Trust & Security

Architecture, security, and your data

How Bastion is deployed, how your data flows, and the controls that keep it safe. Built by a security team — for security teams.

Deployment models

Run Bastion the way your compliance and data-residency needs require.

SaaS (today)

Read-only API connection to your Microsoft 365 / Entra tenant. Fastest to start; nothing to host.

Hybrid connector (roadmap)

A lightweight collector running in your network; analysis in our cloud or yours.

On-prem / air-gapped (roadmap)

Run the full pipeline inside your environment for the most sensitive estates.

How your data is handled

Bring-your-own-key

You hold the API keys for every model provider. We never resell access or store your raw keys beyond what an engagement requires.

Encryption everywhere

Data is encrypted in transit (TLS 1.2+) and at rest. Secrets are isolated and access-scoped.

Human-approved changes

Remediation is never applied without explicit human approval. Every change is logged and reversible.

Least-privilege access

Role-based access, scoped credentials, and full audit trails for every action in your environment.

Data flow, in plain terms

  1. A read-only connection inventories your Microsoft 365 / Entra posture across 12+ domains.
  2. Findings are analyzed and prioritized — using your own model keys under BYOK.
  3. You review the AI-drafted, exact remediation for each finding in the console.
  4. Your team applies the fix — Bastion never writes to your tenant. Everything is logged.
  5. Re-scan to verify the gap is closed — or subscribe to Monitor for scheduled, continuous re-scans.

We collect the minimum technical data needed to deliver the service, and we do not sell your data.

Frameworks & compliance

MITRE ATT&CK CIS Benchmarks NIST CSF SOC 2 ISO 27001

We map every finding and control to these frameworks — including a SOC 2 / ISO 27001 / NIST CSF crosswalk in the compliance evidence pack — to keep your reporting and audits aligned.

Our own certifications:Bastion's SOC 2 Type II and ISO 27001 audits are in progress — reach out for our current status and security questionnaire.

Sub-processors

ProviderPurposeRegion
StripePayments & subscription billingUS / global
VercelWebsite & application hostingUS / global edge
ResendTransactional email (sign-in, contact)US

Responsible disclosure

Found a security issue? We want to hear from you. Email security@bastionsecurity.dev with details and we will respond promptly. Please give us reasonable time to remediate before public disclosure. See our security.txt.

Privacy & data-rights requests: privacy@bastionsecurity.dev.