Trust, by architecture
StratoLens is self-hosted by design. It runs inside your own Azure tenant, so your resource, cost, and activity data never leaves your control.
Your data stays in your tenant
StratoLens deploys inside your own Azure subscription. Your resource, cost, and activity data never leaves your control.
Least-privilege access
Scans run under an identity you control, using read-only Azure roles. There is no standing vendor access to your environment.
Transparent telemetry
Only minimal license-validation data is transmitted. Usage metrics can be disabled, and user identifiers are hashed.
Data Sovereignty & Self-Hosted Architecture
StratoLens deploys as an Azure Managed Application inside your own Azure subscription. Every scan runs within your tenant, and the data it produces stays there.
- Your Azure resource inventory, cost data, activity logs, access reports, and compliance evidence never leave your tenant.
- There is no inbound path from StratoLens into your environment — we cannot reach your resources.
- You own and control the infrastructure StratoLens runs on, governed by your existing Azure controls and policies.
Why this matters: For regulated and security-conscious teams, keeping sensitive infrastructure data inside your own boundary removes an entire class of third-party data-exposure risk.
Application Security
Because StratoLens runs in infrastructure you control, the runtime attack surface is governed by your own Azure security posture — network controls, identity, and policy all remain yours.
- All communication with StratoLens services (license validation and any usage telemetry) is encrypted in transit over TLS/HTTPS.
- StratoLens is built with secure development practices and routine dependency maintenance.
- Updates are delivered automatically in the app, and automatic updates can be disabled.
Access & Permissions Model
StratoLens follows the principle of least privilege. It reads only the Azure metadata it needs to do its job — nothing more.
- Scans run under an identity you provision and control, using read-only Azure roles.
- As the vendor, we have no standing access to your environment — access lives entirely within your tenant.
- Access to the StratoLens application itself is governed by role-based access control.
See the installation guide for the exact Azure roles StratoLens requests.
Privacy & Data Handling
The only data the application transmits to StratoLens is what we need to validate your license — plus optional usage metrics that help us improve the product and can be disabled at any time.
- License-validation data (such as an anonymous installation ID, tenant ID, and resource counts) is sent after each scan.
- Usage and error metrics are optional and can be disabled at any time in Settings > General > Privacy & Data Sharing.
- Where user activity is shared, identifiers are SHA-256 hashed and truncated — not reversible to a real identity.
What we never collect
- Azure resource names, IDs, or configurations
- Subscription names or identifiers
- Credentials, secrets, or authentication data
- Cost amounts or billing data
- Activity log content
- Policy findings or security configurations
Full details are in the Application Privacy Policy. For data collected through this website, see the Website Privacy Policy.
Subprocessors
Responsible Disclosure
We welcome reports from security researchers. If you believe you have found a security vulnerability in StratoLens or this website, please tell us so we can address it.
- Email contact@strato-lens.com with details and steps to reproduce.
- Please give us a reasonable opportunity to investigate and remediate before any public disclosure.
- Act in good faith, avoid privacy violations and service disruption, and only test against assets you are authorized to test.
We will not pursue or support legal action against researchers who report vulnerabilities in good faith and in line with this policy.