EN FR
SYAGA Consulting Trust Center Don't take our word for it. Check.

Trust Center - Microsoft 365

How do you know we never see your data?

You don't have to take our word for it. Our collector pseudonymises your data on your own machine, before anything is sent: the analysis service only ever receives tokens. And you can check it yourself, in four independent ways.

Our principle: anything a page displays is not proof. Whoever controls the screen controls the message. So the real proofs below are each, individually, outside our control: your tenant, your network, public code, a third-party archive.

The mechanism

Your data never leaves your browser

The collector always follows the same chain. The pseudonymisation key is generated locally and never leaves your machine.

Least privilege

After your consent on the official Microsoft screen, we read your tenant's security configuration, never writing anything to it.

Local pseudonymisation

Names, e-mails, identifiers are replaced with tokens on your machine, before anything is sent.

Only tokens are sent

Only the tokens travel to the analysis service. Your real values stay with you.

Re-contextualisation

The report is re-matched to your real labels locally, in your browser.

Fail-closed: by default, everything is tokenised. Only a handful of public Microsoft configuration values (e.g. Enabled, ExternalUserAndGuestSharing) remain in clear text, because they are needed for the evaluation. An unknown value is tokenised, never the other way round.

The four proofs

Four checks, none of them us

Each proof relies on a different third party, at a different point in time. None of them asks you to simply trust our word.

Checked by: Microsoft

Your tenant, at least privilege

Access is granted via an application built on least privilege (the narrowest permissions Microsoft offers for each scope), granted on the official Microsoft consent screen and revocable at any time. The Service never writes, modifies or deletes anything.

You check: in your own Entra console / Microsoft admin centre, even before paying.
Checked by: your network

A single point of egress

The collector can only reach a single application destination, declared in manifest.json (host_permissions + CSP connect-src). Everything else is Microsoft.

You check: on your own firewall or network capture. These are your bytes, on your own hardware, which we do not control.
Checked by: the community

The code is public

The code that runs on your machine is the code that is published. The boundary is readable: pseudonymize.mjs and the keepClear() function in pseudo_whitelist.mjs. SHA256SUMS fingerprints, reproducible build.

You, or any researcher or competitor, can check: github.com/SYAGA-CONSULTING/syaga-audit-collecteur. Any discrepancy would be publicly exposable.
Checked by: time

A dated archive

The published code is timestamped by an independent third party (Internet Archive), so it can be proven after the fact that what was running was indeed what was declared.

You check: public snapshot dated 4 July 2026 (21:12, Paris time), which you can keep and check independently, without going through us.

In practice

What leaves your machine, and what stays

The boundary is clear: your identities become tokens; only public configuration values remain readable.

What NEVER leaves (tokenised)

User names••••
E-mail addresses••••
Account identifiers••••
Domain names, groups••••

What is sent (tokens + public config)

Each identity, replaced bytoken_a1b2
MFA enabledEnabled
External sharingExternalUser...
One verdict per rulePass / Fail

What isn't public

Our engine stays private - and that's no risk to you

The rule catalogue, the scoring and the reporting engine live server-side.

They aren't needed to check our confidentiality promise: whatever the server does, it only ever receives tokens. That is precisely what the public repository lets you check. Every rule in the catalogue is also tied to an official source: we index what already exists, we invent nothing.