Security & Trust

Security Practices

Polaris's clients trust us with access to their Microsoft 365 environments — some of the most sensitive data in existence. We take that trust seriously. This page documents how we protect client data, the security standards we hold ourselves to, our certification roadmap, and how to report a security concern.

Last reviewed: February 2026
Contact: security@polarisgovernance.com

SOC 2 Type II Commitment

Polaris is actively pursuing SOC 2 Type II certification with an independent licensed CPA firm. The audit covers the Security, Availability, and Confidentiality trust service criteria — the three criteria most relevant to enterprise clients evaluating Governance Hub 365 as a vendor. The observation period begins Q2 2026 and the report is expected Q4 2026.

We understand that SOC 2 Type II is a binary requirement for many Fortune 500 procurement processes. While our audit is in progress, we provide the following to qualified prospective clients: (a) our current security controls documentation, (b) a security questionnaire response package (CAIQ-Lite format), and (c) virtual security review sessions with our CTO. Contact security@polarisgovernance.com to request these materials.

Certifications and Compliance

Current certification status and our roadmap to full enterprise certification coverage.

SOC 2 Type II (In Progress)

Polaris has engaged a licensed CPA firm to conduct a SOC 2 Type II audit covering the Security, Availability, and Confidentiality trust service criteria. The audit observation period begins Q2 2026 with the report expected Q4 2026.

Target completion: Q4 2026

ISO 27001:2022 (Planned)

Following SOC 2 Type II completion, Polaris will pursue ISO 27001:2022 certification to address international client requirements, particularly for European clients subject to GDPR and multinational enterprise buyers.

Target completion: Q2 2027

Microsoft Azure Infrastructure Compliance (Active)

All Polaris production infrastructure runs on Microsoft Azure, which maintains SOC 2 Type II, ISO 27001, ISO 27018, ISO 27701, FedRAMP High, PCI DSS, and HIPAA BAA coverage. Polaris inherits these infrastructure-level certifications as an Azure customer.

Microsoft Partner Network (Active)

Polaris is an active Microsoft Partner with Gold Productivity competency, requiring demonstrated customer success and technical skill in Microsoft 365 governance and security solutions.

GDPR Data Processing Compliance (Active)

Polaris maintains a Data Processing Agreement (DPA) for clients whose use of the Services involves processing of personal data subject to GDPR. The DPA incorporates Standard Contractual Clauses (SCCs) for international data transfers.

HIPAA Business Associate Agreement (Active)

For healthcare clients subject to HIPAA, Polaris executes a Business Associate Agreement (BAA) prior to any access to environments that may contain Protected Health Information. Microsoft Azure's HIPAA BAA covers the underlying infrastructure.

Security Controls

Detailed security controls organized by domain. Enterprise prospects may request our full CAIQ-Lite security questionnaire responses for use in vendor qualification processes.

Data Encryption

  • All data in transit encrypted with TLS 1.2 or higher — TLS 1.3 enforced where supported
  • All data at rest encrypted using AES-256 encryption via Azure Storage Service Encryption
  • Database encryption using Azure Transparent Data Encryption (TDE) with customer-managed keys in Azure Key Vault
  • End-to-end encryption for all API communications between Governance Hub 365 components
  • Key management using Azure Key Vault with Hardware Security Module (HSM) backing
  • TLS certificate management with automated renewal — minimum RSA-2048 or ECDSA P-256

Identity and Access Controls

  • Authentication via Microsoft Entra ID — no custom credential stores
  • Multi-factor authentication (MFA) enforced for all Polaris staff and required for all client platform users
  • Conditional Access policies enforcing compliant device and location requirements for sensitive operations
  • Privileged Identity Management (PIM) for just-in-time elevation to administrative roles
  • Role-Based Access Control (RBAC) implementing least-privilege across all platform components
  • Quarterly access reviews for all staff and system accounts with automatic deprovisioning on departure
  • Segregation of duties for production environment access — separate engineering and operations roles
  • All service-to-service authentication uses managed identities — no stored credentials

Client Tenant Data Handling

  • Microsoft 365 tenant data accessed only via Microsoft Graph API with minimum necessary permissions
  • Required Graph API permissions documented for each service feature — no excess permission grants
  • Client tenant data isolated per-tenant — no cross-tenant data commingling in any storage layer
  • Governance Hub 365 does not access individual user email content, file content, or message content without explicit written authorization
  • Tenant metadata and analytics data stored in Azure SQL with tenant-scoped row-level security
  • Client data export available at any time through the platform — data portability guaranteed
  • Data retention: client tenant data deleted 90 days after subscription termination; immediately upon request
  • Data residency: all production data stored in US Azure regions; EU clients can request EU data residency

Infrastructure Security

  • All infrastructure hosted on Microsoft Azure — SOC 2 Type II, ISO 27001, FedRAMP High certified
  • Network security enforced via Azure Virtual Network with private endpoints for all data-plane services
  • No public network access to Azure SQL, Key Vault, or Storage — all traffic through private endpoints
  • Web Application Firewall (WAF) via Azure Front Door on all public-facing endpoints
  • DDoS Protection Standard enabled on production Virtual Networks
  • Vulnerability scanning performed weekly on all infrastructure using Azure Defender for Cloud
  • Container and dependency scanning integrated into CI/CD pipeline — builds fail on Critical/High CVEs
  • Infrastructure defined as code (Bicep) — no manual console configuration, all changes audited

Secure Development

  • Secure development lifecycle (SDL) with security review gates at design, code review, and deployment
  • Static application security testing (SAST) integrated into every pull request via GitHub Advanced Security
  • Dependency vulnerability scanning using Dependabot — automated patching for non-breaking updates
  • All code changes require peer review by a second engineer before merge to main branch
  • Branch protection on main — direct pushes prohibited; signed commits required
  • Secrets detection scanning on every commit — AWS, Azure, and GitHub credential patterns blocked
  • API authentication tested as part of every CI/CD pipeline run
  • Penetration testing conducted annually by independent security firm

Monitoring and Audit Logging

  • Comprehensive audit logging for all platform actions including authentication, data access, configuration changes, and administrative operations
  • Audit logs immutable and retained for 90 days online, 12 months in cold storage, 7 years in archive
  • Security Information and Event Management (SIEM) via Microsoft Sentinel with 24/7 alert monitoring
  • Anomaly detection on authentication patterns — alerting on impossible travel, unusual access times, and bulk data operations
  • Azure Monitor alerts on all critical infrastructure metrics with automated incident creation
  • All staff security alerts triaged within 4 hours; critical incidents escalated immediately

Organizational Security

  • Background verification for all employees with access to production systems or client data
  • Security awareness training for all staff at onboarding and annually thereafter
  • Role-specific security training for engineers, administrators, and client-facing staff
  • Documented information security policy reviewed and updated annually
  • Vendor and subprocessor security review for all third-party services with access to client data
  • Business continuity and disaster recovery plan tested bi-annually
  • Security incidents documented in a formal incident register with root cause analysis

Incident Response

Polaris maintains a documented incident response program aligned to NIST SP 800-61 and the SOC 2 Availability trust service criteria.

Preparation

Incident response plan maintained and tested bi-annually. On-call rotation for security incidents. Runbooks for the 12 most likely incident types.

Detection

Automated alerting via Microsoft Sentinel SIEM. Anomaly detection on authentication, API access, and data operations. 24/7 alert monitoring.

Containment & Eradication

Automated isolation capabilities for compromised accounts. Manual escalation protocols for infrastructure incidents. 4-hour SLA for initial triage of security incidents.

Notification

Client notification within 72 hours of confirmed security incident affecting client data — compliant with GDPR Article 33 and typical enterprise notification requirements.

Incident Notification SLAs

  • 4 hrs: Initial triage and severity classification for all security incidents
  • 24 hrs: Client notification for confirmed incidents potentially affecting client data
  • 72 hrs: Regulatory notification (GDPR, state breach laws) for qualifying incidents

Responsible Disclosure

Polaris welcomes security research and responsible disclosure from the security community. If you believe you have discovered a security vulnerability in the Governance Hub 365 platform or polarisgovernance.com, please follow the responsible disclosure process below.

Disclosure Process

  1. Report: Email security@polarisgovernance.com with a detailed description of the vulnerability, including steps to reproduce, potential impact, and any supporting evidence. PGP encryption is available on request.
  2. Acknowledgment: We will acknowledge receipt within 2 business days and provide an initial severity assessment within 5 business days.
  3. Investigation: We will investigate the reported vulnerability and work to reproduce it in our environment. We will keep you informed of progress.
  4. Remediation: Critical and High severity issues are remediated within 30 days. We will notify you when the fix is deployed.
  5. Disclosure Coordination: We request 90 days to remediate before public disclosure. We will coordinate public disclosure timing with you and credit you for the discovery if desired.

Safe Harbor

Polaris will not pursue legal action against security researchers who comply with this responsible disclosure policy, provided that the research does not involve accessing or modifying client data, does not disrupt production services, and follows coordinated disclosure with Polaris. We appreciate and value the security research community.

Out of Scope

  • Social engineering attacks against Polaris employees or clients
  • Physical security testing of Polaris offices or data center facilities
  • Volumetric denial of service attacks
  • Vulnerabilities in third-party services used by Polaris (report to the third party directly)
  • Issues requiring physical access to end-user devices
  • Findings from automated scanner output without manual validation

Enterprise Security Review

Qualified enterprise prospects can request a virtual security review session with Polaris's CTO, our security questionnaire response package (CAIQ-Lite format), and our latest penetration test executive summary.


Security Contact

  • Security incidents & vulnerabilities: security@polarisgovernance.com
  • Data privacy requests: privacy@polarisgovernance.com
  • Legal and compliance inquiries: legal@polarisgovernance.com