Trust Document

A Word on Syntaro Data Privacy and Security

We at baseVISION take data privacy and security seriously and operate under the premise of requesting and storing only the data we truly need for a solution to function. All our data is stored in a secure Azure Cloud environment and least privilege access is used internally for such data. Only operational users truly in need of access to the data have access to it. For modules not owned by baseVISION or provided by other parties, please refer to their respective data trust documents.

Syntaro Portal & App Management

For the Syntaro modules to function with your Azure AD environment you’ll be required to grant your Syntaro tenant access to your Azure AD resources with the following privileges:

| Type | Permission | Module | Purpose |
|---|---|---|---|
| Application | Read directory data | Portal | Request the e-mail addresses of tenant admins in Syntaro to send important service notifications. This is because we don't save any e-mail address except the verified invoicing e-mail address. |
| Application | Read directory data | App Management P2 | Sync device IDs which are assigned to an Azure AD group specified as a deployment ring. |
| Delegated | Sign in and read user profile | Portal | Display profile picture and display name in the web interface. |
| Delegated | Read all users basic profiles | Portal | Azure AD user search to assign permissions in the Syntaro Portal. |
| Delegated | Read directory data | Portal | Azure AD group search to assign permissions in the Syntaro Portal. |
| Delegated | Read directory data | App Management P2 | Azure AD group search to assign a group to a deployment ring. |
| Delegated | Access the directory as the signed-in user | Portal | Permission needed during sign-up to register the application as an Enterprise Application in Azure AD. Therefore the Global Admin right of the signed-in user is used. |

We do not store the information we can receive through these permissions in our environment. The information is, however, temporarily available in the application cache for display purposes. What we do store is the following:

  • Tenant ID
  • User ID
  • Group IDs (Object ID in Azure AD)
  • Email and IP address of the person accepting the EULA

This is necessary for us to map permission assignments and record who accepted the terms.

Review possibility

You can always review your Azure AD audit log to check which actions we take in your Azure AD.

WimAsAService Trust Statement

WimAsAService has a separate user store and hence handles some data a bit differently.

| What we store | Why we store it | Who has access to it |
|---|---|---|
| User e-mail address | This e-mail address is needed to send mails to the users, to inform them when an image generation has started and when one is finished or runs into problems. We also use this e-mail address to send other information concerning WimAsAService to the user in the form of a newsletter. Its content covers new Windows build availability, new features, and planned or unplanned system interruptions. Therefore the e-mail addresses get imported into our CRM solution. | The user himself. The tenant administrators of your tenant. baseVISION employees. |
| Username | It is used by the users to log on. | The user himself. The tenant administrators of your tenant. baseVISION Support personnel. |
| User password | It is used by the users to log on, but it is stored as a hash on our server. | baseVISION Support personnel can see the hashed password but not the real password. |
| Tenant e-mail address | This e-mail address is needed to send mails when the scheduler function is used, to inform you when an image generation has started and when one is finished or runs into problems. We also use this e-mail address to send other information concerning WimAsAService to the user in the form of a newsletter. Its content covers new Windows build availability, new features, or planned or unplanned system interruptions. Therefore the e-mail addresses get imported into our CRM solution. | The tenant administrators of your tenant. baseVISION employees. |
| Content of your uploaded packages | To install your custom applications into your images we need that information. | baseVISION Support personnel. |
| Content of your uploaded PowerShell scripts | To execute your custom PowerShell scripts we need that information. | All users in your WimAsAService tenant. baseVISION Support personnel. |
| Content of your uploaded PPKG files | To apply your custom PPKG files into your images we need that information. | All users in your WimAsAService tenant. baseVISION Support personnel. |

This document is valid as of July 3rd, 2019 version 1.1