Frequently Asked Questions:
General Security Policies
Q: Does Sensei IQ store customer data?
A: No, Sensei IQ does not host or store customer data. All data remains within the customer’s Microsoft 365 tenant.
Q: What security policies and procedures does Sensei IQ follow?
A: Sensei IQ follows Microsoft's Security Development Lifecycle (SDL) practices and adheres to Microsoft’s built-in security measures for Power Platform applications. More information here.
Q: Does Sensei IQ comply with cybersecurity incident reporting requirements?
A: Sensei IQ does not host customer data, but in the event of a security issue affecting our application, we will communicate with affected parties according to our incident response plan.
Q: Does Sensei IQ encrypt customer data at rest and in transit?
A: Yes, Sensei IQ operates within the Microsoft 365 ecosystem, where data encryption is enforced at all times by Microsoft.
Q: Does Sensei carry cyber liability insurance?
A: Yes, Sensei carries a cyber liability insurance policy. Documentation can be provided upon request.
Q: Does Sensei IQ adhere to cloud security frameworks such as NIST 800-53?
A: Sensei IQ operates entirely within Microsoft’s cloud infrastructure, which aligns with NIST 800-53 and other security compliance frameworks.
Q: Is Sensei IQ classified as a SaaS, PaaS, or IaaS solution?
A: None of the above. Sensei IQ is a solution deployed within the customer's Microsoft 365 tenant. It does not require separate hosting infrastructure.
Q: Has Sensei IQ undergone SOC 2 or HITRUST assessments?
A: Sensei IQ itself has not undergone SOC 2 or HITRUST assessments, but it operates within Microsoft 365, which maintains SOC 2 Type II, ISO 27001, and other industry certifications.
Q: Does Sensei IQ require NDA agreements for customers?
A: Yes, NDA agreements can be signed upon request. Sensei employees comply with confidentiality agreements as part of their employment contracts.
Q: Does Sensei IQ follow access control policies aligned with security frameworks?
A: Yes, Sensei IQ enforces access control policies via Microsoft Entra ID and role-based security within Power Apps. See the next section; more information here.
Access Control & Authentication
Q: How does Sensei IQ manage user authentication?
A: Sensei IQ leverages Microsoft Entra ID for authentication, utilizing OAuth and optional multi-factor authentication (MFA) to ensure secure access control.
Q: Does Sensei IQ enforce role-based access control (RBAC)?
A: Yes, Sensei IQ applies role-based security using Power Apps' built-in role-based access controls (RBAC) scoped to the specific environment.
Q: Does Sensei IQ support SAML 2.0 authentication with Microsoft Entra?
A: Yes, all authentication is handled by Microsoft Entra ID or customer-managed third-party identity solutions.
Q: Does Sensei IQ provide documentation on how access is granted and approved?
A: Yes. Any Sensei consultant assigned to a client project is known to the client and is provided credentials by the client to access the customer’s M365 environment.
Security Monitoring & Compliance
Q: Does Sensei IQ perform security monitoring?
A: Microsoft 365 provides extensive security monitoring, including intrusion detection and prevention systems (IDS/IPS). Sensei IQ relies on Microsoft’s security infrastructure for event detection and response.
Q: How does Sensei IQ ensure secure software development?
A: We employ multiple peer code reviews and regular OWASP reviews to ensure security best practices are followed. More information here.
Q: Has Sensei IQ obtained security compliance certifications such as ISO 27001 or SOC 2?
A: Sensei IQ itself does not hold these certifications, but Microsoft 365 services, where Sensei IQ operates, maintain compliance with ISO 27001, SOC 2, and other industry standards.
Q: Why doesn't Sensei IQ have these types of certifications and reports?
A: Sensei IQ does not require a SOC 2 Type 2 report because it operates entirely within your organization’s own Microsoft 365 tenant—not in an environment hosted or managed by Sensei.
When you deploy Sensei IQ, all data remains within your own Microsoft Power Platform environment (Dataverse), secured by your organization’s tenant settings and Microsoft’s industry-leading infrastructure. Sensei does not store, process, or transmit your data outside your Microsoft 365 environment.
While Sensei consultants may be granted access to your environment for implementation, configuration, or support purposes, that access is fully controlled by your organization. We only work within the boundaries and permissions you explicitly assign.
Because:
- You retain full control over your data, identities, and environment
- The application is installed directly in your tenant
- Sensei only accesses environments when authorized by your team
- And the underlying platform (Microsoft Power Platform and Microsoft 365) is already covered by Microsoft’s compliance certifications, including SOC 2, ISO 27001, and FedRAMP
… a separate SOC 2 Type 2 report from Sensei is not applicable.
Instead, customers can rely on Microsoft’s verified compliance coverage (available via the Microsoft Service Trust Portal) and their own internal governance over their tenant. Clients can download SOC 2 Type 2 reports from Microsoft and related documents here: https://servicetrust.microsoft.com/viewpage/SOC
Q: Can Sensei IQ restrict the geographical location of data storage?
A: Microsoft handles all physical storage of customer data. Customers can configure data residency settings through Microsoft compliance controls.
Q: How does Sensei IQ separate customer data?
A: Microsoft partitions customer data within its datacenters. Sensei IQ does not store or process customer data outside of the customer’s M365 tenant.
Incident Response & Risk Management
Q: What is the Sensei approach to cybersecurity incidents?
A: Sensei IQ follows an incident response plan aligned with Microsoft’s best practices. If an issue arises, we follow these steps:
- Detect and report the incident.
- Contain the issue to prevent escalation.
- Assess the impact and notify stakeholders.
- Take corrective action to mitigate risk.
- Review and improve our security processes.
Q: How does Sensei IQ handle data backups and disaster recovery?
A: These services are provided by Microsoft for M365 data. Sensei does not store or process customer data. Microsoft provides more information here.
Q: What happens to customer data if they discontinue use of Sensei IQ?
A: All customer data remains in the customer’s M365 tenant. If a client discontinues use, they retain full control over their data.
Operational and Compliance Procedures
Q: Does Sensei IQ provide tenants with ongoing SLA performance reporting?
A: Sensei IQ runs within the customer’s M365 environment, which Microsoft operates under a service-level agreement (SLA) of ≥99.9% availability.
Q: Does Sensei IQ provide documentation on change management procedures?
A: Yes, the comprehensive Security Policy is accessible here.
Q: How does Sensei IQ handle personnel access to IT infrastructure?
A: Sensei maintains records of all personnel with access to IT infrastructure, including access levels and certifications.
Q: Does Sensei IQ require periodic certification of entitlements for system users and administrators?
A: Yes, all administrative access is reviewed, and background checks are conducted for all employees at time of hire.
For further information, please contact Sensei Support or refer to Microsoft’s security documentation: