Security Program · Continuously Operated

Vigilance, Engineered In

We hold the keys to sensitive systems — so we operate under stricter controls than we ask of anyone else. Every permission is scoped, every session expires, and every action lands in your audit log, not ours.

Last updated: July 2026

Zero Standing admin access — ever
100% Actions logged in your tenant
JIT Elevation expires on completion
24/7 Follow-the-sun vigilance
Operating Principles

How We Access Your Environment

Six rules we never break — on any engagement, for any client.

Least-Privilege by Default

We request only the permissions a task needs — scoped, reviewed, and nothing more.

Time-Bound, No Standing Admin

Just-in-time elevation that expires on completion. No permanent admin accounts left behind.

MFA & Conditional Access

Multi-factor and conditional access enforced on every account we touch — including our own.

Your Data Stays in Your Tenant

Telemetry and logs remain in your own Microsoft cloud and chosen Azure region.

Fully Auditable

Every action is logged in your tenant. You can review exactly what we did, and when.

Clean Offboarding

Access is revoked the moment an engagement ends — no lingering accounts, tokens, or secrets.

The Lifecycle of Our Access

Watched From First Login to Last Logout

Vigilance isn't a policy document — it's how every engagement actually runs.

  • Access Is Requested, Never Assumed

    Each task begins with a scoped permission request you approve — named engineers, defined roles, stated purpose.

  • Elevation Is Just-in-Time

    Privileged roles activate through PIM for the duration of the task and expire automatically — no waiting for someone to remember to revoke.

  • Every Action Leaves a Trail

    All changes are recorded in your tenant's audit log as they happen. You can replay our work, line by line, at any time.

  • Exit Is as Clean as Entry

    When an engagement ends, accounts, tokens, and secrets are revoked the same day — and we confirm it to you in writing.

Access Posture

Just‑in‑Time

Privileged access, activated only when needed

ScopedEnforced
Time-BoundEnforced
AuditedEnforced
RevokedVerified
Data Protection

Where Your Data Lives & Who Touches It

Engineered so your data never leaves your control by default.

Data Residency

We operate within your Microsoft tenant and the Azure region you select. Telemetry, logs, and workloads remain subject to your compliance obligations — never exported to Swardnet systems.

  • Americas
  • Europe
  • UK
  • Asia-Pacific
  • Middle East
  • Australia

Sub-Processors

We keep the number of sub-processors deliberately small. A current, itemized list — including purpose and data location — is provided before onboarding and on request.

Request the sub-processor list →
Responsible Disclosure

Report a Vulnerability

We welcome reports from security researchers and treat them with priority.

How to Report

Email info@swardnet.com with enough detail to reproduce the issue. Please allow us a reasonable opportunity to remediate before public disclosure.

Our machine-readable policy is published at /.well-known/security.txt.

What to Expect

  • Acknowledgement of your report
  • An assessment and remediation plan
  • Coordinated disclosure timing
  • Credit where you would like it
Talk to Security

Put Our Program Under the Microscope

DPAs, sub-processor lists, attestation status, security questionnaires — ask for anything. Transparency is the product.

info@swardnet.com