Security and compliance, by default.

GraphWarden holds your Microsoft Graph credentials in your own Azure Key Vault, enforces policy on every call, and emits an audit trail that stands up to a regulator.

Zero-knowledge credentials

GraphWarden never stores your Microsoft Graph credentials. They live in your own Azure Key Vault, and GraphWarden is granted `get` permission on specific secrets — read-only, auditable from your tenant.

If GraphWarden is compromised, the blast radius is bounded: no stored secrets means no stolen secrets.

Data residency

Hosted tier: the proxy runtime is in Azure Canada Central; the control plane runs in Canada East (OVHCloud). On-premise tier: the proxy runs entirely in your infrastructure — no data leaves your environment.

Request a compliance briefing

Walk through our architecture, ruleset model, and audit trail with your security or compliance team.

Request a briefing