    Security & Trust

    At Sensei Project Solutions, security and trust are foundational to everything we build. As a longstanding Microsoft partner, we align our policies and architecture with the Microsoft Trusted Cloud principles: Security, Privacy, Compliance, and Transparency.

    These articles outline the policies, practices, and technical measures Sensei employs to protect customer data, maintain regulatory compliance, and uphold the highest standards of software security in the development and delivery of Sensei IQ, our modern project and portfolio management solution built on Microsoft Power Platform.

    Responsibility

    Sensei IQ is developed using Microsoft Power Apps and Microsoft Dataverse, both of which operate within the Microsoft 365 ecosystem. This environment provides enterprise-grade security, compliance, and resiliency by default. While Microsoft secures the cloud infrastructure and platform services (such as identity, networking, physical hardware, and platform compliance), Sensei is responsible for:

    • Developing secure, compliant custom solutions on top of Microsoft Power Platform
    • Securing custom components (such as Power Apps Component Framework controls)
    • Ensuring secure coding practices across the entire development lifecycle

    Customers retain control over their own Microsoft 365 environments, including user accounts, authentication settings (such as MFA), and the lifecycle of any service principals authorized to integrate with Sensei IQ.

    Identity as the Security Perimeter

    Modern cloud security requires a shift from perimeter-based models to identity-centric controls. Sensei IQ embraces this model fully:

    • Authentication is handled through Microsoft Entra ID (formerly Azure Active Directory), using OAuth protocols
    • Support for MFA is built-in through Microsoft identity policies
    • Authorization is managed through Dataverse security roles scoped to the Power Platform environment
    • Service principal access can be revoked at any time by customers, ensuring full control over trust relationships

    Customer administrators maintain control of credentials, permissions, and app-level access. At no time does Sensei assume control over customer-managed identities.

    Secure Code Policy

    The Sensei development team adheres to Microsoft’s Security Development Lifecycle (SDL), embedding security into every phase of the software lifecycle. Key practices include:

    • Threat modeling and risk analysis during design
    • Input validation, output encoding, and use of parameterized queries to prevent injection attacks
    • XSS and CSRF protection using Power Platform's built-in features
    • Security-focused code reviews for all new features and changes
    • Static analysis and credential scanning using Azure DevOps tools like CredScan, ESLint, and BinSkim

    Our developers receive regular training on OWASP Top Ten vulnerabilities and other secure coding standards to stay ahead of emerging threats. More detail on our secure development policy can be found here.

    Data Protection and Privacy

    Sensei is committed to the highest standards of data privacy. While Sensei IQ runs within the client Microsoft 365 tenant and uses Dataverse for storage, we also take care to minimize and protect any data accessed during integrations or support activities. Key principles include:

    • Never disclosing confidential information without explicit approval.
    • Ensuring access to data is restricted to authorized personnel only.
    • Exercising caution and limiting disclosure to a ‘need-to-know’ basis.
    • Disabling access for former employees and revoking credentials.

    We comply with data handling principles required under major global regulations, including:

    • GDPR (General Data Protection Regulation).
    • Microsoft data processing terms and commitments.

    Additional considerations regarding client data can be found here.

    GDPR and Global Compliance

    Sensei IQ has been designed with compliance in mind. We align our processes and product architecture with the requirements of GDPR, even for customers located outside of the EU. We follow best practices for:

    • Data minimization: Collecting only the data needed for a specific function.
    • Lawful processing: Performing data access only for legitimate, customer-approved activities.
    • Right to erasure and access: Ensuring data can be deleted or reviewed as requested by the client.

    Our development team regularly reviews Microsoft’s updates on compliance obligations and product changes related to regional data regulations.

    Transparency and Customer Trust

    Transparency is essential to our approach. We openly share our security policies, updates, and practices with customers. Key efforts include:

    • Security Overview (this document)
    • Trust communications via Microsoft 365 Message Center notifications (where relevant to Sensei IQ dependencies)
    • Security Policy
    • FAQ
    • Other Policies

    These artifacts serve as the Trust Center for Sensei Project Solutions to centralize key resources, FAQs, policy updates, and compliance information for Sensei IQ customers.

    Hosting and Architecture

    Unlike legacy solutions that relied on custom Azure services, Sensei IQ is now built directly on Microsoft Power Platform using:

    • Dataverse as the secure, managed database.
    • Model-driven and Canvas Power Apps for user experiences.
    • Power Automate for secure process orchestration.
    • Azure DevOps for CI/CD with integrated security tooling.

    By building within Microsoft’s secure cloud, Sensei IQ inherits the same protections Microsoft applies to its own services.

    Credential and Access Management

    For integrations, updates, and deployments, Sensei uses Azure service principals registered within each customer’s tenant, with the customer’s approval:

    • Service principals are registered with least privilege permissions.
    • Secrets are stored securely in Azure Key Vault and are never transmitted outside Sensei’s product development security perimeter.
    • Access can be revoked at any time by the customer.

    All access is logged and periodically reviewed.

    Commitment to Ongoing Security

    Sensei is committed to a culture of continuous security improvement:

    • Regular training on security risks and coding practices.
    • DevSecOps integration throughout our development pipeline.
    • Periodic security audits and code reviews.
    • Encouragement for our team to obtain security certifications.

    We actively follow updates to Microsoft SDL, OWASP Top Ten, and Microsoft 365 roadmap changes that impact data security or compliance.

    Thank you for your partnership

    Security is not a checkbox — it is a continuous, evolving responsibility. At Sensei, we recognize that trust is earned and maintained through transparency, accountability, and a shared responsibility model with our customers.

    Sensei IQ is built to be secure by design, continuously monitored, and aligned with Microsoft’s world-class cloud infrastructure. Our team is dedicated to protecting your data, supporting your compliance needs, and delivering a trusted, resilient platform for modern project and portfolio management.

    Copyright © Sensei Project Solutions