Permissions and data handling

What Caleta Cost Review asks for, why, what we store, and how to revoke. Written for IT and security teams reviewing before consent.

Who we are

Caleta IT Solutions Limited (registered in England). We're a Microsoft Verified Publisher. The app registration name in your tenant will be Caleta Cost Review.


Permissions we request

Two delegated permissions, requested in two steps:

Scope | What it covers | Type
User.Read (Microsoft Graph) | Signs you in and reads your own basic profile (name and email). Requested at sign-in. Nothing else in your directory. | Delegated
https://management.azure.com/user_impersonation | Azure Resource Manager APIs (Cost Management, Resource Graph, Advisor, Azure Monitor metrics) acting as the signed-in user. Never beyond their existing Azure RBAC. Requested when you run a scan. | Delegated

What this means in practice: the app can only read data that the user signing in can already read themselves via the Azure portal. We don't request application permissions (which would let us act without a user). The only Microsoft Graph permission is User.Read (your own profile, used to sign you in) – no mailbox, no directory write, no reading other users or groups, and nothing outside ARM.
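
A check a reviewer can run over the tenant's consent records after approval, written here as an added example (not Caleta's code). It assumes the records were exported from Microsoft Graph (oauth2PermissionGrants and the service principal's appRoleAssignments); the function name, sample records and object ids are constructed for illustration.

```python
# Added example, not Caleta's code. Record fields follow Microsoft Graph's
# oauth2PermissionGrant and appRoleAssignment objects; all records are constructed.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph
ARM_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"    # Azure Service Management API (management.azure.com)

# Delegated scopes this page documents, keyed by the resource's appId.
DOCUMENTED = {GRAPH_APP_ID: {"User.Read"}, ARM_APP_ID: {"user_impersonation"}}
# Assumption: OpenID Connect sign-in scopes may appear in the Graph grant. The page
# does not list them, so they are reported as notes for the reviewer, not findings.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def audit_consent(grants, app_role_assignments, resource_app_ids):
    """Compare consent records for one client app with the documented permissions.

    resource_app_ids maps each resource service principal's object id (which is
    tenant-specific) to its appId. Returns (findings, notes) as lists of strings.
    """
    findings, notes = [], []
    for grant in grants:
        app_id = resource_app_ids.get(grant["resourceId"])
        granted = set(grant.get("scope", "").split())
        if app_id not in DOCUMENTED:
            findings.append(f"grant on undocumented resource {grant['resourceId']}: {sorted(granted)}")
            continue
        extra = granted - DOCUMENTED[app_id]
        oidc = extra & OIDC_SCOPES if app_id == GRAPH_APP_ID else set()
        if oidc:
            notes.append(f"OIDC sign-in scopes on Microsoft Graph: {sorted(oidc)}")
        findings += [f"undocumented delegated scope: {s}" for s in sorted(extra - oidc)]
    # Any app role assigned to the app's service principal is an application
    # permission, which the page says is never requested.
    findings += [f"application permission {a['appRoleId']} on {a['resourceId']}"
                 for a in app_role_assignments]
    return findings, notes


RESOURCES = {"sp-graph": GRAPH_APP_ID, "sp-arm": ARM_APP_ID}  # constructed object ids
AS_DOCUMENTED = [
    {"consentType": "AllPrincipals", "resourceId": "sp-graph",
     "scope": "User.Read openid profile offline_access"},
    {"consentType": "AllPrincipals", "resourceId": "sp-arm", "scope": "user_impersonation"},
]
DRIFTED = [dict(AS_DOCUMENTED[0], scope="User.Read Mail.Read"), AS_DOCUMENTED[1]]

if __name__ == "__main__":
    for name, grants in (("as documented", AS_DOCUMENTED), ("drifted", DRIFTED)):
        print(name, audit_consent(grants, [], RESOURCES))
```

An empty findings list means the tenant's grants match the two delegated scopes stated above; any entry is something to raise with the vendor before or after approval.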

What data we read

  • Cost Management. 12 months of cost line items by resource, service, meter, and month.
  • Resource Graph. Inventory of resources you own (name, type, location, tags, SKU, basic properties).
  • Azure Advisor. Cost recommendations Azure has already surfaced for you.
  • Reservation recommendations. Azure's estimates of where Reserved Instances would save money.
  • Azure Monitor metrics. On demand only, during our 24-hour review. CPU, memory, network, storage for resources we're analysing for right-sizing. No metrics are pulled automatically during the scan.

We do not read: secrets, Key Vault contents, storage blob contents, database rows, customer-facing application data, RBAC assignments, other users or groups, or anything in Microsoft 365. The only identity data we read is the signed-in user's own name and email, to sign you in.

What we store, where, and for how long

  • Where. Azure SQL Database in UK South region. UK data residency end-to-end.
  • What. The raw API responses above plus the findings our team writes for you. Refresh tokens are stored encrypted at rest using Fernet (AES-128 in CBC mode). Access tokens are kept in memory only and never logged.
  • Retention. We keep your scan data until you ask us to delete it. Historical scans help us improve findings for your future reviews and inform new check patterns. To request deletion at any time, email privacy@caleta.io.
  • Sub-processors. Microsoft (Azure, Entra) and Cloudflare (CDN + tunnel). No third-party email processor. Transactional emails go through our M365 tenant via Microsoft Graph.

Cookies

The Cost Review app sets one cookie:

  • cr_session. Strictly necessary session cookie. httpOnly, SameSite=Lax, secure on the production hostname. Holds a signed reference to your server-side session row. Tokens are never stored in the cookie itself. Expires after 8 hours of inactivity or when you sign out.

The wider caleta.io site uses analytics and consent cookies covered by the main privacy policy.

Known limitations

Honest disclosure:

  • Session afterglow on revoke. When you revoke consent in Entra, existing access tokens remain valid until their normal 1-hour expiry. Refresh token invalidation can take Microsoft up to 24 hours to propagate. Our session cookie shortens this in practice but does not eliminate it. Continuous Access Evaluation adoption is planned post-launch.
  • No self-serve audit log endpoint yet. We log every operator action server-side (re-pulls, ad-hoc queries, metrics fetches) and will provide an extract on request. A self-serve audit endpoint is on the roadmap.

How to revoke

  1. Entra portal, Enterprise applications, search for “Caleta Cost Review”.
  2. Open the app, Properties, Delete.

This revokes the tenant-wide consent. Existing scans and findings stored in our database stay until you ask us to delete them. Email privacy@caleta.io to request deletion of any data.

For IT admins: pre-approve for your tenant

Most enterprises require admin approval before users can consent to new apps. Approving Caleta Cost Review for your whole tenant takes about 30 seconds. Anyone with Cloud Application Administrator, Application Administrator, Privileged Role Administrator, or Global Administrator can do this.


Questions or want a security questionnaire filled in? Email hello@caleta.io. We usually turn round in 24 hours.