Permissions and data handling

What Caleta Cost Review asks for, why, what we store, and how to revoke. Written for IT and security teams reviewing before consent.

Who we are

Caleta IT Solutions Limited (registered in England, MPN ID 6315717). We're a Microsoft Verified Publisher. The app registration name in your tenant will be Caleta Cost Review.


Permissions we request

One scope, requested as a delegated permission:

Scope: https://management.azure.com/user_impersonation
What it covers: Azure Resource Manager APIs (Cost Management, Resource Graph, Advisor, Azure Monitor metrics), acting as the signed-in user and never beyond their existing Azure RBAC.
Type: Delegated

What this means in practice: the app can only read data that the user signing in can already read themselves via the Azure portal. We don't request application permissions (which would let us act without a user). We don't request Microsoft Graph, mailbox access, directory write, or anything outside ARM.
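The claims above (one delegated scope, user_impersonation on Azure Resource Manager, no application permissions, nothing on Microsoft Graph) can be checked against what your own tenant actually granted once consent is done. The script below is an added example written for reviewers, not Caleta's code: it reads the service principal's oauth2PermissionGrants (delegated permissions) and appRoleAssignments (application permissions) from Microsoft Graph and reports any deviation from the published permission set. The GRAPH_TOKEN variable, the helper names, and the sample object ids are assumptions for this example; without a token it evaluates constructed sample data instead of calling Graph.

```python
"""Post-consent permission check for the Caleta Cost Review service principal.

Added example, not Caleta's code. Set GRAPH_TOKEN to a Microsoft Graph bearer
token (for example from `az account get-access-token --resource-type ms-graph
--query accessToken -o tsv`) to run it live; otherwise the same checks run
over the constructed sample data below.
"""
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
APP_DISPLAY_NAME = "Caleta Cost Review"          # app registration name from the page
ARM_RESOURCE = "https://management.azure.com"    # resource from the page
EXPECTED_ARM_SCOPES = {"user_impersonation"}     # the single scope from the page


def evaluate(grants, app_role_assignments, resources):
    """Return deviations from the page's claim; an empty list means it matches.

    grants: oauth2PermissionGrant objects (delegated permissions as consented)
    app_role_assignments: appRoleAssignment objects (application permissions)
    resources: resourceId -> {"displayName", "servicePrincipalNames"}
    """
    findings = []
    # Any appRoleAssignment is an application permission; the page says there are none.
    for a in app_role_assignments:
        findings.append(f"application permission {a.get('appRoleId')} on "
                        f"{a.get('resourceDisplayName', a.get('resourceId'))}")
    if not grants:
        findings.append("no delegated grant found (consent not completed?)")
    for g in grants:
        res = resources.get(g["resourceId"], {})
        label = res.get("displayName", g["resourceId"])
        names = {n.rstrip("/") for n in res.get("servicePrincipalNames", [])}
        scopes = set(g.get("scope", "").split())
        if ARM_RESOURCE not in names:
            # A grant on Microsoft Graph or any other API contradicts the page.
            findings.append(f"delegated grant on {label}: {' '.join(sorted(scopes))}")
            continue
        extra = scopes - EXPECTED_ARM_SCOPES
        if extra:
            findings.append(f"extra ARM scope(s): {' '.join(sorted(extra))}")
    return findings


def graph_get(path, token):
    req = urllib.request.Request(GRAPH + path, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_from_graph(token, display_name=APP_DISPLAY_NAME):
    """Live path: resolve the service principal and its grants (first page only)."""
    flt = urllib.parse.quote(f"displayName eq '{display_name}'")
    sps = graph_get(f"/servicePrincipals?$filter={flt}&$select=id,appId", token)["value"]
    if len(sps) != 1:
        raise SystemExit(f"expected one service principal named {display_name!r}, found {len(sps)}")
    sp_id = sps[0]["id"]
    grants = graph_get(f"/servicePrincipals/{sp_id}/oauth2PermissionGrants", token)["value"]
    roles = graph_get(f"/servicePrincipals/{sp_id}/appRoleAssignments", token)["value"]
    resources = {}
    for g in grants:
        rid = g["resourceId"]
        if rid not in resources:
            resources[rid] = graph_get(
                f"/servicePrincipals/{rid}?$select=displayName,servicePrincipalNames", token)
    return grants, roles, resources


# Constructed sample: what a tenant should see after consenting to exactly the
# permission the page describes. Object ids and display names are placeholders.
SAMPLE_GRANTS = [{"id": "grant-placeholder-1", "consentType": "AllPrincipals",
                  "principalId": None, "resourceId": "res-arm-placeholder",
                  "scope": "user_impersonation"}]
SAMPLE_ROLES = []
SAMPLE_RESOURCES = {"res-arm-placeholder": {
    "displayName": "Azure Resource Manager (placeholder name)",
    "servicePrincipalNames": ["https://management.azure.com/"]}}

# Constructed drift sample: a Graph scope and an application permission crept in.
DRIFT_GRANTS = SAMPLE_GRANTS + [{"id": "grant-placeholder-2", "consentType": "AllPrincipals",
                                 "principalId": None, "resourceId": "res-graph-placeholder",
                                 "scope": "User.Read Mail.Read"}]
DRIFT_ROLES = [{"appRoleId": "approle-placeholder", "resourceId": "res-graph-placeholder",
                "resourceDisplayName": "Microsoft Graph"}]
DRIFT_RESOURCES = {**SAMPLE_RESOURCES, "res-graph-placeholder": {
    "displayName": "Microsoft Graph", "servicePrincipalNames": ["https://graph.microsoft.com/"]}}

if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    if token:
        data = fetch_from_graph(token)
    else:
        print("GRAPH_TOKEN not set; evaluating the constructed sample data instead")
        data = (SAMPLE_GRANTS, SAMPLE_ROLES, SAMPLE_RESOURCES)
    findings = evaluate(*data)
    for f in findings:
        print(" - deviation:", f)
    if findings:
        raise SystemExit(1)
    print("matches the page: one delegated ARM scope, no application permissions")
```

A consentType of AllPrincipals on the grant is what tenant-wide admin consent produces; a per-user consent shows consentType Principal with the user's id in principalId. The live path reads only the first page of results, which is enough for a single app with one grant; Graph paginates larger result sets via @odata.nextLink.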

What data we read

  • Cost Management — 12 months of cost line items by resource, service, meter, and month.
  • Resource Graph — inventory of resources you own (name, type, location, tags, SKU, basic properties).
  • Azure Advisor — cost recommendations Azure has already surfaced for you.
  • Reservation recommendations — Azure's estimates of where Reserved Instances would save money.
  • Azure Monitor metrics — on demand only, during our 24-hour review. CPU, memory, network, storage for resources we're analysing for right-sizing. No metrics are pulled automatically during the scan.

We do not read: secrets, Key Vault contents, storage blob contents, database rows, customer-facing application data, identity / RBAC assignments, or anything in Microsoft 365.

What we store, where, and for how long

  • Where: Azure SQL Database in UK South region. UK data residency end-to-end.
  • What: the raw API responses above plus the findings our team writes for you. Refresh tokens are stored encrypted at rest using Fernet (AES-128 in CBC mode); access tokens are kept in memory only and never logged.
  • Retention: scan data is retained for 12 months after your most recent scan, then deleted. Findings can be deleted on request at any time — email hello@caleta.io.
  • Sub-processors: Microsoft (Azure, Entra), Cloudflare (CDN + tunnel). No third-party email processor — transactional emails go through our M365 tenant via Microsoft Graph.

Known limitations and accepted risks

Honest disclosure — these are flagged in our security questionnaire responses too.

  • Next.js version in audit reports. The customer-facing web app is built with Next.js, statically exported to Azure Static Web Apps. npm audit reports CVEs in Next.js 14, but the static export deploy mode means none of the affected runtime features (Server Components, middleware, image optimisation, HTTP request handling) ship to production. Next 16 migration is planned post-launch.
  • Session afterglow on revoke. Microsoft propagates OAuth consent revocation through the refresh token chain over up to 24 hours. Existing access tokens issued before revocation remain valid for their normal ~1-hour TTL. Our 8-hour session cookie shortens the practical afterglow further but does not eliminate it. Continuous Access Evaluation adoption is planned post-V1.
  • No customer-side audit log endpoint yet. We log every operator action (re-pulls, ad-hoc queries, metrics fetches) server-side and will provide an audit extract on request. A self-serve audit endpoint is in the V2 roadmap.

How to revoke

  1. Entra portal → Enterprise applications → search for “Caleta Cost Review”
  2. Open the app → Properties → Delete

This revokes the tenant-wide consent. Existing scans and findings stored in our database stay until retention expires or you ask us to delete them sooner. Email hello@caleta.io to request immediate deletion of any data.

For IT admins — pre-approve for your tenant

Most enterprises require admin approval before users can consent to new apps. Approving Caleta Cost Review for your whole tenant takes about 30 seconds. Anyone with Cloud Application Administrator, Application Administrator, Privileged Role Administrator, or Global Administrator can do this.

Approve Caleta for our tenant →


Questions or want a security questionnaire filled in? Email hello@caleta.io — we usually turn round in 24 hours.