Overview of data handled by Nova Core
Nova Core manages the following type of customer data:
·Microsoft Entra tenant information and other properties. Part of the information is stored in the product database.
·User metadata (Name, Email) as configured from Microsoft Entra
·Scheduled reports attachment data stored in Azure Blob storage encrypted at rest
·Internal identifier of user (Guid) and access to APIs will be tracked via Application Insight and is encrypted at rest.
·The application does not store or deal with end-user passwords of Microsoft Entra objects.
·The application stores multiple client secret of the application accessing Microsoft Entra ID via MS Graph (some are read-only, some are customer provided ones for white-label deployments). The data are stored in Azure Key Vault and is encrypted at rest.
·The application stores administrative account name and password to perform certain data collection jobs using PowerShell cmdlets. The data are encrypted by the data collection applications public key and stored in Azure Key Vault and is encrypted at rest and in transit.
Admin Consent and Service Principals
Nova Core itself does not require access to the customers Microsoft Entra and Office 365 tenancies. It does however provide capabilities for applications built upon Nova Core to ask and store additional consents and/or service credentials. Nova Core itself will not utilize service principals as entities defined in Microsoft Entra ID by default.
Following is the base consent required by Nova Core (for the Identity application).
In addition to the base consents required by Nova Core additional applications might request additional consents.
Location of customer data
When a customer signs up for Nova, we store metadata about customers organization (incl. tenant metadata) into a centralized storage, which currently resides in EU West/North Azure data centers. Also, any users metadata (email, name) invited to the platform will be stored into the same locations.
Privacy and protection of customer data
The most sensitive customer data processed by Nova Core is the Microsoft Entra tenant metadata. Reporting service also stores into blob storage any attachments, which are being sent to customers. This might be data which is provided by another Nova application and using Nova Cores reporting and alerting shared services.
·Notifications and emails sent through Alerting shared service stores the attachments to Azure Blobs. Data is stored encrypted at rest by Azure. Data in transit is protected by TLS.
·Third party service (SendGrid) is used to send emails with reports. Data transfer to SendGrid is protected by TLS and our API key.
·Other data are stored in SQL. Transparent data encryption is utilized to encrypts databases, backups, and logs at rest.
More information about Azure queues, tables, and blobs:
·https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction
·https://docs.microsoft.com/en-us/azure/security/security-storage-overview
·https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption