removing the app registration under Microsoft Entra admin center → Enterprise applications → 365 Security Evaluation Tool → Delete
- Request deletion of any retained report by contacting support@digitalbunker365.com
-
5. How You Can Access Your Information
At the end of every scan, a summary is provided directly to your organization, showing your overall compliance percentage, the number of controls evaluated, and an overall risk level. To request the full detailed report, or a record of exactly what data was collected during your assessment, contact support@digitalbunker365.com.
6. Legal Basis and Compliance
For the purposes of applicable data protection law (including the GDPR and CCPA/CPRA where relevant), your organization is the data controller for your own users' information. Digital Bunker 365 acts as a data processor / service provider, processing that information solely under your administrator's explicit authorization and for the sole purpose of delivering the requested security assessment. We process information in accordance with applicable data protection laws and will honor valid requests relating to access, correction, or deletion consistent with those laws.
7. Changes to This Policy
We will update this policy as 365 Security Evaluation Tool's functionality or data access changes. Material changes will be reflected in the "Last updated" date at the top of this page. We encourage you to review this policy periodically.
8. Data Retention
Questions about this policy or 365 Security Evaluation Tool's data practices? Contact us at support@digitalbunker365.com.