Compliance
Compliance by Architecture
Sensei IQ's compliance posture rests on a straightforward principle: because Sensei IQ runs inside your Microsoft 365 tenant on Microsoft Power Platform, it inherits Microsoft's compliance framework for the underlying platform. That inheritance covers the infrastructure and platform layers; how your tenant is configured, and how Sensei develops the software, are separate questions and are addressed below.
Rather than asking clients to evaluate Sensei as a standalone cloud service with its own certification portfolio, we ask a different question: Does Microsoft's compliance posture satisfy your requirements for this workload? In most enterprise environments, it does — and in many cases, it already has, because your organization is already a Microsoft 365 customer.
What Sensei Inherits from Microsoft
Microsoft Power Platform and Dataverse — the infrastructure on which Sensei IQ operates — are covered by Microsoft's extensive compliance certification portfolio. This includes, but is not limited to:
| Standard / Framework | Coverage |
|---|---|
| SOC 1 Type II | Controls over financial reporting systems |
| SOC 2 Type II | Security, availability, confidentiality, and privacy controls |
| ISO 27001 | Information security management system |
| ISO 27018 | Protection of personal data in public cloud services |
| GDPR | European data protection requirements |
| HIPAA / HITECH | US healthcare data protections (Business Associate Agreement available from Microsoft) |
| FedRAMP | US federal cloud security authorization (scope depends on the Microsoft cloud your tenant uses, e.g. commercial vs. Government Community Cloud; confirm coverage for your cloud in the Service Trust Portal) |
Microsoft publishes its full compliance documentation through the Microsoft Service Trust Portal, where audit reports, certificates, and whitepapers are available for download. Sensei can reference this documentation in vendor reviews on your behalf.
What Your Organization Controls
Because Sensei IQ runs in your tenant, your organization is the data controller. This has significant compliance implications:
- Data residency: Your organization chooses the geographic region when it provisions the Power Platform environment, and that region cannot be changed afterwards. The choice governs where Sensei IQ data resides.
- Data retention: Retention policies are configured and enforced through your Microsoft 365 and Dataverse settings — not by Sensei.
- Access governance: Who can access data, under what conditions, and with what audit trail is governed by your Entra ID, Conditional Access, and Dataverse security role configuration.
- Audit logs: Sensei IQ activity is recorded in your tenant's Microsoft Purview audit log once Dataverse auditing is enabled in the environment's audit settings (it is not enabled by default). Your compliance team can review, export, and retain these logs according to your own policies.
- eDiscovery and legal hold: These capabilities are available through your Microsoft 365 compliance tools and apply to Sensei IQ data stored in Dataverse.
Sensei's Own Compliance Posture
Sensei Project Solutions maintains internal policies and controls governing our own development and operational practices:
- Security Policy — covering access control, asset management, change management, and incident response for our internal systems
- Secure Development Policy — SDL-aligned practices for all code and configuration shipped as part of Sensei IQ
- Password & Secrets Management Standard — enforced use of Azure Key Vault and MFA for all systems
- Dependency Management SOP — regular triage of third-party package vulnerabilities
These policies apply to our internal corporate environment and our development processes — not to client tenant data, which remains under the client's control.
GDPR
Sensei IQ is designed with GDPR principles in mind:
- Data minimization: Sensei IQ collects only the data necessary to deliver its project and portfolio management functions
- Data locality: Data remains in the Power Platform environment region selected by the client — no cross-border transfers to Sensei infrastructure
- Right to erasure / access: Because all data resides in Dataverse within the client's tenant, clients can fulfill data subject requests using their own Dataverse tools and Microsoft Purview features
- Processor vs. controller: Sensei Project Solutions is not a data processor under GDPR for client data — Sensei IQ operates within the client's own environment and Sensei does not receive or process that data on its own infrastructure
For personal data processed as part of Sensei Project Solutions' own operations (employee data, contact information), Sensei complies with applicable data protection obligations.
Using This Information in a Vendor Review
When a compliance or procurement team asks about Sensei IQ's compliance certifications, we recommend framing the evaluation this way:
- Confirm that Power Platform and Dataverse are in scope for your organization's existing Microsoft compliance coverage — in most cases, they are
- Reference Microsoft's compliance documentation via the Service Trust Portal for the specific standards your organization requires
- Review your tenant's configuration to confirm that environment region, audit logging, encryption, retention, and access controls are configured to your standards; the items listed under What Your Organization Controls above are the checklist
- Request Sensei's Security Policy and internal practices documentation if your process requires vendor attestation of software development controls
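The tenant-configuration check in the list above is the one step a reviewer can actually verify from the console. The following PowerShell is an added example, not part of Sensei IQ or of this page: it confirms the Power Platform environment's region against an allowed list (the data-residency control) and checks that unified audit log ingestion is switched on (without it nothing reaches Purview). It uses the Microsoft.PowerApps.Administration.PowerShell and ExchangeOnlineManagement modules; the `$AllowedRegions` and `$EnvironmentName` values are assumptions to replace with your own.

```powershell
# Added example (not Sensei IQ code): verify two tenant-side controls the page says
# your organization owns - environment region and unified audit log ingestion.
# Requires: Install-Module Microsoft.PowerApps.Administration.PowerShell
#           Install-Module ExchangeOnlineManagement
# Assumptions to replace with your own values:
$AllowedRegions  = @('europe')               # regions your data-residency policy permits
$EnvironmentName = 'Sensei IQ Production'    # display name of the Sensei IQ environment

Add-PowerAppsAccount      # interactive sign-in as a Power Platform administrator
Connect-ExchangeOnline    # interactive sign-in; Get-AdminAuditLogConfig lives in this module

# 1. Data residency. Location is fixed when an environment is created, so a value
#    outside the allowed list can only be remediated by migrating to a new environment.
$target = Get-AdminPowerAppEnvironment | Where-Object { $_.DisplayName -eq $EnvironmentName }
if (-not $target) { throw "Environment '$EnvironmentName' not found in this tenant." }

foreach ($env in $target) {
    $status = if ($AllowedRegions -contains $env.Location) { 'OK' } else { 'OUT OF POLICY' }
    '{0,-40} Location={1,-14} {2}' -f $env.DisplayName, $env.Location, $status
}

# 2. Audit logging. If ingestion is off, Dataverse activity is never written to the
#    Purview audit log, whatever the environment-level audit settings say.
$audit = Get-AdminAuditLogConfig
if ($audit.UnifiedAuditLogIngestionEnabled) {
    'Unified audit log ingestion: enabled'
} else {
    'Unified audit log ingestion: DISABLED - Dataverse activity will not appear in Purview'
}

# 3. Evidence for the vendor review file: export the environment facts as a dated CSV.
$target | Select-Object DisplayName, EnvironmentName, Location, EnvironmentType |
    Export-Csv -NoTypeInformation -Path ('sensei-iq-residency-{0:yyyyMMdd}.csv' -f (Get-Date))
```

The script does not check the environment-level Dataverse audit setting itself (start auditing, log access, read logs); that is toggled in the Power Platform admin center under the environment's audit and logs settings and should be recorded alongside the CSV as part of the review evidence.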
Sensei is glad to support your vendor security review process. See Security Review FAQ for pre-built answers to the most common questions.