Security First

Enterprise-Grade Security for Your MSP Data

We take read-only seriously. Your Microsoft 365 tokens are encrypted, your emails are never touched, and you can revoke access at any time.

How We Protect Your Data

Every layer of MSP License Tracker is designed around minimal access and maximum encryption.

Read-Only Microsoft Access

We never modify your Microsoft 365 data. OAuth scopes are limited to reading license information, organization details, and sign-in activity — nothing else.

AES-256-GCM Token Encryption

All Microsoft OAuth refresh tokens are encrypted at rest using AES-256-GCM before being written to the database. Tokens are never stored in plain text.

No Email or File Access

Our Microsoft Graph permissions explicitly exclude mailbox contents, SharePoint files, Teams messages, passwords, and payment card numbers.

TLS 1.3 in Transit

All data exchanged between your browser, our servers, and Microsoft Graph APIs is encrypted in transit using modern TLS. Unencrypted HTTP connections are rejected.

Multi-Factor Authentication

MFA is supported via SMS, TOTP authenticator apps, or backup codes through our Clerk authentication provider.

GDPR Ready

Data processing agreements are available on request. User data export and account deletion tools are built in. Contact support@msplicensetracker.com.

Infrastructure Security

The frontend is hosted on Vercel and the PostgreSQL database on Railway. Database connections are restricted to the private network; there is no public database access.

Token Revocation

Revoke Microsoft OAuth consent at any time from your Microsoft admin portal or by removing the tenant inside MSP License Tracker.

SOC 2 Type II (In Progress)

Annual third-party security audits are planned. Compliance documentation and DPAs are available to Enterprise customers upon request.

Exact Microsoft Graph Permissions We Request

No hidden scopes. Here is every permission MSP License Tracker requests and exactly why.

Microsoft Graph OAuth Scopes

Organization.Read.All: Read tenant display name and verified domain
Directory.Read.All: Read users and directory objects
LicenseAssignment.Read.All: Read per-user license assignments
User.Read.All: Read user profiles and sign-in timestamps
offline_access: Maintain a refresh token to sync on your schedule

We never request mail, files, calendar, Teams messages, or write permissions of any kind.
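
To confirm that the consent recorded in a tenant matches the scope list above, this added example (not MSP License Tracker's own code) audits the delegated permission grants that Microsoft Graph returns from `GET /oauth2PermissionGrants`. It assumes the app holds delegated permissions; the service principal id `sp-tracker` and the sample response are constructed placeholders, and the prefix and marker lists are this example's own heuristics.

```python
import json

# Scopes listed on this page, lowercased for case-insensitive comparison.
DOCUMENTED = {s.lower() for s in (
    "Organization.Read.All", "Directory.Read.All",
    "LicenseAssignment.Read.All", "User.Read.All", "offline_access")}
# Heuristics (assumptions of this example): scope families the page says are
# never requested, and name fragments that indicate more than read access.
EXCLUDED_PREFIXES = ("mail.", "mailboxsettings.", "files.", "sites.",
                     "calendars.", "chat.", "channelmessage.")
WRITE_MARKERS = ("write", ".send", ".manage")

# Constructed sample in the shape of a Graph oauth2PermissionGrant collection.
SAMPLE = json.dumps({"value": [
    {"id": "grant-1", "clientId": "sp-tracker", "consentType": "AllPrincipals",
     "scope": "Organization.Read.All Directory.Read.All "
              "LicenseAssignment.Read.All User.Read.All offline_access"},
    {"id": "grant-2", "clientId": "sp-tracker", "consentType": "AllPrincipals",
     "scope": " user.read.all Mail.Read Directory.ReadWrite.All openid"},
    {"id": "grant-3", "clientId": "sp-other", "consentType": "Principal",
     "scope": "Mail.Send"},
]})


def classify(scope):
    """Return 'documented', 'contradicts-page' or 'undocumented'."""
    s = scope.lower()
    if s in DOCUMENTED:
        return "documented"
    if s.startswith(EXCLUDED_PREFIXES) or any(m in s for m in WRITE_MARKERS):
        return "contradicts-page"
    return "undocumented"


def audit_grants(response_json, client_sp_id):
    """List every granted scope of one service principal that is not documented."""
    findings = []
    for grant in json.loads(response_json).get("value", []):
        if grant.get("clientId") != client_sp_id:
            continue  # grant belongs to a different application
        for scope in (grant.get("scope") or "").split():
            verdict = classify(scope)
            if verdict != "documented":
                findings.append((grant["id"], grant.get("consentType"), scope, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE, "sp-tracker"):
        print(*finding, sep="\t")
```

A scope reported as `undocumented` (such as `openid` in the sample) is simply absent from the published list and needs a reviewer's judgment; `contradicts-page` marks a grant that conflicts with the read-only and no-mail claims.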
