> For the complete documentation index, see [llms.txt](https://docs.cloud-halo.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.cloud-halo.io/trust-and-support/security-and-data-protection.md).

# Security and data protection

Cloud Halo is designed around read-only Azure access, workspace isolation, and least-privilege product roles.

## Azure access

Cloud Halo does not need permission to create, update, or delete Azure resources. The Azure permissions guide explains the read-only roles required for cost visibility and recommendations.

Use the narrowest Azure scope that matches your reporting needs. For many teams this is subscription scope.

## Workspace isolation

Customer data is organised by workspace. Users can only access workspaces where they are members, and sensitive actions require the appropriate workspace role.

MSP and consultancy users should create separate client workspaces to keep customer data, users, alert routing, and reports separated.

## Credentials

For Service Principal connections, Cloud Halo stores the client secret server-side and does not display it back in the browser after setup.

Rotate Azure credentials according to your organisation policy. If a secret is rotated in Azure, update the Cloud Halo connection before the old secret expires.

## Data handling

Cloud Halo uses Azure cost, subscription, tag, recommendation, and connection-health data to power dashboards, budgets, recommendations, allocation, reporting, and alerts.

See the Privacy Policy and DPA for legal terms covering personal data, processors, retention, and customer responsibilities.

## Security questions

For security reviews, contact <security@cloud-halo.io> or use the contact route provided by your Cloud Halo representative. Do not send secrets, client secrets, or access tokens by email.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.cloud-halo.io/trust-and-support/security-and-data-protection.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
