Home / Security
Security architecture

How your data moves — and why it can't leak.

Secrets in Azure Key Vault and managed identity — no standing credentials in the application. Permissions captured on the way in, enforced on the way out.

Your systems

Each doc keeps its native ACL

OAuth 2.0 · least-privilege · TLS in transit.

Secure ingestion

Delta sync — no bulk copies

PII redacted · ACLs attached · AES-256 at rest (BYOK).

Governed knowledge

Encrypted index, ACLs indexed

Hash-chained ledger records every ingest, read, export & disposition.

People & AI agents

Only what they're entitled to

SSO identity · permission-aware retrieval · DLP at egress.

What no one else does: ACLs travel with every document and are enforced at query time — sensitive content is redacted on the way in and blocked at egress. Your knowledge is never flattened, co-mingled, or exposed beyond its source permissions.

Controls

Defense in depth, end to end.

Identity & access

OAuth 2.0 connections, least-privilege scopes, SSO, and permission-aware retrieval against your live directory.

Native ACL preservation

Source permissions travel with each document and are enforced at query time — never flattened.

Encryption & keys

TLS in transit, AES-256 at rest, BYOK in your own Key Vault, and managed identity with no standing credentials.

DLP at egress

Sensitive data detected and blocked, justified, or redacted at the moment it tries to leave.

Tamper-evident ledger

Every ingest, read, export, and disposition is hash-chained and independently verifiable.

Sovereign deployment

Azure-native, deployable to your own cloud or on-prem, with an air-gapped option and data residency pinning.

Model-agnostic & air-gapped. Embedding and LLM providers are pluggable. Run fully self-hosted with on-prem inference and zero external calls — built for government, defense, energy, and the most regulated enterprises, whose data never has to leave their boundary.
Search

One query, every system, permission-scoped

A single search runs keyword and semantic retrieval together across SharePoint, OneDrive, Box and the rest — the same answer no matter where the file lives. Results are scoped to each user's permissions, and sensitive fields like SSNs and phone numbers are redacted before they're ever shown.

Fileport product — One query, every system, permission-scoped

Put your security team in the driver's seat.

We'll walk your architecture, identity, and residency requirements and show exactly how Fileport enforces them.

Book a demo