Skip to main content

Architecture

A Different Kind of Deployment

Most software-as-a-service products run in a vendor's own cloud infrastructure. Your data travels to the vendor's servers, where it is stored, processed, and managed under their security controls. You must trust the vendor to get that right.

Sensei IQ works differently. It is installed directly inside your Microsoft 365 tenant as a Power Platform solution. There is no Sensei-operated cloud service receiving your data. There is no separate Sensei database storing your project information. Your data never crosses a boundary into Sensei's environment.

This is a deliberate architectural choice — and it fundamentally changes how security questions should be evaluated.

The Tenant-Installed Model

When your organization installs Sensei IQ, the following happens entirely within your environment:

  • A Power Platform solution is imported into your Dataverse environment
  • A model-driven Power App is registered within your tenant's App registrations
  • All Dataverse tables, security roles, and business logic are provisioned in your environment
  • Power Automate flows run under service principal accounts registered in your tenant
  • Power BI reports are embedded within Power Apps and query your Dataverse data directly

Sensei does not operate any of these components from our infrastructure. We deploy code into your tenant; after that, everything runs inside your environment, under your governance.

Solution Architecture

Your Users (Browser / Teams)


  Power Apps (Sensei IQ)
  ┌─────────────────────┐
  │  Model-Driven App   │
  │  Canvas Apps        │
  │  PCF Components     │
  └────────┬────────────┘


     Microsoft Dataverse
  ┌─────────────────────┐
  │  Tables & Data      │
  │  Security Roles     │
  │  Business Rules     │
  │  Plugin Assemblies  │
  └────────┬────────────┘

    ┌──────┴──────┐
    ▼             ▼
Power Automate  Power BI
(Automation)    (Analytics)
    │             │
    └──────┬──────┘

  Microsoft Graph / Teams /
  SharePoint / External Systems

Every layer of this stack is Microsoft-managed infrastructure operating inside your tenant boundary.

Identity as the Security Perimeter

Modern cloud security has moved away from network-perimeter models. Sensei IQ is built fully around this principle: Microsoft Entra ID (formerly Azure Active Directory) is the security perimeter.

  • All access to Sensei IQ requires a valid Entra ID authentication
  • OAuth 2.0 tokens issued by your tenant's identity platform govern every interaction
  • No one — including Sensei staff — can access Sensei IQ data without a user account or service principal that your organization has explicitly authorized
  • Your tenant's Conditional Access policies, MFA requirements, and sign-in controls apply automatically

Because identity is the perimeter, your organization's existing identity governance directly protects Sensei IQ. There is nothing separate for Sensei to configure on your behalf.

Network & Transport Security

Sensei IQ has no internet-facing endpoints operated by Sensei. All communication flows within Microsoft's platform:

  • In transit: All traffic is encrypted using TLS 1.2 or higher, enforced by Microsoft's platform
  • At rest: Data is encrypted using Microsoft-managed keys within Dataverse
  • No inbound exposure: Sensei IQ does not expose APIs or webhooks that accept inbound connections from the internet
  • Microsoft trust boundary: All components operate within the same trust boundary as your other Microsoft 365 services

This means Sensei IQ inherits the same network security posture Microsoft applies to Power Platform, Teams, SharePoint, and the rest of your M365 environment.

What Sensei Manages

Sensei is responsible for the code and configuration it deploys into your tenant:

  • The security and correctness of Power Platform solution components (Power Apps, Dataflows, plugins, PCF controls)
  • Secure coding practices and vulnerability management across our development pipeline
  • The design of Dataverse security roles and least-privilege data access patterns within the app
  • Securing our own development and deployment infrastructure (Azure DevOps, GitHub Enterprise, developer workstations)

We do not manage, configure, or have visibility into your tenant's broader security settings unless you explicitly grant and authorize access for support purposes.

What This Means for Security Reviews

Because Sensei IQ runs inside your tenant, many standard SaaS security questions require a different answer than vendors operating their own infrastructure would give:

  • Data storage: Your Dataverse environment, in your region, in your tenant
  • Access controls: Your Entra ID, your security roles, your Conditional Access policies
  • Encryption keys: Microsoft-managed, within your tenant's Dataverse environment
  • Audit logs: Available through Microsoft Purview and Power Platform Admin Center — accessible to your administrators
  • Compliance certifications: Microsoft's certifications for Power Platform and Dataverse apply directly

For a structured overview of how responsibilities are divided, see Shared Responsibility.