Vigilance, Engineered In
We hold the keys to sensitive systems — so we operate under stricter controls than we ask of anyone else. Every permission is scoped, every session expires, and every action lands in your audit log, not ours.
Last updated: July 2026
How We Access Your Environment
Six rules we never break — on any engagement, for any client.
Least-Privilege by Default
We request only the permissions a task needs — scoped, reviewed, and nothing more.
Time-Bound, No Standing Admin
Just-in-time elevation that expires on completion. No permanent admin accounts left behind.
MFA & Conditional Access
Multi-factor and conditional access enforced on every account we touch — including our own.
Your Data Stays in Your Tenant
Telemetry and logs remain in your own Microsoft cloud and chosen Azure region.
Fully Auditable
Every action is logged in your tenant. You can review exactly what we did, and when.
Clean Offboarding
Access is revoked the moment an engagement ends — no lingering accounts, tokens, or secrets.
Watched From First Login to Last Logout
Vigilance isn't a policy document — it's how every engagement actually runs.
-
Access Is Requested, Never Assumed
Each task begins with a scoped permission request you approve — named engineers, defined roles, stated purpose.
-
Elevation Is Just-in-Time
Privileged roles activate through PIM for the duration of the task and expire automatically — no waiting for someone to remember to revoke.
-
Every Action Leaves a Trail
All changes are recorded in your tenant's audit log as they happen. You can replay our work, line by line, at any time.
-
Exit Is as Clean as Entry
When an engagement ends, accounts, tokens, and secrets are revoked the same day — and we confirm it to you in writing.
Access Posture
Privileged access, activated only when needed
Where Your Data Lives & Who Touches It
Engineered so your data never leaves your control by default.
Data Residency
We operate within your Microsoft tenant and the Azure region you select. Telemetry, logs, and workloads remain subject to your compliance obligations — never exported to Swardnet systems.
- Americas
- Europe
- UK
- Asia-Pacific
- Middle East
- Australia
Sub-Processors
We keep the number of sub-processors deliberately small. A current, itemized list — including purpose and data location — is provided before onboarding and on request.
Request the sub-processor list →Report a Vulnerability
We welcome reports from security researchers and treat them with priority.
How to Report
Email info@swardnet.com with enough detail to reproduce the issue. Please allow us a reasonable opportunity to remediate before public disclosure.
Our machine-readable policy is published at /.well-known/security.txt.
What to Expect
- Acknowledgement of your report
- An assessment and remediation plan
- Coordinated disclosure timing
- Credit where you would like it
Put Our Program Under the Microscope
DPAs, sub-processor lists, attestation status, security questionnaires — ask for anything. Transparency is the product.
info@swardnet.com