Maester Maester Cloud
Start now
Legal

Privacy Statement

Your privacy is important to us. This statement explains what data Maester Cloud collects, how we use it, and the choices you have.

Effective date: June 11, 2026

You control your data

Your assessment results belong to you. You can export or delete them at any time.

No advertising, no mining

We never sell your data, use it for advertising, or mine it for purposes beyond providing the service.

Your region, your data

You choose your Azure region at setup. Customer Data stays in that region.

No tenant access

Maester Cloud does not read your Microsoft 365 tenant. You run assessments and send us the results.

Who we are and what this covers

Maester Cloud ("we", "us") provides a hosted history, drift detection, and evidence service for Maester and Microsoft Zero Trust Assessment results. This statement covers the maester.cloud website, the Maester Cloud portal, and related services we operate. It does not cover the open-source Maester project itself, which runs entirely in your own environment, or self-hosted deployments of Maester Cloud, which you operate under your own privacy practices.

Two roles: controller and processor

Like most business services, we handle data in two distinct roles, and your rights differ depending on which applies.

Customer Data — we are the processor. The assessment results, reports, configuration, and accepted-risk decisions your organization sends to your Maester Cloud portal are your organization's data. Your organization is the data controller; we process this data only on your organization's behalf and instructions, to provide the service. If you access Maester Cloud through an account managed by your organization, your organization's policies apply, and requests about that data should go to your administrator first.

Account, billing, and website data — we are the controller. When you visit this website, sign up, subscribe, or contact us, we decide how that data is handled and are directly responsible to you for it.

Personal data we collect

We collect only what we need to provide and operate the service:

  • Account and setup data. Your name, work email address, the subdomain you claim, your chosen Azure region, and the Microsoft Entra tenant and application identifiers needed to authenticate your portal.
  • Billing data. Subscription and payment details, processed by our payment provider. We do not store full payment card numbers.
  • Support and communications. Emails and messages you send us, so we can respond and keep a record of the conversation.
  • Service logs. Standard operational logs (such as sign-in events, API requests, IP addresses, and error diagnostics) used for security, troubleshooting, and abuse prevention.

Portal sign-in uses Microsoft Entra ID through an application registered in your own tenant. Authentication happens against your organization's directory; we receive only the identity claims needed to sign you in.

Customer Data you send to your portal

Maester Cloud does not connect to or read your Microsoft 365 tenant. You run Maester or the Zero Trust Assessment in your own environment and send the results to your portal. Customer Data includes the JSON and HTML result files, parsed test outcomes, your tenant configuration for Maester and Zero Trust Assessment, and the accepted-risk decisions you record. Assessment results can include details about your Microsoft 365 configuration and may include personal data such as administrator account names, depending on the tests you run.

Our commitments for Customer Data:

  • We use it only to provide the service to your organization.
  • We do not sell it, share it with advertisers, or mine it for marketing.
  • We do not use it to train AI or machine learning models.
  • Our staff do not access it in the ordinary course of operations; access is limited to what is necessary to operate the service or support you at your request, and is logged.

How we use personal data

We use the data described above to provide and maintain the service, authenticate users, process payments, respond to support requests, secure the service and prevent abuse, meet legal obligations, and send service communications such as drift alerts and operational notices. We may send occasional product updates to account holders; you can opt out of non-essential email at any time.

How we share data

We do not sell personal data or Customer Data. We share data only with subprocessors that help us run the service — such as Microsoft Azure for hosting and our payment provider for billing — under contracts that restrict them to processing data solely to deliver their function to us. We may also disclose data when required by law, or to protect the rights, safety, or security of Maester Cloud, our customers, or the public.

Government and law enforcement requests

We will not disclose Customer Data to a government or law enforcement agency except as you direct or where required by law. If we are compelled to disclose your data, we will attempt to redirect the request to you, notify you unless legally prohibited from doing so, and challenge requests we believe are invalid or overbroad.

Where data is stored

You choose your Azure region when you set up your portal, and your Customer Data is stored and processed in that region. Account, billing, and website data may be processed in other regions where we or our subprocessors operate, with appropriate safeguards for international transfers where required by law.

Security

Data is encrypted in transit using TLS and at rest on Microsoft Azure infrastructure. Portal access is authenticated exclusively through your organization's Microsoft Entra tenant — there are no separate Maester Cloud passwords to manage or leak. See the security documentation for more detail on our architecture.

Retention and deletion

Customer Data is retained for the history window of your plan (up to five years for assessment results) or until your organization deletes it. When your subscription ends, we delete Customer Data within 30 days, except where we are legally required to retain it. Account and billing records are kept as long as your account is active and afterwards only as long as needed for legal, tax, and accounting purposes. Service logs are retained for a limited period for security and troubleshooting.

Your rights

Depending on where you live, you may have rights to access, correct, delete, or export your personal data, to object to or restrict processing, and to withdraw consent. For data where we are the controller (account, billing, website), contact us using the details below and we will respond as required by applicable law. For Customer Data and access provided through your organization, contact your administrator — your organization controls that data, and we support them in fulfilling these requests. You also have the right to lodge a complaint with your local data protection authority.

Cookies

We use only the cookies and browser storage strictly necessary to operate the service — primarily to keep you signed in to the portal. We do not use advertising cookies or third-party tracking. If we adopt analytics in the future, we will update this statement and ask for consent where required.

Children

Maester Cloud is a business service and is not directed at children. We do not knowingly collect personal data from anyone under 16.

Changes to this statement

We will update this statement as the service evolves. When we make material changes, we will update the effective date above and notify account holders by email or through the portal before the changes take effect.

How to contact us

For privacy questions or to exercise your rights, email maestercloud@jozra.com or use the contact page.