Privacy & Data Handling
Last updated: June 2, 2026
Who we are
LockList Security provides on-demand Microsoft 365 security and compliance assessments. This page explains exactly what data is and isn't handled when you use the assessment at locklistsecurity.com/scan.
How the scan works
You sign in with your own Microsoft 365 account using Microsoft's standard sign-in (MSAL / OAuth). The access token issued by Microsoft stays in your browser's local storage — it is never transmitted to or stored by us. The assessment then reads your tenant's configuration by calling Microsoft Graph directly from your browser. That configuration data is evaluated locally in the page; it is not sent to our servers.
Permissions we request
- Assessment (read-only): delegated read permissions such as Directory.Read.All, Policy.Read.All, AuditLog.Read.All, Reports.Read.All, and similar — used only to read your current settings.
- Fixes (optional, write): if you choose to apply a remediation, we request the specific write permission for that fix at that moment (incremental consent). Conditional Access fixes are created in report-only mode and are only enforced as a separate, explicit action you take. We never change your tenant without your click.
What touches our servers
Our server (a Cloudflare Worker) is intentionally minimal. It only:
- processes payments via Stripe and issues a short-lived download token;
- generates a report file (PDF / CSV / JSONL / JSON) when you click download. Your results are sent at that moment solely to produce the file and are then discarded; they are not stored or logged;
- returns non-sensitive configuration (your app client ID, scopes, price).
We operate no database of customer scans. There are no user accounts.
Payments
Payments are handled by Stripe. Your card details are entered into Stripe's secure fields and processed by Stripe — LockList never sees or stores your full card number. We retain no payment instrument data.
Cookies & tracking
We do not use advertising or third-party tracking cookies. Microsoft's sign-in library stores authentication state in your browser's local storage so you don't have to sign in repeatedly; clearing your browser storage removes it.
Data retention
Scan results live only in your browser tab for the duration of your session. Closing or refreshing the page clears them. We keep no copy.
Your control
You can revoke LockList's access at any time from your Microsoft account at myapps.microsoft.com or in the Microsoft Entra admin center under Enterprise applications.
Contact
Questions about privacy or security? Email admin@locklistsecurity.com.