Security

Last updated: June 2026

Our security principle: BYON

SpendWeave is designed around a Bring-Your-Own-Network (BYON) principle: your Microsoft Fabric telemetry never transits our infrastructure. This is not a privacy marketing claim — it is a structural architectural constraint that eliminates an entire class of data-breach risk.

Free Audit: 100% client-side

The free CSV audit runs entirely in your browser:

  • The CSV file is parsed by a WebAssembly-safe JavaScript engine running in your browser tab
  • No bytes of the CSV are transmitted to any server — including ours
  • The computed result (aggregated metrics only) is held in sessionStorage for the report page handoff, then discarded on tab close
  • You can verify this by opening DevTools → Network before running an audit: zero outbound requests are made during parsing
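The following is an added example, not SpendWeave's own audit code: it shows the shape of a client-side CSV audit in which raw rows stay in memory and only the aggregated summary is handed off to storage. The column names (`workspace`, `cu_seconds`), the storage key and the sample CSV are assumptions constructed for illustration.

```javascript
// Added example (not SpendWeave's code): browser-side CSV audit that keeps raw rows
// in memory only and persists aggregated metrics alone.
// The column names 'workspace' and 'cu_seconds' are assumptions for illustration.

// Minimal RFC 4180-style CSV parser: handles quoted fields, escaped quotes ("")
// and commas or newlines inside quotes. Returns an array of rows (arrays of strings).
function parseCsv(text) {
  const rows = [];
  let row = [], field = '', inQuotes = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inQuotes) {
      if (c === '"') {
        if (text[i + 1] === '"') { field += '"'; i++; }   // escaped quote
        else inQuotes = false;
      } else field += c;
    } else if (c === '"') {
      inQuotes = true;
    } else if (c === ',') {
      row.push(field); field = '';
    } else if (c === '\n' || c === '\r') {
      if (c === '\r' && text[i + 1] === '\n') i++;        // CRLF
      row.push(field); rows.push(row); row = []; field = '';
    } else field += c;
  }
  if (field.length || row.length) { row.push(field); rows.push(row); }
  return rows;
}

// Aggregate capacity-unit seconds per workspace. Only totals are returned; the
// row-level data is dropped with the local variables when the function returns.
function aggregateAudit(csvText) {
  const [header = [], ...rows] = parseCsv(csvText);
  const wsIdx = header.indexOf('workspace');
  const cuIdx = header.indexOf('cu_seconds');
  if (wsIdx < 0 || cuIdx < 0) throw new Error('missing required columns');
  const perWorkspace = {};
  let total = 0, rowCount = 0;
  for (const r of rows) {
    if (r.length !== header.length) continue;             // skip malformed rows
    const cu = Number(r[cuIdx]);
    if (!Number.isFinite(cu)) continue;                   // skip non-numeric values
    perWorkspace[r[wsIdx]] = (perWorkspace[r[wsIdx]] || 0) + cu;
    total += cu; rowCount++;
  }
  return { rowCount, totalCuSeconds: total, perWorkspace };
}

// Report-page handoff: serialise only the aggregate. In a browser `storage` is
// sessionStorage (cleared when the tab closes); a null or object stand-in lets the
// function run under Node as well. Returns the exact payload that gets stored.
function storeAuditSummary(summary, storage = globalThis.sessionStorage) {
  const payload = JSON.stringify(summary);
  if (storage && typeof storage.setItem === 'function') storage.setItem('auditSummary', payload);
  return payload;
}

// Constructed sample input (not real telemetry).
const SAMPLE_CSV = 'workspace,cu_seconds,note\nFinance,120.5,"a, quoted"\nFinance,30\nSales,"50",x\n';
```

Because `storeAuditSummary` serialises the return value of `aggregateAudit` and nothing else, the persisted payload can never contain a raw row; the DevTools check described above confirms the same property at the network layer.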

SpendWeave Monitor: delegated OBO tokens

The Monitor uses Azure Entra ID On-Behalf-Of (OBO) delegated authentication:

  • Tokens are scoped to your tenant and issued by your Azure AD — we never receive your Fabric admin or workspace credentials
  • Tokens carry only the permissions you grant during the OAuth consent flow (read-only Capacity Metrics APIs by default)
  • Our control-plane API uses the token to read telemetry on your behalf and immediately writes it to a customer-owned Azure Data Explorer (Kusto) database in your subscription — nothing is stored in SpendWeave's cloud
  • Tokens are short-lived and refreshed via standard MSAL silent-auth; we store no refresh tokens server-side
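As an added example (not SpendWeave's code), the block below shows the claim checks a relying party would run on a delegated access token before acting on it: tenant binding (`tid`), least-privilege scopes (`scp`) and lifetime (`exp`/`iat`). The scope name `Capacity.Read.All`, the 24-hour lifetime ceiling and the sample token are assumptions; the sample token is unsigned, and signature verification against the issuer's published keys is deliberately left out here and must happen first in a real validator.

```javascript
// Added example (not SpendWeave's code): inspect a delegated access token's claims.
// It decodes the payload WITHOUT verifying the signature; a real validator checks the
// signature against the issuer's published keys before trusting any claim.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns { ok, problems }; an empty problems array means every check passed.
// maxLifetimeSec (24h) is an assumed ceiling, not a documented SpendWeave value.
function checkDelegatedToken(jwt, { expectedTenant, allowedScopes, now = Date.now() / 1000, maxLifetimeSec = 24 * 3600 }) {
  const problems = [];
  const parts = jwt.split('.');
  if (parts.length !== 3) return { ok: false, problems: ['not a compact JWS (expected 3 segments)'] };
  let claims;
  try { claims = JSON.parse(base64UrlDecode(parts[1])); }
  catch { return { ok: false, problems: ['payload is not valid base64url JSON'] }; }

  // (1) Tenant binding: tid must be the tenant the token was requested for.
  if (claims.tid !== expectedTenant) problems.push(`tid ${claims.tid} != expected ${expectedTenant}`);

  // (2) Least privilege: every delegated scope (space-separated scp) must be on the allowlist.
  const scopes = typeof claims.scp === 'string' ? claims.scp.split(' ').filter(Boolean) : [];
  if (scopes.length === 0) problems.push('no delegated scopes (scp) present');
  for (const s of scopes) if (!allowedScopes.includes(s)) problems.push(`unexpected scope: ${s}`);

  // (3) Lifetime: reject expired tokens and tokens issued with an unusually long validity.
  if (typeof claims.exp !== 'number' || claims.exp <= now) problems.push('token expired or exp missing');
  if (typeof claims.iat === 'number' && claims.exp - claims.iat > maxLifetimeSec) problems.push('token lifetime exceeds ceiling');

  return { ok: problems.length === 0, problems };
}

// Build a constructed, unsigned sample token for demonstration. The third segment is a
// placeholder, so this token would (correctly) fail any signature check.
function makeSampleToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.placeholder-signature`;
}

// Assumed read-only scope name for the capacity metrics API (illustrative only).
const ALLOWED_SCOPES = ['Capacity.Read.All'];
```

The third check is what makes the "short-lived tokens, no server-side refresh tokens" property observable: a token whose `exp` lies far beyond its `iat` is a signal that something other than the expected silent-refresh flow issued it.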

No central telemetry vault

SpendWeave operates no central database of customer capacity telemetry. The only data that ever reaches our infrastructure is your email address and aggregated audit summary metrics (which you choose to share when unlocking the report). There is no "our database" that, if breached, would expose your Fabric spend data — because that data never enters our systems.

Transport & application security

  • TLS 1.2+ enforced on all SpendWeave origins (spendweave.com, api.spendweave.com, app.spendweave.com) via Cloudflare
  • Content Security Policy: script-src 'self' blocks inline script injection; connect-src is allowlisted to our own API and Microsoft login endpoints only
  • X-Content-Type-Options: nosniff and X-Frame-Options: DENY on all responses
  • Referrer-Policy: no-referrer to prevent leaking Fabric tenant metadata in referer headers
  • HSTS via Cloudflare edge
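The following is an added example, not SpendWeave's code: a response-header audit that checks a set of headers against the policy listed above (`script-src 'self'`, an allowlisted `connect-src`, `nosniff`, `DENY`, `no-referrer`, HSTS). The connect-src allowlist entries, the one-year HSTS `max-age` threshold and the sample header sets are assumptions.

```javascript
// Added example (not SpendWeave's code): audit HTTP response headers against the
// policy described above. Allowlist origins and the HSTS threshold are assumptions.

const ALLOWED_CONNECT = ['https://api.spendweave.com', 'https://login.microsoftonline.com'];

// Parse a CSP header value into { directiveName: [sourceExpressions] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Case-insensitive header lookup on a plain { name: value } object.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Returns the list of policy violations; an empty array means the response is compliant.
function auditSecurityHeaders(headers, allowedConnect = ALLOWED_CONNECT) {
  const findings = [];

  const csp = getHeader(headers, 'content-security-policy');
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    const d = parseCsp(csp);
    const scriptSrc = d['script-src'];
    if (!scriptSrc) findings.push('CSP lacks script-src');
    else if (scriptSrc.length !== 1 || scriptSrc[0] !== "'self'")
      findings.push(`script-src must be exactly 'self', got: ${scriptSrc.join(' ')}`);
    const connectSrc = d['connect-src'];
    if (!connectSrc) findings.push('CSP lacks connect-src');
    else for (const src of connectSrc)
      if (!allowedConnect.includes(src)) findings.push(`connect-src not allowlisted: ${src}`);
  }

  if ((getHeader(headers, 'x-content-type-options') || '').toLowerCase() !== 'nosniff')
    findings.push('X-Content-Type-Options must be nosniff');
  if ((getHeader(headers, 'x-frame-options') || '').toUpperCase() !== 'DENY')
    findings.push('X-Frame-Options must be DENY');
  if ((getHeader(headers, 'referrer-policy') || '').toLowerCase() !== 'no-referrer')
    findings.push('Referrer-Policy must be no-referrer');

  // HSTS: require a max-age of at least one year (assumed threshold).
  const hsts = getHeader(headers, 'strict-transport-security') || '';
  const maxAge = /max-age=(\d+)/i.exec(hsts);
  if (!maxAge || Number(maxAge[1]) < 31536000) findings.push('HSTS missing or max-age below one year');

  return findings;
}

// Constructed sample header sets (not captured from a live origin).
const COMPLIANT_HEADERS = {
  'Content-Security-Policy': "default-src 'none'; script-src 'self'; connect-src https://api.spendweave.com https://login.microsoftonline.com",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'no-referrer',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
};
const WEAK_HEADERS = {
  'Content-Security-Policy': "script-src 'self' 'unsafe-inline'; connect-src https://api.spendweave.com https://cdn.example",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Strict-Transport-Security': 'max-age=31536000',
};
```

Running the audit against `WEAK_HEADERS` reports three findings: `'unsafe-inline'` reintroduces the inline-script injection surface that `script-src 'self'` closes, the extra connect-src origin lets page script talk to a host outside the API and login endpoints, and the missing Referrer-Policy would let tenant metadata in URLs leak through the Referer header.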

Responsible disclosure

If you discover a security vulnerability in SpendWeave, please report it responsibly to [email protected] with the subject line "Security disclosure". We aim to acknowledge reports within 48 hours and resolve critical issues within 7 days. We do not currently operate a paid bug-bounty programme, but we will credit researchers with their consent.

Questions

Security or compliance questions: [email protected]