Data Flow and Data Storage
1. Introduction
This document provides a detailed overview of the data flow and data storage in PowerMove. It covers data in motion and data at rest, the location where data is stored, and the retention policy that applies to it.
2. System Architecture
2.1 Component Overview
PowerMove consists of the following main components:
- PowerMove Portal: A web application that provides users access to PowerMove functionalities.
- Microsoft Power Platform: Stores a minimal amount of data necessary for the user interface to function optimally, as well as for troubleshooting and customer support if needed.
- Azure DevOps Repo: Used to centrally store pipelines so they can be distributed to all customers upon updates.
- Entra Multitenant Authentication: Ensures secure authentication of users and applications against the customer's Azure tenant, Azure DevOps, and Power Platform.
2.2 Integration Overview
PowerMove integrates with the customer's existing systems through Microsoft's official APIs. The following integrations are implemented:
- Microsoft APIs: PowerMove uses only Microsoft APIs to integrate with Azure DevOps, Microsoft Graph, and Power Platform, so every call is authenticated and authorized by the respective Microsoft service.
- Authentication with Entra Multitenant Authentication: Users and applications authenticate through the Microsoft Authentication Library (MSAL) against Microsoft Entra ID, with PowerMove registered as a multitenant application. PowerMove requests only delegated permissions: it acts on behalf of the signed-in user and has exactly that user's access rights, never standing application permissions of its own. The effective reach of PowerMove in a tenant is therefore bounded by the role of the user who signs in, and the delegated scopes granted to it can be reviewed by the customer's tenant administrators under the enterprise application's permissions.
- Delegated Access: PowerMove's integrations automate tasks the user is already permitted to perform manually. Because every call is made with delegated access, no operation can be executed beyond the user's existing rights.
- Data Management: PowerMove stores only the data about the customer, user, environment, and solution that it needs to function: configuration, monitoring, and troubleshooting information (the fields are listed in section 4). When an error occurs, the relevant details are stored temporarily to help the customer troubleshoot and improve the setup.
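The "delegated only" rule above is easy to state and easy to get wrong at validation time in a multitenant application, so the following added example (not PowerMove's own code) shows the claim checks a multitenant backend can apply to an Entra access token before trusting it: the token must be for the expected audience, come from an onboarded tenant whose issuer matches its `tid`, and be a delegated token (a `scp` claim plus the user's `oid`, and neither a `roles` claim nor `idtyp == "app"`, which mark app-only tokens). The tenant IDs, audience, role name and tokens are constructed for the illustration; the sample tokens are unsigned, and signature verification against the tenant's signing keys is assumed to have been done upstream (by MSAL or the resource) before these checks run.

```python
import base64
import json
import time

# Constructed sample inputs: tenant IDs, audience and tokens are made up for
# this illustration and belong to neither PowerMove nor any customer.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}   # onboarded customer tenants
EXPECTED_AUD = "api://00000000-0000-0000-0000-000000000000"  # assumed app ID URI of the API
FIXED_NOW = 1_700_000_000  # fixed clock so the samples stay valid when re-run


def _b64url_json(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(payload: dict) -> str:
    """Build an UNSIGNED JWT ('alg': 'none') as constructed test input only.
    Real Entra tokens are RS256-signed; signature checks are assumed upstream."""
    return f"{_b64url_json({'alg': 'none', 'typ': 'JWT'})}.{_b64url_json(payload)}."


def decode_claims(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def check_delegated_token(token: str, allowed_tenants=ALLOWED_TENANTS,
                          expected_aud=EXPECTED_AUD, now=None):
    """Return (ok, reason). Accepts only a delegated (user-context) token from
    an onboarded tenant. Checks claim shape only; cryptographic verification
    of the signature is assumed to have happened before this is called."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    if claims.get("aud") != expected_aud:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        return False, f"tenant {tid!r} is not onboarded"
    # Multitenant pitfall: the issuer must be the tenant named in 'tid', not
    # merely some Entra issuer, or tokens from any tenant would be accepted.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        return False, "issuer does not match tenant"
    # App-only tokens carry 'roles' (application permissions) and, when the
    # optional claim is enabled, idtyp == 'app'; delegated tokens carry 'scp'
    # and the signed-in user's 'oid'.
    if claims.get("idtyp") == "app" or "roles" in claims:
        return False, "application (app-only) token, delegated only is permitted"
    scopes = set(claims.get("scp", "").split())
    if not scopes or not claims.get("oid"):
        return False, "no delegated scopes or no signed-in user"
    return True, f"delegated token for user {claims['oid']} with scopes {sorted(scopes)}"


_TENANT = next(iter(ALLOWED_TENANTS))
_OTHER = "22222222-2222-2222-2222-222222222222"  # constructed non-onboarded tenant
_BASE = {"aud": EXPECTED_AUD, "exp": FIXED_NOW + 3600, "tid": _TENANT,
         "iss": f"https://login.microsoftonline.com/{_TENANT}/v2.0"}

SAMPLE_DELEGATED = make_sample_token({**_BASE, "oid": "user-oid-1",
                                      "scp": "user_impersonation"})
SAMPLE_APP_ONLY = make_sample_token({**_BASE, "idtyp": "app",
                                     "roles": ["Solution.ReadWrite.All"]})  # made-up role
SAMPLE_FOREIGN = make_sample_token({**_BASE, "tid": _OTHER,
                                    "iss": f"https://login.microsoftonline.com/{_OTHER}/v2.0",
                                    "oid": "user-oid-2", "scp": "user_impersonation"})
SAMPLE_ISSUER_MISMATCH = make_sample_token({**_BASE,
                                            "iss": f"https://login.microsoftonline.com/{_OTHER}/v2.0",
                                            "oid": "user-oid-3", "scp": "user_impersonation"})

if __name__ == "__main__":
    for name, tok in [("delegated", SAMPLE_DELEGATED), ("app-only", SAMPLE_APP_ONLY),
                      ("foreign tenant", SAMPLE_FOREIGN),
                      ("issuer mismatch", SAMPLE_ISSUER_MISMATCH)]:
        print(name, check_delegated_token(tok, now=FIXED_NOW))
```

The tenant allowlist is the important part for a multitenant registration: with the authority set to `organizations`, Entra will issue tokens to any work account, so the backend, not the login page, decides which tenants are customers.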
3. Data at Rest and in Motion
3.1 Data at Rest (Data-at-rest)
Data that PowerMove stores is kept in Microsoft Dataverse, the data platform of Microsoft Power Platform, which applies the controls below to data at rest.
Storage Location and Security Mechanisms
- Storage Location: PowerMove stores necessary information about customers, users, environments, and solutions in Microsoft Dataverse. This includes configuration data and troubleshooting data.
- Security: Dataverse employs multiple layers of security to protect data at rest, including:
- Encryption: Data at rest in Dataverse is encrypted with AES-256 (via SQL Server Transparent Data Encryption); connections to Dataverse are protected with TLS as described in section 3.2.
- Role-based Access Control (RBAC): Access to data in Dataverse is governed by Dataverse security roles; a user can read or modify records only through the privileges their assigned roles grant.
- Data Minimization: PowerMove stores only the data it needs to function, following the principle of data minimization, so that a breach of the store exposes as little as possible.
3.2 Data in Motion (Data-in-motion)
Data is transferred between PowerMove and the customer's tenant as follows:
- Protocol: All data transmission occurs over HTTPS, that is, HTTP inside a TLS (Transport Layer Security) session, so data is encrypted and integrity-protected in transit and cannot be read or altered by an intermediary.
- APIs: REST APIs are used for all communication.
4. Data and Data Types
Area | Field | Field Type | Purpose |
---|---|---|---|
Account | Application Id | 🔤 Text | Configuration |
Account | Azure Organization Name | 🔤 Text | Troubleshooting |
Account | Tenant Id | 🔤 Text | Configuration |
Contact | Id | 🔤 Text | Configuration |
Contact | | 🔤 Text | Troubleshooting, Support |
Contact | Full Name | 🔤 Text | Troubleshooting, Support |
Contact | Job Title | 🔤 Text | Troubleshooting, Support |
Contact | Mobile Phone | 🔤 Text | Troubleshooting, Support |
Contact | Last Used | 📅🕒 Date & Time | Licensing |
Environment | Created Time | 📅🕒 Date & Time | Troubleshooting |
Environment | Id | 🔤 Text | Configuration |
Environment | Instance State | 🔤 Text | Troubleshooting |
Environment | Language | 🔤 Text | Troubleshooting |
Environment | Location | 🔤 Text | Troubleshooting |
Environment | Name | 🔤 Text | Configuration |
Environment | Provisioning State | 🔤 Text | Troubleshooting |
Environment | Type | 🔤 Text | Troubleshooting |
Environment | Unique Name | 🔤 Text | Troubleshooting |
Environment | URL | 🔤 Text | Configuration |
Environment | Version | 🔤 Text | Troubleshooting |
Project | DevOps Id | 🔤 Text | Configuration |
Project | Name | 🔤 Text | Configuration |
Repo | Default Branch | 🔤 Text | Configuration |
Repo | DevOps Id | 🔤 Text | Configuration |
Repo | Name | 🔤 Text | Configuration |
Solution | Display Name | 🔤 Text | Configuration |
Solution | Name | 🔤 Text | Configuration |
Application secrets are not kept in Dataverse; they are stored in Azure Key Vault.
5. Storage and Retention
Data is retained according to the following policy:
- User Data: Retained for up to 1 year after the last activity to ensure continuous service.
- Logs: Retained for up to 6 months for troubleshooting and auditing purposes.
Data Storage Location
All data related to PowerMove is stored in Microsoft Dataverse, located in the Europe region. Furthermore, all Azure components used in the service are located in North Europe, ensuring that all data processing and storage occur within defined geographic areas in Europe.
6. Compliance
- GDPR: PowerMove complies with GDPR requirements by ensuring the security of personal data and offering users the right to access and delete their data.