Security Review FAQ
This page is designed for IT security teams, procurement officers, and risk reviewers evaluating Sensei IQ as part of a vendor security review. The questions below reflect the most common inquiries we receive.
If you need a structured document for your review process, you can download our Pre-Filled Vendor Security Questionnaire — a complete Q&A document formatted for vendor security review workflows.
Before reviewing: Sensei IQ is not a traditional SaaS product. It is deployed as a Power Platform solution inside your own Microsoft 365 tenant. Many standard vendor security questions assume a vendor-hosted environment — in Sensei IQ's case, the "environment" is your own. We've structured these answers to reflect that reality clearly.
Company & Product
What is Sensei IQ and how is it deployed?
Sensei IQ is a project and portfolio management solution built on Microsoft Power Platform. It is deployed as a Power Platform solution into your organization's own Dataverse environment. There is no Sensei-hosted service receiving or storing your data — the entire application runs inside your Microsoft 365 tenant.
Who is Sensei Project Solutions?
Sensei Project Solutions is a Microsoft Solutions Partner specializing in project and portfolio management on Microsoft Power Platform. We develop and maintain Sensei IQ and are responsible for the security of the code and configuration we deploy.
Data Storage & Residency
Where is my data stored?
All Sensei IQ data is stored in Microsoft Dataverse within your own Power Platform environment. Your data resides in the geographic region you selected when provisioning your environment. Sensei does not receive copies of your data, and it does not leave your tenant.
Does Sensei have access to my data?
Under normal operating conditions, Sensei Project Solutions has no access to your Dataverse data. Sensei staff access is only possible if your tenant administrators explicitly grant it for a specific purpose (such as implementation support), and it can be revoked at any time.
What is your data retention policy?
Data retention for Sensei IQ is governed by your organization's Microsoft 365 and Dataverse retention policies — not by Sensei. You configure and own data retention within your tenant.
Encryption
How is data encrypted at rest?
All data in Dataverse is encrypted at rest using AES-256 encryption managed by Microsoft. Optionally, your organization can configure customer-managed encryption keys (CMK) through the Power Platform Admin Center.
How is data encrypted in transit?
All data in transit is encrypted using TLS 1.2 or higher, enforced by Microsoft Power Platform. This applies to all communication between users, the Power App, Dataverse, and integrated Microsoft services.
Who manages encryption keys?
By default, encryption keys are managed by Microsoft. Your organization can optionally take ownership of keys through the CMK feature in Power Platform.
Identity & Access
How do users authenticate to Sensei IQ?
Authentication is handled entirely by Microsoft Entra ID (formerly Azure Active Directory) using OAuth 2.0. Sensei IQ has no separate identity store. All of your organization's existing identity policies — MFA, Conditional Access, sign-in restrictions — apply automatically.
Does Sensei IQ support multi-factor authentication (MFA)?
Yes. MFA is enforced through your organization's Entra ID Conditional Access policies. Sensei IQ does not bypass or override your MFA configuration.
How is access controlled within the application?
Authorization is managed through Dataverse security roles, which your administrators assign and manage. Sensei IQ ships with pre-defined roles designed around least-privilege principles. Role management is entirely within your organization's control.
Does Sensei use service principals in our tenant?
Some Sensei IQ components use Azure service principals registered within your tenant for integrations and automated processes. These are:
- Registered in your tenant (visible and manageable in your Entra ID portal)
- Granted only the minimum permissions required
- Audited through your tenant's logs
- Revocable at any time by your administrators
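The four properties above can be verified from your own tenant. The following PowerShell script is an added example, not part of Sensei's documentation; it assumes the Microsoft.Graph PowerShell SDK and uses a placeholder display-name prefix that you replace with the actual name(s) of the vendor's app registrations.

```powershell
# Added example (not Sensei's code): enumerate a vendor's service principals
# in your tenant and list the permissions they hold, so a reviewer can check
# the least-privilege claim and knows which objects to disable if needed.
# Assumptions: Microsoft.Graph module installed; $namePrefix is a placeholder.

Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

$namePrefix = "Sensei"   # placeholder: replace with the real registration name(s)

# Service principals are the tenant-side objects; filter by display name.
$sps = Get-MgServicePrincipal -All -Filter "startswith(displayName,'$namePrefix')"

foreach ($sp in $sps) {
    Write-Host "== $($sp.DisplayName) (AppId $($sp.AppId)) Enabled=$($sp.AccountEnabled)"

    # Credentials on the principal: review expiry dates during the audit.
    $sp.KeyCredentials + $sp.PasswordCredentials |
        ForEach-Object { Write-Host "   credential $($_.DisplayName) expires $($_.EndDateTime)" }

    # Application permissions (app roles) granted to this principal.
    $appPerms = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
        ForEach-Object {
            $resource = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId
            $role = $resource.AppRoles | Where-Object Id -eq $_.AppRoleId
            [pscustomobject]@{ Type = 'Application'; Resource = $resource.DisplayName; Permission = $role.Value }
        }

    # Delegated permissions (OAuth2 grants) consented for this principal.
    $delegated = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id |
        ForEach-Object {
            $resource = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId
            [pscustomobject]@{ Type = 'Delegated'; Resource = $resource.DisplayName; Permission = $_.Scope; Consent = $_.ConsentType }
        }

    @($appPerms) + @($delegated) | Format-Table -AutoSize
}

# Revocation is under your control: disabling the principal blocks all sign-ins.
# Uncomment to disable a specific principal identified in the review above.
# Update-MgServicePrincipal -ServicePrincipalId <objectId> -AccountEnabled:$false
```

Sign-in and audit events for these principals are available in the Entra ID sign-in logs (service principal sign-ins) and the unified audit log, which is where the "audited through your tenant's logs" claim is checked.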
Network Security
What network ports or inbound connections does Sensei IQ require?
Sensei IQ does not require any inbound network connections to Sensei-operated infrastructure. It operates entirely within Microsoft's Power Platform trust boundary using standard M365 HTTPS/TLS connectivity.
Does Sensei IQ expose any APIs or webhooks on the internet?
No. Sensei IQ does not operate internet-exposed endpoints. All communication is outbound from within your tenant to Microsoft services.
Application Security
What security standards does Sensei follow in development?
Sensei follows the Microsoft Security Development Lifecycle (SDL). All code changes require peer-reviewed pull requests. Automated scanning (CredScan, BinSkim, ESLint, CodeQL) runs on every build. See Development Practices for details.
Has Sensei IQ undergone third-party security testing?
Sensei IQ undergoes regular static analysis scanning. Clients who wish to conduct security testing against Sensei IQ in their own environment are welcome to do so — because Sensei IQ runs in your tenant, you can engage a third-party assessor to test your own environment without requiring Sensei's involvement or approval.
Does Sensei use AI in the product or in development?
Sensei IQ does not currently embed AI capabilities in the product itself. Internally, Sensei's development team uses productivity tools including GitHub Copilot and Microsoft 365 Copilot. All AI tool usage in development is governed by Sensei's AI policy, which requires human review of AI-generated code before it is committed.
Compliance & Certifications
Does Sensei have a SOC 2 report?
Sensei Project Solutions does not independently hold a SOC 2 certification. However, because Sensei IQ runs on Microsoft Power Platform and Dataverse, it operates within infrastructure that is covered by Microsoft's SOC 2 Type II certification. Microsoft's compliance reports are available through the Microsoft Service Trust Portal.
What compliance frameworks does Sensei IQ support?
Through Microsoft's platform, Sensei IQ operates within an environment that supports SOC 1/2, ISO 27001, ISO 27018, GDPR, HIPAA/HITECH (with a Microsoft Business Associate Agreement), FedRAMP, and more. The applicable coverage depends on your organization's Microsoft 365 licensing and configuration. See Compliance for more detail.
Is Sensei IQ GDPR compliant?
Sensei IQ is designed with GDPR principles in mind. Your organization is the data controller for Sensei IQ data. Sensei is not a data processor — Sensei IQ operates within your environment and Sensei does not receive your data. GDPR controls (data minimization, retention, right to erasure) are exercised through your Microsoft tenant tools.
Incident Response & Business Continuity
How does Sensei respond to security incidents?
Sensei maintains a documented incident response process covering detection, containment, escalation, assessment, remediation, notification, and post-incident review. For incidents involving client tenant data, the primary response capability lies with the client's own security tools (Microsoft Purview, Defender, Entra ID). See Incident Response for details.
What is Sensei's business continuity and disaster recovery plan?
Sensei maintains quarterly release backups including source code, deployment artifacts, CI/CD pipeline definitions, and release documentation. This enables recovery from build infrastructure failures, repository incidents, or the need to roll back to a known-good release state.
For client data, business continuity and disaster recovery are handled through Microsoft Power Platform's built-in environment backup and point-in-time restore capabilities, which your administrators control.
What is Sensei's uptime SLA?
Sensei IQ's availability is governed by Microsoft's Power Platform service SLAs. Sensei does not operate infrastructure with a separate uptime commitment.
Vendor Risk & Subprocessors
Does Sensei share my data with subprocessors or third parties?
No. Sensei does not receive, store, or share your organizational data. There are no subprocessors that handle client data on Sensei's behalf. Sensei IQ's only external dependencies are Microsoft platform services (Power Platform, Dataverse, Azure) — all of which operate within your own tenant.
What cloud providers does Sensei use?
For Sensei's own internal operations (development, source control, email, corporate systems), Sensei uses Microsoft 365 and GitHub Enterprise. Sensei does not use other cloud providers to deliver Sensei IQ.
Right to Audit & Penetration Testing
Can we audit Sensei IQ?
Because Sensei IQ runs in your own tenant, your organization's auditors have direct access to the relevant logs and controls via Microsoft Purview, Power Platform Admin Center, and Entra ID.
Can we conduct a penetration test?
Because Sensei IQ is installed in your tenant, your organization can engage a third-party assessor to test your own Power Platform environment. This does not require Sensei's involvement — you own the environment. Sensei does not conduct penetration tests against client environments, as each client's security configuration is unique and those tests are most meaningful when scoped to the client's actual environment.
Download
For a printable version formatted for vendor review workflows, download the Sensei IQ Vendor Security Questionnaire (DOCX).