We take read-only seriously. Your Microsoft 365 tokens are encrypted, your emails are never touched, and you can revoke access at any time.
Every layer of MSP License Tracker is designed around minimal access: read-only Graph scopes, refresh tokens encrypted at rest, and TLS on every connection.
We never modify your Microsoft 365 data. OAuth scopes are limited to reading license information, organization details, and sign-in activity — nothing else.
All Microsoft OAuth refresh tokens are encrypted at rest using AES-256-GCM before being written to the database. Tokens are never stored in plain text.
Our Microsoft Graph permissions explicitly exclude mailbox contents, SharePoint files, Teams messages, passwords, and payment card numbers.
All data exchanged between your browser, our servers, and Microsoft Graph APIs is encrypted in transit using modern TLS. HTTP connections are rejected.
MFA is supported via SMS, TOTP authenticator apps, or backup codes through our Clerk authentication provider.
Data processing agreements available on request. User data export and account deletion tools are built in. Contact support@msplicensetracker.com.
Hosted on Vercel (frontend) and Railway (PostgreSQL). Database connections are private-network only. No public database access.
Revoke Microsoft OAuth consent at any time from your Microsoft admin portal or by removing the tenant inside MSP License Tracker.
We are not yet SOC 2 certified and won't pretend otherwise. Instead, this page documents exactly what we access, how it's stored, and how to revoke it.
No hidden scopes. Here is every permission MSP License Tracker requests and exactly why.
Microsoft Graph OAuth Scopes
Organization.Read.All: read the tenant display name and verified domains
Directory.Read.All: read users and directory objects
LicenseAssignment.Read.All: read per-user license assignments
User.Read.All: read user profiles and sign-in timestamps
offline_access: maintain a refresh token so we can sync on your schedule
We never request mail, files, calendar, Teams messages, or write permissions of any kind. The four .Read.All scopes are delegated permissions that require admin consent in the client tenant, so a non-admin user cannot grant them by accident.
The plain-English version of our token lifecycle — what we store, how, and how to make us lose access.
1. Consent
You sign in to the client tenant and approve the read-only scopes listed above via Microsoft's standard OAuth consent screen. We never see the password — Microsoft hands us tokens directly.
2. Encryption at rest
The refresh token is encrypted with AES-256-GCM before it touches the database. The encryption key lives only in the application server's environment configuration — it is never stored alongside the data, never logged, and never sent to the browser.
3. Use
At sync time the server decrypts the refresh token in memory, exchanges it with Microsoft for a short-lived access token over TLS, pulls license and sign-in metadata, and discards the access token when the sync completes. Tokens are never written to logs or error reports.
4. Rotation
When Microsoft issues a new refresh token during the exchange, the old one is replaced immediately — re-encrypted with the same key, old value overwritten.
5. Revocation — you hold the kill switch
Delete the tenant in MSP License Tracker and its tokens and synced data are removed. Or revoke from your side: remove the enterprise application's consent in the Microsoft Entra admin center and every refresh token we hold for that tenant is rejected at its next exchange, no action from us required. The only residue is an access token issued for a sync already in progress, which Microsoft keeps valid until it expires (normally within the hour) and which we discard when that sync completes.
Start your 14-day free trial. Read-only access. No credit card required.