Enterprise trust

Enterprise security for Microsoft 365 cyber recovery.

KavachIQ is built for security-aware and regulated teams. Tenant-scoped access, encryption, immutability, auditability, and compliance-mapped controls from day one.


SECURITY PRINCIPLES

How KavachIQ thinks about trust

A small set of principles drives how the product handles customer data and recovery actions.

Microsoft-native access model

KavachIQ uses Microsoft Entra OAuth admin consent. Your Global Admin approves scoped access. No passwords are stored, only tenant-scoped API tokens.

Tenant-scoped by design

Every backup, snapshot, restore job, and audit record is scoped to a tenant. Cross-tenant access is not a path in the product.

Identity-aware recovery

Identity and workload state are captured and restored together. Recovery actions are logged, attributable, and reversible per object.

Enterprise controls on day one

Encryption, per-tenant keys, immutable storage, SSO, MFA, audit trail, and compliance mapping are built in from the first deployment.

CORE CONTROLS

Controls built into every deployment

Encryption, immutability, access, and logging are enforced from the first tenant onboarded. Not a later upgrade.

Encryption at rest

AES-256-GCM for all stored data. Keys are rotated and managed per tenant.

Per-tenant keys

Each tenant has its own data encryption key, wrapped by a master key. A tenant key compromise cannot expose another tenant.

WORM / immutable backups

Snapshots under a WORM-enabled SLA are locked for the retention window. Deletion is blocked at the storage and API layers until the lock expires.

SSO and MFA

Sign in via Microsoft Entra OIDC. MFA enforcement is inherited from the tenant.

Audit trail

Every privileged action is logged with timestamp, user, tenant, and result. Audit records are exportable for security and compliance review.

Role-based access

Platform admin, MSP admin, tenant admin, and viewer roles. Least-privilege by default. Viewer accounts cannot take destructive actions.

Tenant-scoped access

Every API call and UI action is scoped to an explicit tenant. Cross-tenant operations require platform-admin privileges and produce audit records.

Recovery verification

Checksum validation, policy-active checks, and sign-in tests confirm a recovery actually restored the expected state.

TENANT DATA HANDLING

What KavachIQ does with tenant data, end to end

Six stages that describe the practical lifecycle of tenant data and recovery workflows in KavachIQ. Each stage states what is accessed, what is stored or computed, and how it is protected or controlled.

STAGE 01 Connect

Tenant-scoped access through Microsoft Graph.

  • Connection uses Microsoft Entra OAuth admin consent. No passwords are seen or stored.
  • Each workload has its own consent URL that grants only the least-privilege scopes it needs.
  • Access is scoped to a specific tenant. Cross-tenant operations require platform-admin privileges and produce an audit record.

STAGE 02 Capture

Identity and workload state are snapshotted on a schedule.

  • Microsoft Entra: 12 object types including users, groups, roles, conditional access policies, OAuth grants, service principals, and administrative units.
  • Microsoft 365 workloads: Exchange Online, OneDrive, SharePoint, and Teams. Granular per-item state is preserved.
  • Signals needed for blast radius and recovery sequencing (change counts, privilege shifts, deletion patterns) are computed at capture time.

STAGE 03 Store

Snapshots are protected by encryption and immutability.

  • Customer recovery data is stored in Microsoft Azure Storage in the region configured for the deployment.
  • Encryption at rest uses AES-256-GCM. Each tenant has its own data encryption key, wrapped by a master key.
  • Snapshots under a WORM-enabled SLA are locked for the retention window. Deletion is blocked at the storage and API layers until the lock expires.
  • Storage is tenant-scoped. A tenant key compromise cannot expose another tenant.
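
The per-tenant key model described under Core controls and in the Store stage, as an added sketch that is not KavachIQ's code: a random data encryption key (DEK) per tenant, wrapped under a master key with AES-256-GCM. The tenant ID as associated data, the blob layout, the in-memory master key, and the `TenantKeyStore` name are assumptions of this example; the page does not say how wrapping is implemented.

```javascript
const crypto = require("crypto");

// AES-256-GCM helpers. Blob layout (assumption of this example): iv(12) || tag(16) || ciphertext.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

function open(key, blob, aad) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // final() throws on tag mismatch
}

// Hypothetical key store: DEKs exist at rest only in wrapped form, bound to their tenant ID.
// In production the master key would sit in a KMS or HSM, not in process memory (assumption).
class TenantKeyStore {
  constructor(masterKey) { this.masterKey = masterKey; this.wrapped = new Map(); }
  provision(tenantId) {
    const dek = crypto.randomBytes(32);
    this.wrapped.set(tenantId, seal(this.masterKey, dek, Buffer.from(tenantId)));
  }
  unwrap(tenantId, wrappedDek = this.wrapped.get(tenantId)) {
    return open(this.masterKey, wrappedDek, Buffer.from(tenantId));
  }
  encrypt(tenantId, data) {
    return seal(this.unwrap(tenantId), Buffer.from(data), Buffer.from(tenantId));
  }
  decrypt(tenantId, blob) {
    return open(this.unwrap(tenantId), blob, Buffer.from(tenantId)).toString();
  }
}

function demo() {
  const store = new TenantKeyStore(crypto.randomBytes(32));
  store.provision("tenant-a"); store.provision("tenant-b");
  const snapA = store.encrypt("tenant-a", "constructed snapshot bytes");
  const snapB = store.encrypt("tenant-b", "constructed snapshot bytes");
  const fails = (fn) => { try { fn(); return false; } catch { return true; } };
  return {
    roundTrip: store.decrypt("tenant-a", snapA),
    crossTenantBlocked: fails(() => store.decrypt("tenant-b", snapA)),
    // A wrapped DEK filed under another tenant ID does not unwrap (AAD mismatch).
    swapBlocked: fails(() => store.unwrap("tenant-b", store.wrapped.get("tenant-a"))),
    // Tenant A's plaintext DEK, if leaked, still cannot open tenant B's snapshot.
    leakContained: fails(() => open(store.unwrap("tenant-a"), snapB, Buffer.from("tenant-b"))),
  };
}
```

In a vendor review, the questions this sketch makes concrete are where the master key lives, who can call the unwrap path, and whether wrapped keys are bound to a tenant identifier.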

STAGE 04 Recover

Restore and rollback actions run through guided, controlled workflows.

  • Role-based access gates destructive actions. Platform admin, MSP admin, tenant admin, and viewer roles are least-privilege by default.
  • Recovery follows identity-first order: Entra controls first, critical users next, high-priority content, then broader tenant recovery.
  • Every restore action is attributable per object and produces an audit record before and after execution.

STAGE 05 Verify

Recovery ends with evidence, not just a completed job.

  • Checksum validation confirms restored data matches the protected snapshot.
  • Policy-active checks confirm Entra controls like conditional access are enforcing again.
  • Sign-in validation verifies privileged and critical users can authenticate cleanly. A recovery report bundles the timeline, actions, and snapshots used.

STAGE 06 Audit

Every privileged action is logged and reviewable.

  • Audit records capture timestamp, user, tenant, action, and result for every privileged API and UI action.
  • Audit records are exportable for security, compliance, and incident review.
  • Deeper review artifacts and questionnaire responses can be requested through [email protected].

For environment-specific retention, residency, or data-processing questions, route requests through [email protected].

COMPLIANCE AND REVIEW

Compliance-mapped controls

KavachIQ controls are mapped to common compliance frameworks. Mapping is an internal evidence exercise and not a substitute for a formal audit report. For audit artifacts, contact the security and procurement path below.

SOC 2

16 controls mapped: access control, encryption, audit, change management, incident response, and monitoring.

GDPR

8 articles mapped: right to erasure, data portability export, breach notification, and processor obligations.

HIPAA

14 safeguards mapped: administrative, physical, and technical safeguards for ePHI in Microsoft 365.

DORA

Digital Operational Resilience Act controls for financial-sector operational recovery mapped against KavachIQ capabilities.

Mapping terminology: "mapped" means KavachIQ controls are cross-referenced to each framework's control IDs with supporting evidence in internal documentation. If your review process requires a SOC 2 report, a DPA, or other formal artifacts, route your request through the security and procurement path.

DEPLOYMENT ARCHITECTURE

How KavachIQ is deployed

The deployment model is built for Microsoft-native operations and enterprise review.

Deployed on Azure

Primary deployment is on Microsoft Azure Container Apps with Azure Storage and Azure Database for PostgreSQL.

Control plane and data plane

Control plane (API, scheduler, UI) is separate from the data plane (snapshot storage). Snapshots live in tenant-scoped, per-tenant-encrypted storage.

Microsoft Graph integration

Built on Microsoft Graph for Entra, Exchange, OneDrive, SharePoint, and Teams. Permissions use least-privilege scopes per workload.

API and onboarding

Documented API for tenant onboarding, workload enablement, and restore operations. OAuth admin consent handles permission grants.

PROCUREMENT FAQ

Questions we hear from security and procurement teams

Short, specific answers to the questions that come up during vendor evaluation. For formal artifacts and questionnaire responses, use the security contact path below.

Do you store our Microsoft 365 credentials?

No. KavachIQ uses Microsoft Entra OAuth admin consent. Your Global Admin approves scoped access, and only a tenant-scoped API token is used. Passwords are never seen or stored.

How is customer access scoped and isolated by tenant?

Every backup, snapshot, restore job, and audit record is scoped to a specific tenant. API calls and UI actions carry an explicit tenant context. Each tenant has its own data encryption key wrapped by a master key, so a tenant key compromise cannot expose another tenant. See the Connect and Store stages in the Data handling section for the end-to-end view.

How are backups protected from deletion or tampering?

Snapshots under a WORM-enabled SLA are locked for the retention window. Deletion is blocked at the storage and API layers until the lock expires. Privileged override requires platform-admin credentials and produces an audit record. The Store stage in the Data handling section describes this in context.

What evidence do you provide to verify recovery?

Recovery verification includes checksum validation against the protected snapshot, policy-active checks that confirm conditional access is enforcing again, and sign-in validation for privileged and critical users. A recovery report bundles the timeline, actions taken, and snapshots used.

What security and compliance documentation can we review?

Public documentation covers security architecture, tenant security, compliance mapping (SOC 2, GDPR, HIPAA, DORA), and API reference. Formal artifacts such as a data processing agreement (DPA), SOC 2 report, or vendor-risk questionnaire responses should be requested through [email protected].

How do security and procurement teams engage with KavachIQ?

Route vendor-risk questionnaires, audit artifact requests, and DPA reviews to [email protected]. For evaluation walkthroughs with an engineer, request a demo. Expect a reply within one business day.

What Microsoft 365 workloads and Entra objects are in scope?

Microsoft Entra (12 object types including users, groups, roles, conditional access, OAuth grants, service principals, and administrative units), Exchange Online, OneDrive, SharePoint, and Teams. Each workload has a scoped consent URL that grants only the permissions it needs.

How is access to recovery actions controlled and audited?

Role-based access gates destructive actions. Platform admin, MSP admin, tenant admin, and viewer roles are least-privilege by default. Every privileged action is logged with timestamp, user, tenant, and result. Audit records are exportable for security and compliance review.

If a question specific to your environment is not covered here, reach out at [email protected].

NEXT STEPS

Security and procurement follow-up

Security reviewers, procurement teams, and risk owners can route requests through the paths below.

Security & Procurement

Vendor-risk questionnaires, SOC 2 requests, DPA, and review artifacts.

[email protected]

Documentation

Security architecture, compliance mapping, tenant security, and API reference.

Review documentation

Talk to the team

Walk through your environment, workloads, and recovery requirements.

Request a Demo

Ready for a security review?

Request a walkthrough of KavachIQ security controls, tenant isolation, and compliance-mapped evidence. Or send a procurement questionnaire directly to the security path.

© 2026 KavachIQ. All rights reserved.