Your data, your control.
Every detail, right here.
This page is for your security team, your compliance officer, or any examiner who wants to verify exactly what sEyeber Hub reads from your Microsoft environment, how it is protected, what is stored, and how you take it all back. No jargon. No surprises.
Six categories — all read-only, all optional except one.
sEyeber Hub reads your Microsoft security configuration across six plain-language categories. Your Microsoft Global Administrator approves access before any scan begins. All six are on by default; you can turn off any of the optional five before approving. The first category — confirming which organization we're connected to — is required and cannot be turned off.
We confirm which organization we're connected to, which Microsoft licenses are active, and who holds administrator roles — including whether those accounts are permanently assigned or only activated when needed.
We read user accounts, which second-factor methods each person uses (type only — never the phone number or code behind it), and any accounts Microsoft has flagged as risky. We read method types, never credentials.
We read which third-party applications your users have connected to Microsoft 365 and what each one is permitted to access. This is where unauthorized AI tools typically appear.
We read your Conditional Access rules — who can sign in, from where, and under what conditions. These policies are the front line of access control and the place where small gaps become large exposures.
We read your device inventory — which laptops and phones are enrolled, whether they're encrypted and compliant, and which apps are deployed to them. We read compliance state, not device contents.
We read what Microsoft already flags — active alerts, incidents, your Secure Score trend, sensitivity label coverage, and which SharePoint sites are configured for broad sharing. We read site inventory, never document contents.
What happens between Microsoft and your report.
From the moment data leaves your Microsoft environment, it is protected at every step before it reaches your report. Here is exactly what happens.
Your data, kept only as long as it serves you.
sEyeber Hub stores only what is needed to deliver your reports, findings, and compliance record. We do not retain raw evidence indefinitely. Here is exactly what is kept, and for how long.
Your data lives in your own private, encrypted vault — entirely separate from every other firm. Your scan data is not pooled, not shared, and not accessible to any other customer of sEyeber Hub.
Your encryption keys are held in Microsoft Azure Key Vault — a Microsoft-managed service outside our application layer. A breach of sEyeber Hub's systems alone cannot decrypt your stored data.
AI that works for you — and only you.
sEyeber Hub uses AI to generate findings, narrative summaries, and recommended next steps. Every AI operation is scoped to your organization only.
Your scan data is never used to train shared AI models. It does not become context for another firm's analysis. It does not leave your organizational boundary during AI processing.
This design follows the NIST AI Risk Management Framework — the federal standard for responsible AI governance — which is built into our product architecture, not layered on afterward.
Disconnect anytime. No call. No ticket. No waiting.
You do not need sEyeber Hub's involvement to revoke our access. Two paths, both immediate, both entirely in your hands.
Go to Settings → Microsoft Connection → Disconnect. Access is revoked immediately. New scans stop at once.
Remove the sEyeber Hub enterprise application from your Microsoft Entra admin center. This works completely independently of us — you do not need to log into sEyeber Hub at all.
Ready to see what's in your environment?
Read-only. Encrypted. In your hands from day one. No surprises — just the facts your firm needs to stay ahead of the next exam.
Questions? Email security@seyeberhub.com — our team reviews every message.
Diligence questions
What security and compliance teams ask us most
For the full list, see the FAQ. For the emotional trust overview, see Trust & Security.
Who has to approve the Microsoft connection?
A Microsoft Global Administrator or Privileged Role Administrator must approve the connection on behalf of your organization. Microsoft shows its own approval screen listing every permission before your admin approves. sEyeber Hub cannot bypass or pre-approve this step.
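A reviewer can check the read-only claim independently once consent is granted. The following is an added example, not sEyeber Hub's code: it classifies the permissions held by an enterprise application and flags anything that is not read-only. The grant records are constructed sample data shaped like Microsoft Graph exports and are not the product's actual permission list.

```python
# Added example: audit the permissions granted to an enterprise application.
# SAMPLE_GRANTS is CONSTRUCTED data shaped like Microsoft Graph exports
# (appRoleAssignments with role ids already resolved to names, and
# oauth2PermissionGrants with their space-separated "scope" string).
# It is not the vendor's real grant list.

SAMPLE_GRANTS = [
    {"kind": "application", "permission": "Organization.Read.All"},
    {"kind": "application", "permission": "Policy.Read.All"},
    {"kind": "application", "permission": "Sites.Read.All"},
    {"kind": "delegated", "scope": "User.Read openid profile"},
]

SIGN_IN_SCOPES = {"openid", "profile", "email"}   # identity only, no tenant data
READ_SEGMENTS = {"Read", "ReadBasic"}             # exact dot-separated segments


def classify(permission):
    """Default deny: only names with an exact Read segment count as read-only."""
    if permission in SIGN_IN_SCOPES:
        return "sign-in"
    # "ReadWrite" is a different segment from "Read", so it falls to review.
    segments = set(permission.split("."))
    return "read-only" if READ_SEGMENTS & segments else "review"


def expand(grant):
    """Delegated grants carry several scopes in one string; split them out."""
    if grant["kind"] == "delegated":
        return grant["scope"].split()
    return [grant["permission"]]


def audit(grants):
    """Return one finding per individual permission."""
    return [
        {"kind": g["kind"], "permission": name, "verdict": classify(name)}
        for g in grants
        for name in expand(g)
    ]


def needs_review(grants):
    """Permissions a reviewer should question before or after consent."""
    return [f["permission"] for f in audit(grants) if f["verdict"] == "review"]


if __name__ == "__main__":
    for finding in audit(SAMPLE_GRANTS):
        print(finding)
```

Running the same check on a schedule catches permission drift, for example a later consent that adds a write-capable permission.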
Can we approve only some of the six categories and not others?
Yes. Before your admin approves, each of the five optional categories can be individually turned off. The first category — confirming your organization identity and license state — is required and cannot be turned off, because it is how we verify which organization we are connected to. Any category you exclude will be marked "Excluded by you" in your report rather than silently omitted.
Does sEyeber Hub have access to SharePoint files?
The Microsoft permission we use for SharePoint is technically capable of reading file contents — but sEyeber Hub does not use that capability. We read only your site inventory and sharing settings (which sites exist, how they are configured for sharing). We do not read, access, or store the contents of any SharePoint document. This is enforced by our field allow-list and verified by automated tests on every release.
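What a field allow-list with a release test looks like in practice, as an added example that is not sEyeber Hub's implementation: a default-deny projection keeps only named fields from a site record, and a second function reports anything the list does not cover. The field names and the sample record are hypothetical and constructed for illustration.

```python
# Added example: default-deny field allow-list for a site inventory record.
# ALLOWED_SITE_FIELDS and SAMPLE_RAW_SITE are hypothetical and CONSTRUCTED;
# they do not reproduce the vendor's schema or any real tenant data.

ALLOWED_SITE_FIELDS = {
    "id": True,
    "displayName": True,
    "webUrl": True,
    "sharing": {"capability": True, "anonymousLinksEnabled": True},
}

SAMPLE_RAW_SITE = {
    "id": "site-001",
    "displayName": "Client Onboarding",
    "webUrl": "https://example.invalid/sites/onboarding",
    "sharing": {"capability": "ExternalUserSharingOnly",
                "anonymousLinksEnabled": False,
                "internalNote": "constructed"},
    "drive": {"items": [{"name": "fee-schedule.xlsx", "content": "constructed"}]},
}

SCALARS = (str, int, float, bool, type(None))


def project(record, allowed):
    """Copy only allow-listed fields; anything not named is dropped."""
    kept = {}
    for key, rule in allowed.items():
        if key not in record:
            continue
        value = record[key]
        if rule is True:
            # Leaves must be scalars so nested content cannot ride along.
            if isinstance(value, SCALARS):
                kept[key] = value
        elif isinstance(value, dict):
            kept[key] = project(value, rule)
    return kept


def leaked_paths(record, allowed, prefix=""):
    """List every field path in record that the allow-list does not cover."""
    leaks = []
    for key, value in record.items():
        rule = allowed.get(key)
        if rule is None or (rule is True and not isinstance(value, SCALARS)):
            leaks.append(prefix + key)
        elif isinstance(rule, dict) and isinstance(value, dict):
            leaks += leaked_paths(value, rule, prefix + key + ".")
    return leaks
```

A release test asserts that `leaked_paths` returns an empty list for every record that has passed through `project`, so a new upstream field fails the build instead of reaching storage.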
What happens to our data if we cancel our subscription?
Your findings, scores, and compliance documentation are available to export at any time. After cancellation, your data is retained per the applicable retention schedule (minimum 5 years to meet SEC Rule 204-2), then removed. Nothing is deleted ahead of schedule without your explicit instruction.