Security Statement
This Security Statement describes the technical and organisational measures LataSys Limited has in place to protect customer data processed by M365 Quarantine. It supports the security commitments set out in the Data Processing Agreement and answers Microsoft 365 Publisher Attestation questions across data handling, security, and compliance.
Effective 2 July 2026 · LataSys Limited (UK Co. No. 17261093)
1. Where data is processed
M365 Quarantine runs on Microsoft Azure in the UK South region. Primary processing of Customer Data — including the Postgres database, App Service application instances, the Container App running the Exchange Online worker, and Application Insights telemetry — takes place inside Azure UK South. Limited operational and support data may be processed by Microsoft and our other sub-processors outside the UK; see the sub-processor table.
2. Encryption
- In transit: TLS 1.2+ enforced for all client connections, all API calls between our components, and all calls to Microsoft Graph / Exchange Online. Strict-Transport-Security headers set.
- At rest: Postgres storage encryption is provided by Azure Database for PostgreSQL Flexible Server (Microsoft-managed keys). Application secrets are stored in Azure Key Vault.
- Tokens: bearer tokens are stored in browser localStorage only and are scoped to the API audience. No long-lived secrets are stored on customer devices.
3. Identity and access
- Customer admins and end users authenticate via their organisation's Microsoft Entra ID. We do not run our own password database.
- Server-side authorisation enforces tenant isolation on every authenticated request. A user can only ever see quarantine items for their own mailbox, regardless of any client-side manipulation.
- Internal access by LataSys Limited staff is gated by Entra ID app roles (TenantAdmin, VendorAdmin, SupportAdmin) and is least-privilege.
- All administrative actions are recorded in the audit log.
4. Audit logging
Every authenticated request and every state-changing administrative action is recorded in an append-only audit log with timestamp, correlation id, actor identity, action, result, and where applicable the target identifier. Customer admins can view their tenant's audit log in the portal. The manufacturer audit search covers cross-tenant events. Audit records are retained per the Privacy Notice.
5. Vulnerability management
- Application dependencies are scanned during CI; GitHub Dependabot watches the npm graph.
- Container images are rebuilt from current base images on each deployment.
- OS patching for the underlying App Service / Container Apps is handled by Microsoft Azure on the platform-as-a-service surface.
- Application secrets rotate via Azure Key Vault references.
6. Availability and resilience
The platform runs on Azure App Service (API + admin portal) and Azure
Container Apps (Exchange Online worker), backed by Azure Database for
PostgreSQL Flexible Server. Synthetic availability probes from five
Azure regions hit /health every five minutes. Critical-
severity alerts route to an Action Group via Azure Monitor. Detailed
service targets are in our Service Level
Agreement.
7. Incident response
LataSys Limited will notify the Customer of any personal-data breach affecting Customer Data without undue delay and, where feasible, within 72 hours of becoming aware. Notification includes the information required by UK GDPR Art 33(3) to the extent then known. For non-data-protection incidents (e.g. service outages), customer admins are notified through the portal Alerts page and the registered administrator email.
8. Personnel
LataSys Limited staff with access to Customer Data are subject to a binding duty of confidentiality. Background-check level and training cadence are reviewed annually.
9. Microsoft 365 App Publisher Attestation
LataSys Limited has completed (or is in the process of completing) the Microsoft 365 Publisher Attestation across the four scope areas: Data Handling, Security, Compliance, and Legal. The completed attestation is published on the Microsoft 365 app's Marketplace listing. Microsoft 365 App Certification (the deeper assessment against the Certification Specification) is on the roadmap.
10. Compliance with applicable law
LataSys Limited is registered with the UK Information Commissioner's Office and complies with the UK GDPR and the Data Protection Act 2018. Where the Customer is established in the EEA, we comply with EU GDPR via the equivalent terms in our DPA. We do not knowingly process special category data (UK GDPR Art 9); customers must not configure or use the service for processing such data.
11. Reporting a security issue
Suspected vulnerabilities can be reported to security [at] latasys [dot] com — we acknowledge reports within two business days and provide a substantive response within ten business days.