Security

Last updated: 8 June 2026

Security is built into how Athena is designed. The single most important thing to understand is that Athena runs inside your own Microsoft 365 tenant, so your data stays where it already lives, under the controls you already trust. This page explains what that means in practice, and how we protect our own systems.

Athena lives in your tenant

Athena is a suite of SharePoint Framework (SPFx) webparts, built on SPFx 1.21.1. You install it as a single .sppkg package into your Microsoft 365 tenant app catalog. From that point on it runs entirely inside your tenant.

There is no separate Athena server, no external hosting, no Azure functions of ours, and no third-party SaaS layer sitting between your staff and their content. When a webpart needs to store something, such as a noticeboard post, a knowledge base article, or an org chart entry, it provisions and uses a standard SharePoint list inside your own site. That content is your content, held in your tenant.

The practical effect is straightforward. No customer data leaves the tenant boundary. We do not receive it, store it, or process it in the ordinary course of running the software. Athena inherits the security, compliance, data residency, and governance posture you have already set up in Microsoft 365, rather than introducing a new place for your data to sit.

You keep your existing controls

Because everything runs in your tenant, the controls you rely on across Microsoft 365 continue to apply to Athena without any extra work:

  • Identity and access. Users sign in with their existing Microsoft 365 accounts. Athena does not have its own login, its own password store, or its own user directory. Your Conditional Access, multi-factor authentication, and identity policies apply as normal.
  • Permissions. Athena respects SharePoint permissions. People see what their site and list permissions allow them to see, and nothing more. Audience targeting in the webparts narrows visibility further; it never widens it.
  • Data residency and compliance. Your tenant's geography, retention policies, eDiscovery, Microsoft Purview controls, and audit logging all cover Athena content, because that content is ordinary SharePoint data.
  • Backup and recovery. Athena content is covered by whatever backup and retention you already run for SharePoint.

What we can and cannot see

In normal operation we have no access to your tenant or your data. We cannot read your noticeboard, your articles, or your users.

If you ask us for help with a problem and we need to see something inside your environment, that only happens when you choose to grant access or share it with us, for example in a screen share or by adding us to a site for a defined period. We will agree the scope with you first, and you can remove that access at any time. If a piece of support work means we would handle personal data on your behalf, we can put a data processing agreement in place. Just ask.

How we build and ship Athena

We keep the product itself secure through disciplined engineering. The .sppkg package you install is built from our own source and runs within the SPFx security model, which sandboxes client-side code and limits what an app can do in the tenant. Athena requests only the permissions it needs to function, and any required API permissions are visible to your administrators for approval at install time, so nothing is granted without your sign-off.

We keep dependencies up to date, review code changes before release, and test before we publish a new version. Updates are delivered as new package versions that your administrators choose to deploy.

Our website and business systems

The marketing and sales side of Athena is separate from the product, and we secure it too.

Our website is served over HTTPS through Cloudflare, which hosts the site and provides TLS encryption, content delivery, and protection against denial-of-service and other common attacks.

Payments are handled entirely by Stripe, a PCI DSS Level 1 certified payment provider. We never see or store full card numbers; that data goes directly to Stripe.

For our own business data, such as enquiries, customer records, and support correspondence, we use Microsoft 365 with access limited to the people who need it, multi-factor authentication on accounts, and the principle of least privilege. The Privacy Policy explains what we hold and why.

Reporting a vulnerability

If you think you have found a security issue in Athena or on our website, please tell us so we can fix it. Email [email protected] with the details and steps to reproduce it. We will acknowledge your report, investigate, and keep you updated.

Please give us a reasonable chance to resolve the issue before sharing it publicly, and please do not access, change, or delete data that is not yours, or disrupt our services, while testing. We are a small team and we are grateful to anyone who reports a problem responsibly.

Questions

For anything about security or compliance, including help with a vendor security review or a data processing agreement, email [email protected].
