ITSailor.io

Read-only by default.
Transfers documented by design.

ITSailor runs diagnostic tools against other people's tenants. That sets a high bar. This page records the access model, sub-processors, incident process, and limits that apply before an engagement starts.

Data residency

EU-first, with transfers disclosed

We choose EU regions where available. When a provider can process data outside the EU/EEA, its DPA and an approved transfer safeguard must cover that processing.

Access scope

Read-only by design

Audit engagements use OAuth delegated permissions or service principals scoped to least privilege (e.g. M365 Reports.Read.All, Azure Reader, DNS Read). Write access is requested only when an explicit, scoped task requires it and is signed off in the engagement letter.
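A practitioner onboarding an audit service principal will want to verify that what was actually granted matches the read-only scope described above. The following script is an added example, not ITSailor's own tooling: it takes an exported list of permission grants (constructed sample data below, in a simplified format the page does not define) and flags anything that is off the read-only allow-list or that looks write-capable by name. The allow-list is built only from the example permissions mentioned in the text.

```python
"""Least-privilege check for an audit identity's granted permissions.

Added example, not ITSailor's code. It assumes the grants were already
exported from the tenant into the simple dict format used below; the
sample grants and the allow-list are constructed for illustration.
"""

# Constructed allow-list, modelled on the read-only examples in the text:
# M365 Reports.Read.All, Azure Reader, DNS Read.
ALLOWED_GRANTS = {
    "microsoft-graph": {"Reports.Read.All"},
    "azure-rbac": {"Reader"},
    "dns": {"DNS Read"},
}

# Name fragments that indicate write capability; a grant containing one of
# these is flagged even if someone added it to the allow-list by mistake.
WRITE_MARKERS = ("ReadWrite", "Write", "Contributor", "Owner", "Manage")


def looks_like_write(permission: str) -> bool:
    """Heuristic: does the permission name suggest write capability?"""
    return any(marker in permission for marker in WRITE_MARKERS)


def check_grants(grants):
    """Return findings for grants outside the read-only allow-list.

    Each grant is a dict with 'principal', 'provider' and 'permission'.
    An empty list means every grant is on the allow-list and read-only.
    """
    findings = []
    for grant in grants:
        provider = grant["provider"]
        permission = grant["permission"]
        allowed = ALLOWED_GRANTS.get(provider, set())
        if looks_like_write(permission):
            reason = "write-capable"
        elif permission not in allowed:
            reason = "not on allow-list"
        else:
            continue
        findings.append({
            "principal": grant["principal"],
            "provider": provider,
            "permission": permission,
            "reason": reason,
        })
    return findings


def is_read_only(grants) -> bool:
    """True when no grant is flagged."""
    return not check_grants(grants)


# Constructed sample export for a hypothetical audit service principal.
SAMPLE_GRANTS = [
    {"principal": "sp-audit-example", "provider": "microsoft-graph",
     "permission": "Reports.Read.All"},
    {"principal": "sp-audit-example", "provider": "azure-rbac",
     "permission": "Reader"},
    {"principal": "sp-audit-example", "provider": "dns",
     "permission": "DNS Read"},
    # The next three should be caught:
    {"principal": "sp-audit-example", "provider": "azure-rbac",
     "permission": "Contributor"},
    {"principal": "sp-audit-example", "provider": "microsoft-graph",
     "permission": "Mail.ReadWrite"},
    {"principal": "sp-audit-example", "provider": "microsoft-graph",
     "permission": "User.Read.All"},
]

if __name__ == "__main__":
    for finding in check_grants(SAMPLE_GRANTS):
        print(f"{finding['principal']}: {finding['provider']} "
              f"{finding['permission']} -> {finding['reason']}")
```

Run the script before signing the engagement letter and again after any permission change; a non-empty result is the signal to either remove the grant or document it as an explicitly scoped write task.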

Credential handling

We never receive your credentials

Passwords, secrets, API keys, and recovery codes are never requested, copied, or stored. Authentication runs through your identity provider using standard OAuth or short-lived service principals you control and can revoke at any time.

Encryption

HTTPS in transit, provider encryption at rest

itsailor.io is served over HTTPS with an HSTS response header. Data stored by sub-processors uses their documented encryption controls. We do not roll our own crypto.
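The HSTS claim above is easy to verify from the outside, and the check is worth automating so it is re-run after every deployment. The following script is an added example, not ITSailor's code: it parses a Strict-Transport-Security header value and evaluates it against a baseline (one-year max-age plus includeSubDomains, which is an assumption, not a requirement stated on this page). The header sets below are constructed; in practice they would come from the response headers captured with a tool such as curl -I.

```python
"""Evaluate a Strict-Transport-Security header against a minimum policy.

Added example, not ITSailor's code. The baseline values and the sample
header sets are constructed for illustration.
"""

# Baseline assumptions: one year max-age and subdomain coverage.
MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> dict:
    """Parse an HSTS header value into its directives.

    Returns {'max-age': int or None, 'includeSubDomains': bool, 'preload': bool}.
    Directive names are case-insensitive; an unparseable max-age stays None.
    """
    policy = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            raw = raw.strip().strip('"')
            if raw.isdigit():
                policy["max-age"] = int(raw)
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def evaluate_hsts(headers: dict) -> list:
    """Return a list of findings; empty means the policy meets the baseline."""
    # Header names are case-insensitive, so match on a lowercased key.
    value = next(
        (v for k, v in headers.items() if k.lower() == "strict-transport-security"),
        None,
    )
    if value is None:
        return ["Strict-Transport-Security header missing"]
    policy = parse_hsts(value)
    findings = []
    if policy["max-age"] is None:
        findings.append("max-age directive missing or malformed")
    elif policy["max-age"] < MIN_MAX_AGE:
        findings.append(
            f"max-age {policy['max-age']} is below baseline {MIN_MAX_AGE}"
        )
    if not policy["includeSubDomains"]:
        findings.append("includeSubDomains not set")
    return findings


# Constructed sample header sets (not captured from itsailor.io).
HEADERS_STRONG = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"
}
HEADERS_WEAK = {"strict-transport-security": "max-age=300"}
HEADERS_MISSING = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for label, headers in (("strong", HEADERS_STRONG),
                           ("weak", HEADERS_WEAK),
                           ("missing", HEADERS_MISSING)):
        print(label, evaluate_hsts(headers) or ["ok"])
```

A short max-age is the most common weak setting: it still upgrades the first request but offers little protection once the browser's cached policy expires, so the baseline check treats it as a finding rather than a pass.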

Retention

Minimal and time-boxed

Audit input and reports: 12 months after engagement closure unless tax / accounting law requires longer. Contact form submissions: 24 months from last interaction. Invoices and VAT records: 10 years (Maltese statutory). On request, we delete within 30 days where law permits.

Authentication

Separated daily and privileged identities

The daily Microsoft 365 account has no standing admin role. Privileged access uses a separate PIM-eligible account, with two unlicensed recovery accounts retained for break-glass access. Conditional Access is being staged in report-only mode.

Compliance

What we are obligated to, what we align with, and what we are transparent about not yet having.

GDPR (EU 2016/679)

ITSailor acts as Data Controller for website and prospect data, and as Data Processor under engagement letters. A Data Processing Agreement (DPA) is available on request from michal.jatczak@itsailor.io.

ePrivacy & PECR alignment

Cookie banner and consent flow are deployed before any non-essential tracker is added. Currently no analytics, ad pixels, or non-essential cookies are loaded.

Maltese statutory obligations

VAT registered with the Maltese Office of the Commissioner for Revenue (MT32760411, validated in VIES). D-U-N-S Number 507601021 issued by Dun & Bradstreet for vendor onboarding verification. Books and invoices retained for 10 years per Maltese law.

ISO 27001 / SOC 2 alignment

Not certified at this stage. Practices are designed against ISO 27001 Annex A controls and SOC 2 Trust Services Criteria so that engagements can later inherit a clean audit trail when certification is pursued.

Incident response

Sole-trader operations, enterprise-trained playbook. The timeline below is the contractual default; engagement letters can tighten it.

  1. T+0h

    Operator triages signal, contains scope, freezes affected access tokens, and opens internal incident ticket.

  2. T+24h

    Affected customers receive a written notification with what happened, what data is potentially involved, what we are doing, and what they should do.

  3. T+72h

    Where personal data is involved, the Maltese Information and Data Protection Commissioner (IDPC) is notified per GDPR Art. 33.

  4. T+30d

    Post-incident report shared with affected customers covering root cause, timeline, remediation, and preventive controls.

Sub-processors

The full list of third parties that may process personal data on our behalf. Any change is reflected here and in the privacy policy before it takes effect.

  • Vercel Inc.
    Website hosting and deployment
    Global infrastructure
  • Microsoft Ireland Operations Ltd.
    Microsoft 365 email and collaboration
    Ireland
  • Cloudflare, Inc.
    Authoritative DNS for itsailor.io
    USA / EU edge
  • Resend, Inc.
    Contact-form email delivery
    USA / global infrastructure

Vulnerability disclosure

If you believe you have found a security issue affecting itsailor.io or any ITSailor service, please report it privately to michal.jatczak@itsailor.io.

  • Initial acknowledgement within two working days.
  • Fix or mitigation timeline shared within ten working days.
  • Good-faith researchers are not pursued for testing that respects the boundaries below.
  • Out of scope: physical attacks, social engineering, denial-of-service, automated scanners that generate sustained load, and any access to data belonging to other customers.

Operator background

ITSailor is operated from Malta by Michal Jatczak, its Polish founder and cloud architect. His background spans nine years across multi-cloud, M365 administration, network security, and AI automation. He holds ITIL 4 Foundation, ACP-120 (Atlassian), Microsoft Server Infrastructure, and an M.Sc. in Computer Science. Background reference checks are available to enterprise procurement teams.

ITIL 4 Foundation · ACP-120 Jira Cloud Admin · Microsoft Server Infrastructure · M.Sc. Computer Science