Skip to content
Capabilities

Security posture

Permafrost holds read-only OAuth consent into a customer's connected Azure tenants. There is no write-capable token to a customer tenant in our backing store. Tenant isolation is structural, not a policy claim. The operator boundary is audited and surfaced to the customer when active.

Read-only consent by default

Permafrost ships with Reader-class consent. The Microsoft Graph and Azure Resource Manager scopes the product requests are the minimum required to enumerate identities, read role assignments, and read activity logs. No write scope is part of the default consent.

Adding write capability is a deliberate, separate event. The customer must re-consent to any write-scope addition; the existing read-only consent does not silently expand. Every additional scope appears in the consent dialog the customer authorizes.

Zero standing write access

Permafrost never holds a write-capable token to a customer tenant. No service-principal credential in the backing store can change the state of a customer’s Azure environment. Every remediation that touches a customer tenant runs through one of three modes the customer chooses (covered in detail on three-mode remediation):

  • Mode A is a Markdown playbook the customer runs against their own tenant using their own tooling. Permafrost is not a party to the write.
  • Mode B is a downloadable script the customer reviews and runs in their own session with their own credentials. Permafrost is not a party to the write.
  • Mode C will be the in-product action: a session-scoped OAuth grant authorized by the analyst at the moment of execution. The token will live in memory only, expire inside one hour, and be discarded the moment the session ends. Nothing is persisted to the backing store. Mode C is in active security review and available for evaluation under a co-pilot agreement.

The invariant is load-bearing. Every remediation surface in Permafrost is structured so no write can succeed without a fresh, time-limited, customer-authenticated authorization handed to the product at the moment of action.

The operator boundary

Permafrost operators can view a customer’s data through a signed, time-limited, audited support session. Three properties hold whenever that happens.

  • Every read is logged with the operator identity, the customer scope, and the timestamp.
  • Operators have no write capability against a customer’s tenant under any circumstance. The read-only consent constraint applies to operator sessions the same way it applies to ordinary customer sessions.
  • The customer is notified in their dashboard when an operator session is active. The visibility is unconditional — there is no operator-only mode that hides this signal.

Tenant isolation by design

Every dataset Permafrost holds is partitioned by customer. Identities, role assignments, activity-log evidence, findings, UPR scores, and remediation history all sit inside the customer they belong to. No shared join key spans customers.

The isolation is structural, not a policy decision. Permafrost does not aggregate or sample data across customers for training, modeling, or benchmarking. There are no cross-customer comparison features. If Permafrost ever ships a feature that compares one customer to a peer group, it will be opt-in and it will not expose any other customer’s identifiable data. That is a constraint the product holds itself to.

What Permafrost does not store

A short list of items you might assume are held in the backing store but are not.

  • No customer-tenant credentials. No client secrets, no certificates, no refresh tokens that grant standing access to a customer tenant.
  • No Mode C OAuth tokens after session end. When Mode C executes an action, the token will exist in process memory only for the lifetime of that action, then be discarded.
  • No visitor IP addresses in the marketing analytics that power public pages. Do-Not-Track is honored by default.
  • No sign-in logs as a primary surface. Permafrost pulls just enough activity-log data to evidence permission-gap findings. It is not a log retention destination.

Compliance posture

Plain status, with dates instead of silence. Permafrost states what it holds, what is underway, and what is inherited from the infrastructure layer — and never lists a certification it does not hold as held.

Permafrost's own certifications

Attestations of Permafrost's product, processes, and controls.

  • SOC 2 Type 2Permafrost's own audit of its security controls over an observation window. In progress.
    In progressExpected H2 2026
  • ISO 27001Information-security management certification for Permafrost. On the roadmap after SOC 2 Type 2.
    PlannedPlanned
  • ISO 42001AI-management-system certification covering Permafrost's analysis and AI governance. On the roadmap.
    PlannedPlanned

Inherited from the infrastructure provider

Substrate certifications that attest the hosting layer beneath Permafrost, not Permafrost's own controls.

  • SOC 2Attested at the hosting layer by Permafrost's infrastructure provider. Covers the substrate, not Permafrost's own controls.
    InheritedCurrent
  • ISO 27001Inherited from the infrastructure provider's certified hosting platform.
    InheritedCurrent
  • ISO 27018Cloud-PII protection, inherited from the infrastructure provider's certified platform.
    InheritedCurrent

Two controls underpin the table above and are auditable today. The read-only consent baseline and the zero-standing-write invariant are verifiable from your side: the consent scopes are visible in your tenant’s enterprise-app blade, and the no-write claim holds because no write-capable token exists in our backing store. The operator boundary carries a full audit trail.

Expected dates are targets, not guarantees, and the list expands as evidence packs land. For the per-framework narrative — ISO 27001, ISO 42001, and SOC 2 each with its honest status, the compensating controls in place today, and how to request evidence under NDA — see the canonical certification status surface in the Trust Center, the single source of truth for this posture. If your procurement or security-review team needs current status before a longer review, reach us through your account team.