Trust & Security
Access, audited. · esmeris.com
Esmeris exists to show you who has access to your company's data. That only works if you can trust us with the visibility required to do it. This page explains exactly what we can see, what we can't, and how we protect what you share with us. If anything here is unclear, email security@esmeris.com — a human who works on the product will answer.
Read-only by design
The credentials you grant us are technically incapable of making changes. When we add optional remediation features in the future, they will use separately requested permissions that you can decline while keeping the audit.
What we access — and what we never touch
We never access: the content of any email, file, document, chat, calendar event, or attachment. Not "we access it but don't store it" — the permission scopes we request do not include content access at all. You can verify this yourself on the consent screen: every scope we request is listed there, and none of them grants content access.
Exact scopes requested
Google Workspace:
| Scope | What it allows |
|---|---|
| admin.directory.user.readonly | Read user accounts, status, admin roles, MFA enrollment |
| admin.directory.user.security | Read per-user third-party OAuth token grants |
| admin.reports.audit.readonly | Read sign-in and token audit events |
| userinfo.email | Read the authorizing admin's email address |
Microsoft 365 (application permissions):
| Permission | What it allows |
|---|---|
| User.Read.All | Read user directory and account status |
| Application.Read.All | Read enterprise app registrations and OAuth grants |
| Directory.Read.All | Read directory roles and org-wide consent |
| AuditLog.Read.All | Read sign-in activity |
| Reports.Read.All | Read MFA registration details |
How your data is protected
Everything is encrypted in transit (TLS 1.2+) and at rest. OAuth credentials receive envelope encryption with keys held in a dedicated key-management service — decryption only inside isolated scan workers, and tokens never appear in logs. Production access is limited to named engineers with hardware-key MFA, and every access is logged.
Your data stays yours
We don't sell your data, share it with advertisers, or use it to train AI models. Data from your tenant is used for one thing: producing your audit.
Deletion you control — no support ticket required
Disconnect a tenant and our credentials are revoked and that tenant's scan data is deleted immediately. Delete your organization or account and everything goes with it, including backups within 30 days. There is no "email us to delete your data" — the button is in your settings.
Subprocessors
| Provider | Purpose | Region |
|---|---|---|
| Vercel | Application hosting | US |
| Neon / Supabase | Database hosting | US |
| Stripe | Billing (we never store card numbers) | US |
| Resend | Transactional email | US |
| Sentry | Error reporting (tenant data excluded) | US |
We update this list before adding any new subprocessor that handles customer data.
Reporting a vulnerability
Report issues to security@esmeris.com. We acknowledge within 2 business days and won't pursue legal action for good-faith research that respects user privacy and avoids service disruption.
Compliance posture, stated honestly
We are an early-stage company and we'd rather tell you precisely where we are than gesture at badges. Our Google Workspace integration is undergoing Google's OAuth application verification including its security assessment requirements for restricted scopes. Our Microsoft application is publisher-verified. Our policies and engineering practices are written to SOC 2 control expectations, and a SOC 2 Type I audit is planned once the product reaches general availability.