Maester Cloud

Security model

Maester Cloud holds your security evidence, so its own security model is deliberately simple to audit.

Dedicated, isolated environments

Every hosted customer gets their own Azure resource group: their own portal, their own API, their own storage account, in the region they chose. There is no shared database and no multi-tenant application tier — a defect or compromise in one customer's stack has no path to another's. The public website and signup system have no access to customer environments; provisioning runs in a separate control plane under its own identity.

Identity: yours, not ours

  • Portal sign-in uses an Entra application registered in your tenant, created by you during setup. It is a public client (PKCE) — no client secret exists — with user assignment required, so only people you assign can authenticate. Your Conditional Access policies apply, because it's your app.
  • The API trusts only your tenant. Every portal request carries a token your tenant issued for your app; the API validates issuer, audience, signature, and tenant on each call. Report uploads are validated the same way — your environment rejects tokens from any other tenant.
  • Workloads use managed identities. Drift-mail sending uses workload identity federation against your mailbox app. Across the entire product there are zero client secrets — nothing to store, rotate, or leak.

Data handling

  • What's stored: your raw report files and the parsed per-test results, in your region, in your environment's storage account.
  • Artifact access: report downloads stream through the authenticated API. We deliberately do not mint shareable storage URLs — a link that outlives the click is a bearer token, and we rejected that design.
  • Billing data stays with Polar (our merchant of record). Our systems keep only your Polar customer id, email, name, plan, and subscription status — no addresses, no payment details.
  • The portal page itself loads before sign-in (standard for single-page apps); it contains no data. Every piece of content requires a validated token from your tenant.

Things you control

  • Who can sign in (app assignment in your Entra tenant).
  • Who can upload (token issuance in your tenant; the upload pipeline label tells you which pipeline sent each run).
  • Admin consent for the two delegated permissions (openid, User.ReadBasic.All) — review them; that's the entire surface.