search

Security & Trust Center

Your resource center for all security, privacy and compliance information related to a Reporting Hub deployment

The Reporting Hub takes security, privacy and compliance seriously and our goal is to ensure you have all the information you need to ensure your success.

hashtag
Reporting Hub Architecture

The Reporting Hub is a fully deployed web-app that is installed within the customers Azure environment. Our Reporting Hub Architecture documentation provides all the relevant information you will need to understand how the application works within Azure.

The Reporting Hub's policies can be found on our website here:

LogoPrivacy Policythereportinghub.comchevron-right

hashtag
Security & Compliance Considerations for Reporting Hub’s Solution Deployment

At Reporting Hub, we understand the importance of security and compliance in enterprise environments. However, one of the challenges we consistently face is that many security questionnaires and audits operate under the assumption that we function as a traditional SaaS provider. Our solution is fundamentally different in its deployment model, which directly impacts how various security standards apply to us.

hashtag
Fully Deployed in Customer Environments – No Data Access

Unlike most SaaS offerings that host customer data on their own infrastructure, Reporting Hub’s solution is fully deployed within the customer’s environment. This means:

  • We do not store, process, or transmit customer data on our infrastructure.

  • Customers maintain full control over their data security and compliance within their own Azure cloud.

  • Reporting Hub has no access to customer data, ensuring data sovereignty and eliminating risks associated with third-party data storage.

hashtag
Why Traditional Security Audits & Certifications May Not Apply

Many security frameworks such as SOC 2 and ISO 27001 are designed to assess a company’s ability to protect customer data within its own infrastructure. Since Reporting Hub does not store or have access to customer data, many of the security controls and requirements outlined in these frameworks do not apply to our solution.

For example:

  • SOC 2 focuses on the security, availability, and confidentiality of customer data stored within a vendor's systems. Since we do not handle customer data, these controls are not relevant.

  • ISO 27001 pertains to information security management systems (ISMS) for data stored within an organization’s environment. However, since our software runs entirely within the customer’s environment, their own security policies govern data protection, not ours.

hashtag
How We Address Security Concerns

Although traditional SaaS compliance frameworks do not apply, we take security seriously and provide the following assurances:

  1. Secure Code Development – We follow industry best practices for secure software development, including regular code reviews, static/dynamic security testing, and adherence to OWASP standards.

  2. Minimal Attack Surface – Since our solution does not rely on an external multi-tenant infrastructure, the attack surface is limited to what is already protected within the customer’s own security framework.

  3. Customer-Managed Access Control – Since the solution is deployed within the customer’s environment, they retain full control over identity and access management (IAM), authentication, and authorization policies.

  4. No Data Retention Risks – Unlike SaaS providers that must implement data protection mechanisms, Reporting Hub does not retain any customer data, eliminating concerns around data leaks or breaches.

  5. Compliance Alignment – While traditional SaaS security frameworks do not apply, we align with customer security policies and ensure our software integrates seamlessly into existing security models.

hashtag
Custom Security Assessments

Since security audits are often based on predefined templates for SaaS solutions, we recommend that customers work with us to tailor security assessments that are relevant to our specific deployment model. Instead of evaluating Reporting Hub as a data processor or cloud service provider, security reviews should focus on:

  • Software security practices (e.g., secure development lifecycle, vulnerability management).

  • Integration security (e.g., how the solution interacts with customer data sources securely).

  • Deployment security (e.g., customer-configurable security controls within their environment).

While SOC 2, ISO 27001, and similar frameworks are important for traditional SaaS vendors, they are not applicable to Reporting Hub due to our deployment model. Instead, our security posture is built around secure software development, integration security, and customer-controlled deployment.

We are happy to work with customers to address any security concerns within the context of their specific environment and ensure that Reporting Hub meets their security and compliance requirements without unnecessary overhead from frameworks that do not apply.

hashtag
Reporting Hub Security & Compliance Overview Document

file-pdf
189KB
Reporting Hub Security & Compliance Overview.pdf
PDF
arrow-up-right-from-squareOpen

hashtag
Reporting Hub Application Security Controls

chevron-rightReporting Hub Compliance - Audit Logginghashtag

The Reporting Hub includes built-in logging functionality with both application and audit logs. The logs are captured and stored in the Azure App Service within the client's environment. Below is a list of the information captured in the logs.

Application Logging

  • Any exceptions/errors encountered by the application

  • Information messages for Power BI embedded capacity operations and scheduled tasks in the Reporting Hub

Audit Logging

  • Content page security changes - which security groups and/or individuals are assigned to a content page. This includes if a group/individual's RLS role changes.

  • AD group - when sync groups is initiated, groups that were added/removed are tracked

  • Application roles - when a user or user group's application role changes (user, content admin, application admin)

  • Changes to Tenant admin - any changes made to on a tenant admin page (parent group, assigned workspaces, authentication scheme, billing, etc.)

  • Power BI settings - any changes made to the capacity, time out settings, Power BI gateway*, scheduled refresh

  • Scheduled tasks - add, modify, delete scheduled tasks

  • Subscription changes* - when customer upgrades/downgrades their license

hashtag
Microsoft Security, Privacy & Compliance Documentation

The Reporting Hub is an Azure web application, built within the Azure framework using Microsoft APIs. The benefit of using the Reporting Hub is that you are taking advantage of all the built-in Microsoft security. The below list has been compiled to simplify the sourcing of this relevant information:

Microsoft Trust Center:

LogoTrusted Products and Services | Microsoft Trust Centerwww.microsoft.comchevron-right

Microsoft Data Protection & Privacy:

LogoData Protection with Microsoft Privacy Principles | Microsoft Trust Centerwww.microsoft.comchevron-right

Azure App Service Security:

LogoSecure your Azure App Service deployment - Azure App ServiceMicrosoftLearnchevron-right

Power BI Security

LogoPower BI Security - Microsoft FabricMicrosoftLearnchevron-right
LogoPower BI security white paper - Power BIMicrosoftLearnchevron-right

Data Protection in Power BI

LogoData protection in Power BI - Microsoft FabricMicrosoftLearnchevron-right

Power Platform Compliance and Data Privacy

LogoCompliance and data privacy - Power PlatformMicrosoftLearnchevron-right

Power BI Governance & Compliance - Metadata Scanning

LogoMetadata scanning overview - Microsoft FabricMicrosoftLearnchevron-right

Power BI Embedded Security:

LogoSecurity in Power BI embedded analytics - Power BIMicrosoftLearnchevron-right

Embedded Analytics Access Tokens:

LogoPermission tokens needed to embed a Power BI app - Power BIMicrosoftLearnchevron-right

Service Principal Profiles Security:

LogoUse service principal profiles to manage customer data in multitenant apps - Power BIMicrosoftLearnchevron-right

Microsoft Compliance Offerings:

LogoCompliance offerings for Microsoft 365, Azure, and other Microsoft services.MicrosoftLearnchevron-right
PreviousAaaS end-to-end ArchitectureNextIn-App Help

Last updated