Legal

Privacy Policy

Last updated: July 5, 2026

The plain-English version

We read your Microsoft 365 and Azure configuration — settings, policies, and security posture — never the content of your files, mailboxes, or chats. We keep scan history so you can see changes over time, and we delete it when you leave.

Payments run through Stripe, so we never see your card number. We don’t sell data, we don’t run ad trackers, and we don’t train AI models on your data. Questions or deletion requests: [email protected].

The summary is here to help you read — the full text below is what applies.

01What this policy covers

This policy explains what Tenant Strike — operated by Boltaic LLC, a Texas limited liability company doing business as Tenant Strike (“we”, “us”) — collects when you visit tenantstrike.com, use the Tenant Strike dashboard, or connect a Microsoft tenant for scanning — and why we collect it, who we share it with, and how long we keep it.

For the data our scanner reads from your tenant, your organization decides what we process and remains the owner of that data; we process it on your instructions to provide the service. If your organization needs a data processing agreement, email [email protected].

02What we collect

Account data. When you sign up: your name, work email address, and organization/tenant name. If teammates are invited, the same for them.

Tenant configuration data. When your administrator grants consent, we read security-relevant configuration through Microsoft’s Graph and Azure Resource Manager APIs using read-only permissions — every endpoint we call is published on our trust page. This includes things like sign-in and MFA policies, admin role assignments, email authentication records, sharing settings, app-consent grants, device compliance status, and Azure resource configuration. Some of it is personal data about your tenant’s users — names, email addresses, roles, and security status (for example, “this admin account has no MFA”). We never read the contents of files, mailboxes, messages, or chats — the permissions we hold don’t allow it.

External attack-surface data. For domains and portal URLs you list, we collect publicly observable information: DNS records, TLS certificate details, certificate-transparency history, exposed ports and service banners, and security headers.

Billing data. Payments are processed by Stripe. We store your Stripe customer and subscription identifiers and your plan status — your card details go to Stripe, never to us.

Usage and log data. Standard server logs (IP address, browser type, pages requested) and an audit log of significant actions in your account (who ran a scan, who changed a setting), kept for security and support.

Cookies. The dashboard uses cookies strictly to keep you signed in. The marketing site (tenantstrike.com) sets no analytics or advertising cookies and runs no third-party trackers.

03How we use it

  • run scans, generate reports, and track configuration drift over time;
  • send you service email — scan results, drift and vulnerability alerts you've enabled, billing notices, and important account or policy updates;
  • provide support when you contact us;
  • bill you and prevent abuse of the service;
  • secure, debug, and improve the service.

We do not sell your data, use it for third-party advertising, or use your tenant data to train machine-learning models. We may publish aggregated, anonymized statistics (for example, “X% of tenants we scan have no DMARC policy”) that identify neither you nor your tenant.

04Who we share it with

We share data only with the providers needed to run the service:

  • Microsoft — our infrastructure runs on Microsoft Azure, we read your tenant through Microsoft’s APIs, and notification email is delivered through Microsoft 365. Your scan data is stored on Azure.
  • Stripe — payment processing. Stripe receives your billing details directly; see Stripe’s privacy policy for how they handle them.

To assess your external attack surface, we also query public data sources about the domains you list: certificate-transparency logs (crt.sh), internet-scan datasets (Shodan/InternetDB), and DNS resolution via Cloudflare’s DNS-over-HTTPS service. These lookups send those services your domain names or IP addresses (information already public in DNS), and only public data comes back. Threat-intelligence feeds we use (such as abuse.ch blocklists) are downloaded in bulk — nothing about you is sent to them.

Beyond that, we disclose data only if required by law (we’ll notify you unless legally barred), to protect the rights or safety of Tenant Strike or others, or as part of a merger or acquisition — in which case this policy continues to apply to your data and we’ll notify you of any change in ownership.

05How we protect it

Access to your tenant uses Microsoft’s OAuth admin-consent flow with read-only permissions — we never see or store your users’ passwords, and you can revoke our access at any time from your Microsoft admin center. Data is encrypted in transit (TLS) and at rest on Azure, application secrets are stored outside the codebase, and internal access to customer data is restricted to the people who operate the service and logged. No system is perfectly secure; if a breach affects your data, we will notify you without undue delay.

06How long we keep it

  • Scan data and history — kept while your account is active (that history is what powers drift detection), and deleted within 30 days after you close your account or ask us to delete it.
  • Account and audit data — kept while your account is active and for a short period afterward for security and support, then deleted.
  • Billing records — kept as long as tax and accounting law requires.

Residual copies may persist briefly in encrypted backups before those backups are rotated out.

07Your rights and choices

Email [email protected] to access, correct, export, or delete the personal data we hold about you, or to object to or restrict our processing of it. We honor these requests regardless of where you live, subject to verifying that you are the account holder. If your users exercise privacy rights with your organization for data we process on your behalf, we’ll help you fulfill those requests. You can unsubscribe from alert email in the dashboard; service email essential to your account (like billing notices) continues while your account is open.

The service is for businesses and not directed to children under 16; we don’t knowingly collect their data.

08Changes to this policy

If we change this policy materially, we’ll notify you by email or in the dashboard before the change takes effect. The latest version always lives at this page, with the date at the top.

09Contact

Privacy questions, requests, or concerns: [email protected]. A human reads it, usually the founder.