X41 Cloud Suite – Privacy Polic
X41 Limited (“X41”, “we”, “our”, “us”) is committed to protecting the privacy and security of the organizations and individuals who use the X41 Cloud Suite. This Privacy Policy explains what data we collect, how we use it, how it is stored, and the safeguards we apply.
1. Purpose of Data Collection
The X41 Cloud Suite collects log and security-related metadata from Microsoft 365 (Office 365) environments. This data is used to provide analytics, benchmarking, and security insights for our partners and their customers.
We do not collect the content of emails, files, or messages.
2. Data We Collect
X41 collects metadata from Microsoft 365 and Azure APIs. This may include:
Authentication events (e.g., successful or failed login attempts)
File access events (e.g., filenames and access activity, but not file content)
Mailbox events (e.g., forwarding rules, but not email content)
Application and usage events
User profile information (e.g., name, job title, group membership, email address, and partially redacted phone numbers used for multi-factor authentication)
We group data by sensitivity and take measures to reduce exposure of personal information.
3. Where Data Is Stored
Data is stored in two locations:
Partner Environment (Primary storage):
Customer data is stored in the partner’s managed infrastructure (e.g., Elastic clusters).
To ensure compliance and regional data residency, customer data is stored within the same Microsoft Azure region as their Microsoft 365 environment.For example: EU customers’ data is stored in Azure EU regions; South East Asia customers’ data is stored in Azure South East Asia regions.
X41 Environment (Limited storage):
Technical metadata used to improve performance and benchmarking, such as:Threat intelligence indicators (e.g., known malicious IP addresses)
Collection status (e.g., last time data was fetched)
Trusted network ranges provided by customers
Redacted security recommendations for benchmarking
No sensitive customer or personal data is centrally stored by X41.
4. Data Retention
Data is retained for 90 days in Elastic clusters, after which it is automatically deleted.
Partners may extend retention by managing their own snapshots and backups.
All records are tagged with a “Data Owner” identifier to ensure complete removal once engagements end.
5. Security and Access Controls
X41 Cloud Suite operates within secure, private Azure environments.
Data collection uses service principals with public/private key authentication, limited to fixed IP ranges.
Multi-Factor Authentication (MFA) is enforced for all X41 accounts and customer access points (e.g., Kibana, Elastic Cloud).
Access to central systems is restricted to a single accredited security professional at X41.
External components (such as the CloudHelper API) are restricted to pre-approved IP ranges and secured in accordance with UK NCSC best practices.
6. Customer Control
Customers can request exclusion of certain sensitive event types, though this may reduce the effectiveness of security monitoring.
Partners may choose to operate with their own service principal identities for branding or compliance purposes.
Customers can request deletion of their data at any time.
7. No Access to Content
X41 never collects or stores the content of emails, files, messages, or conversations.
All data collected is metadata used solely for security, compliance, and performance analysis.
8. Legal Basis & Compliance
X41 processes data as a security analytics provider in compliance with applicable data protection laws, including the UK GDPR.
We process data only:
With partner authorization
For the purposes of providing contracted analytics and benchmarking services
For no other unrelated purpose
9. Your Rights
Depending on your location, you may have the right to:
Access the data we process about you
Request correction or deletion of your data
Restrict or object to processing in certain cases
Request a copy of your data
To exercise these rights, please contact us at privacy@x41.io.
10. Contact
If you have questions about this Privacy Policy or how your data is handled, please contact:
X41 Limited
Email: privacy@x41.io