Security

Designed for restricted environments.

TangleMap is built around local collection and controlled handoff because many Microsoft BI estates cannot expose broad metadata access to an external SaaS tool.

Local collection

The collector runs inside the client environment from an approved host or jump box.

Least privilege

Read-only access is preferred. Partial scans still produce value when permissions are limited.

Encrypted handoff

The MVP/pilot flow uses a password-encrypted evidence bundle for controlled transfer.

No secrets required

Secrets are not needed in the assessment output. Sensitive values are redacted or omitted.

Client-controlled context

Configs, local logs, and local execution context remain client-controlled unless explicitly shared.

Analyst-local tools

The current web/API surfaces are local analyst tooling, not a hosted multi-tenant portal.

MVP security caveat

Password-based bundle encryption is appropriate for bounded pilot handoff when handling is controlled. Final enterprise key management, hosted identity, tenant isolation, audit logging, and export authorization are later productization decisions.

Next step

Need to review the security model?

Use a walkthrough to discuss collector placement, access model, bundle handoff, and what does not leave the client environment.