Frequently Asked Questions:
General Security Policies
Q: Does Sensei IQ store customer data?
A: No, Sensei IQ does not host or store customer data. All data remains within the customer’s Microsoft 365 tenant.
Q: What security policies and procedures does Sensei IQ follow?
A: Sensei IQ follows Microsoft's Security Development Lifecycle (SDL) practices and adheres to Microsoft’s built-in security measures for Power Platform applications. More information here.
Q: Does Sensei IQ comply with cybersecurity incident reporting requirements?
A: Sensei IQ does not host customer data, but in the event of a security issue affecting our application, we will communicate with affected parties according to our incident response plan.
Q: Does Sensei IQ encrypt customer data at rest and in transit?
A: Yes. Sensei IQ stores nothing itself; all data lives in the customer’s Microsoft 365 tenant and the Power Platform services it runs on, where Microsoft encrypts data at rest and protects data in transit with TLS. These protections are part of the platform and cannot be disabled by Sensei IQ.
Q: Does Sensei carry cyber liability insurance?
A: Yes, Sensei carries a cyber liability insurance policy. Documentation can be provided upon request.
Q: Does Sensei IQ adhere to cloud security frameworks such as NIST 800-53?
A: Sensei IQ itself has not been assessed against NIST SP 800-53. It runs entirely on Microsoft’s cloud infrastructure, whose controls are assessed against NIST SP 800-53 as part of Microsoft’s FedRAMP authorizations; controls that depend on tenant configuration (identity, access policies, data residency) remain the customer’s responsibility.
Q: Is Sensei IQ classified as a SaaS, PaaS, or IaaS solution?
A: None of the above. Sensei IQ is a Power Platform solution installed into the customer’s Microsoft 365 tenant; the underlying platform is Microsoft’s, and Sensei operates no separate hosting infrastructure.
Q: Has Sensei IQ undergone SOC 2 or HITRUST assessments?
A: Sensei IQ itself has not undergone SOC 2 or HITRUST assessments, but it operates within Microsoft 365, which maintains SOC 2 Type II, ISO 27001, and other industry certifications.
Q: Does Sensei IQ require NDA agreements for customers?
A: Yes, NDA agreements can be signed upon request. Sensei employees comply with confidentiality agreements as part of their employment contracts.
Q: Does Sensei IQ follow access control policies aligned with security frameworks?
A: Yes, Sensei IQ enforces access control policies via Microsoft Entra ID and role-based security within Power Apps. See next section, and more information here.
Access Control & Authentication
Q: How does Sensei IQ manage user authentication?
A: Sensei IQ delegates authentication to Microsoft Entra ID using OAuth 2.0 and OpenID Connect; it does not hold or verify user credentials itself. Multi-factor authentication is enforced by the customer’s Entra ID configuration (security defaults or Conditional Access policies), so it applies to Sensei IQ whenever the customer requires it for the tenant or for Power Platform apps.
Q: Does Sensei IQ enforce role-based access control (RBAC)?
A: Yes. Sensei IQ uses the built-in security roles of Power Platform, which are assigned per environment; a role granted in one environment confers no access in another.
Q: Does Sensei IQ support SAML 2.0 authentication with Microsoft Entra?
A: Sensei IQ does not implement SAML itself. All sign-in is handled by Microsoft Entra ID; if the customer has federated Entra ID with a third-party identity provider (for example over SAML 2.0), that federation applies to Sensei IQ as it does to any other Microsoft 365 sign-in.
Q: Does Sensei IQ provide documentation on how access is granted and approved?
A: Yes. Sensei consultants assigned to a client project are known to the client and are provisioned credentials by the client in the customer’s M365 environment, so access is granted, approved and revoked under the customer’s own access-management process rather than by Sensei.
Security Monitoring & Compliance
Q: Does Sensei IQ perform security monitoring?
A: Microsoft 365 provides platform-level security monitoring, including intrusion detection and prevention (IDS/IPS), and Sensei IQ relies on Microsoft’s infrastructure for event detection and response at that layer. Monitoring of activity inside the tenant (for example Power Apps activity recorded in the Microsoft Purview audit log) is available to the customer and is the customer’s responsibility to review.
Q: How does Sensei IQ ensure secure software development?
A: Changes go through multiple peer code reviews and regular reviews against OWASP guidance to ensure security best practices are followed. More information here.
Q: Has Sensei IQ obtained security compliance certifications such as ISO 27001 or SOC 2?
A: Sensei IQ itself does not hold these certifications, but Microsoft 365 services, where Sensei IQ operates, maintain compliance with ISO 27001, SOC 2, and other industry standards.
Q: Can Sensei IQ restrict the geographical location of data storage?
A: Microsoft handles all physical storage of customer data. The storage region is determined by the customer’s Microsoft 365 tenant location and the region selected for each Power Platform environment; customers manage residency through Microsoft’s compliance and admin controls.
Q: How does Sensei IQ separate customer data?
A: Microsoft logically isolates each tenant’s data within its multi-tenant services. Sensei IQ does not store or process customer data outside of the customer’s M365 tenant, so there is no Sensei-operated system in which data from different customers could be co-located.
Incident Response & Risk Management
Q: What is the Sensei approach to cybersecurity incidents?
A: Sensei IQ follows an incident response plan aligned with Microsoft’s best practices. If an issue arises, we follow these steps:
- Detect and report the incident.
- Contain the issue to prevent escalation.
- Assess the impact and notify stakeholders.
- Take corrective action to mitigate risk.
- Review and improve our security processes.
Q: How does Sensei IQ handle data backups and disaster recovery?
A: These services are provided by Microsoft for M365 data. Sensei does not store or process customer data. Microsoft provides more information here.
Q: What happens to customer data if they discontinue use of Sensei IQ?
A: All customer data remains in the customer’s M365 tenant. If a client discontinues use, they retain full control over their data.
Operational and Compliance Procedures
Q: Does Sensei IQ provide tenants with ongoing SLA performance reporting?
A: Sensei IQ does not provide separate SLA reporting, because Sensei operates no hosting infrastructure. Availability is governed by Microsoft’s service-level agreement for the Microsoft 365 and Power Platform services the solution runs on (99.9% availability), and customers can view service health and incident history in the Microsoft 365 admin center.
Q: Does Sensei IQ provide documentation on change management procedures?
A: Yes, the comprehensive Security Policy is accessible here.
Q: How does Sensei IQ handle personnel access to IT infrastructure?
A: Sensei maintains records of all personnel with access to IT infrastructure, including access levels and certifications.
Q: Does Sensei IQ require periodic certification of entitlements for system users and administrators?
A: Yes, all administrative access is reviewed, and background checks are conducted for all employees at time of hire.
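The two answers above about per-environment security roles and periodic certification of entitlements can be checked from the customer side. The following PowerShell script is an added example, not Sensei IQ’s or Microsoft’s own tooling; it assumes the Az.Accounts module, a hypothetical environment URL (https://contoso.crm.dynamics.com) and a caller who is an administrator of that Dataverse environment. It lists each enabled user’s security roles, whether held directly or through a team, writes the full list to a CSV for sign-off, and prints the holders of privileged roles first.

```powershell
# Added example (not Sensei IQ's or Microsoft's code): enumerate Dataverse security
# role assignments in one Power Platform environment, directly and via teams, and
# flag the privileged ones so the list can be certified on a schedule.
# Assumptions: Az.Accounts is installed, the caller has System Administrator rights
# in the environment, and the environment URL below is a placeholder.
$EnvUrl = "https://contoso.crm.dynamics.com"
$PrivilegedRoles = @("System Administrator", "System Customizer")

# Delegated token for the Dataverse Web API (interactive sign-in).
# Newer Az.Accounts versions may return the token as a SecureString; convert if so.
Connect-AzAccount | Out-Null
$token = (Get-AzAccessToken -ResourceUrl $EnvUrl).Token
if ($token -is [securestring]) {
    $token = [System.Net.NetworkCredential]::new("", $token).Password
}
$headers = @{
    Authorization      = "Bearer $token"
    "OData-MaxVersion" = "4.0"
    "OData-Version"    = "4.0"
    Accept             = "application/json"
}

# Follow @odata.nextLink so environments with more than one page of rows are covered.
function Get-DataverseRows([string]$Uri) {
    $rows = @()
    while ($Uri) {
        $page = Invoke-RestMethod -Uri $Uri -Headers $headers -Method Get
        $rows += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $rows
}

# Enabled interactive users (application users excluded) with their direct roles.
$users = Get-DataverseRows ("$EnvUrl/api/data/v9.2/systemusers" +
    '?$select=fullname,internalemailaddress' +
    '&$filter=isdisabled eq false and applicationid eq null' +
    '&$expand=systemuserroles_association($select=name)')

# Teams carry roles too: expand each team's roles and its members.
$teams = Get-DataverseRows ("$EnvUrl/api/data/v9.2/teams" +
    '?$select=name' +
    '&$expand=teamroles_association($select=name),teammembership_association($select=internalemailaddress)')

# One row per (user, role, source) for the reviewer.
$direct = @(foreach ($u in $users) {
    foreach ($r in $u.systemuserroles_association) {
        [pscustomobject]@{ User = $u.internalemailaddress; Role = $r.name; Via = "direct" }
    }
})
$viaTeam = @(foreach ($t in $teams) {
    foreach ($m in $t.teammembership_association) {
        foreach ($r in $t.teamroles_association) {
            [pscustomobject]@{ User = $m.internalemailaddress; Role = $r.name; Via = "team:$($t.name)" }
        }
    }
})
$report = $direct + $viaTeam

# Full entitlement list for sign-off by the reviewer.
$report | Sort-Object User, Role |
    Export-Csv -NoTypeInformation -Path ".\dataverse-entitlements.csv"

# Privileged holders first: these are the assignments a certification should scrutinise.
$report | Where-Object { $PrivilegedRoles -contains $_.Role } |
    Sort-Object User | Format-Table User, Role, Via -AutoSize
```

Take the environment URL from the Power Platform admin center, run the script per environment as part of each review cycle, and keep the CSV with the reviewer’s sign-off; a user who appears with a privileged role only via a team is a common blind spot when reviews look at direct assignments alone.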
For further information, please contact Sensei Support or refer to Microsoft’s security documentation.