Data security

Built on the security backbone you already trust.

GemCore OS runs on Microsoft Azure and authenticates with Microsoft Entra ID — the same enterprise identity, encryption and threat-protection backbone that already secures your Microsoft 365 tenant.

Identity & single sign-on

Sign-in is delegated to Microsoft Entra ID. Conditional Access, multi-factor authentication and device-compliance policies you already enforce on Microsoft 365 apply to GemCore OS automatically — no parallel password store to manage or breach.

Encryption in transit and at rest

All traffic is served over modern TLS. Application data and backups are encrypted at rest by the underlying Azure database service, with additional safeguards applied to the most sensitive fields.

Private network connectivity

Application services reach back-end data over private connectivity rather than the public internet. Administrative access is gated, scoped, and reviewed.

Role-based access & least privilege

Every user is assigned a role; every role is mapped to a precise scope of pages, actions and records. Access is enforced at multiple layers, and access reviews run on a regular cadence.

Audit logging & monitoring

Authentications, record changes and administrative actions are written to immutable audit logs. Telemetry flows into a centralized security platform for continuous review and alerting.

Backups & disaster recovery

Automatic point-in-time restore, plus geo-redundant long-term retention so a regional incident doesn't become a data-loss event. Recovery procedures are documented, tested and runbook-driven.

Continuous threat detection

Continuous detection scans for anomalous logins, data-exfiltration patterns and known vulnerabilities. Alerts route to the on-call security responder in real time.

Inherited compliance

By running on Microsoft Azure, GemCore OS inherits the platform-level certifications Microsoft maintains — including ISO 27001, SOC 1 / SOC 2 / SOC 3, HIPAA, GDPR, CCPA and PCI DSS. Attestations are published through the Microsoft Service Trust Portal.

What this means in practice.

You don't take on a new vendor's security model. You extend the one your team already audits and trusts. Your Microsoft tenant remains the source of truth for identity. Your data stays inside the same enterprise-grade perimeter you've already vetted.

How we operate

Access reviews: Permissions reviewed on a regular cadence; immediately revoked on role change.
Dependency & patch hygiene: Automated scanning of code dependencies and timely application of security updates.
Secure development: Code review, automated static analysis and security testing in the build pipeline.
Secret management: Credentials and signing keys held in a managed secret store, never in source.
Incident response: Documented IR plan with defined severities, on-call rotation and post-incident reviews.
Vendor diligence: Subprocessors are reviewed and contracted in writing before any data is shared.
Personnel security: Mandatory security training and confidentiality agreements for everyone with access.
Data minimization: We collect only what's needed for the platform to do its job — see the Privacy Policy.

For operational reasons, we don't publish detailed architecture, configuration, or vendor names beyond what's above. If your security or vendor-risk team needs deeper diligence — SIG Lite, CAIQ, custom questionnaires, or a walk-through under NDA — we're happy to provide that directly.

Have a security questionnaire to send our way? Email contact@gemcoreos.com and we'll route it to the right person.