Lightning Tools products are designed to run within the customer's Microsoft 365 tenant, so that no product-related data is stored or processed on Lightning Tools infrastructure. This "zero-custody" model significantly reduces risk and strengthens data sovereignty. (The one exception is Forms Studio Scheduled Actions, where only the automation configuration is executed in our Azure environment; see below.)
Customer data is accessed through the Microsoft Graph API and SharePoint REST APIs, under the permissions granted in the customer's own tenant, and resides exclusively within Microsoft 365.
Secure Development Lifecycle (SDLC)
We follow a secure software development lifecycle that includes:
- Internal code reviews based on the OWASP Top 10
- Secure coding practices and role-based access controls
- Integration of security testing into CI/CD pipelines
- Periodic review and improvement based on ISO 27001 standards
Penetration Testing
We work with third-party cybersecurity provider BulletProof to conduct:
- Bi-annual penetration testing of our public-facing website
- Regular testing of the Microsoft 365 CDN assets used to deliver product components
Identified risks are triaged immediately and prioritized for remediation.
Minimal Infrastructure Footprint
We do not host customer data on our own infrastructure. Lightning Tools maintains only a license key linked to the customer’s Tenant ID for validation and support purposes.
ISO 27001 & ISO 9001 Certified
We are certified in both:
- ISO/IEC 27001:2022 – Information Security Management
- ISO 9001:2015 – Quality Management
Issued by Citation in April 2023 and April 2024, these certifications demonstrate our commitment to excellence in secure, high-quality software development and operational processes.
GDPR & Data Protection
We comply with the UK Data Protection Act 2018 and General Data Protection Regulation (GDPR). We apply the principles of data minimization, secure storage, access controls, and transparency in all business operations.
We only collect essential business information (e.g., name, company, contact details) for licensing, billing, and support. No product-related customer data is collected or stored by Lightning Tools.
Supporting Your Compliance
Our solution DeliverPoint helps customers stay compliant by offering:
- SharePoint and Microsoft Teams permission auditing
- Reporting on external sharing
- Scheduling of automated governance reports
What We Collect
We collect personal and company data necessary for business operations:
- Name, company, job title
- Email and phone number
This data is collected through license registrations, support forms, and product inquiries.
Why We Collect It
We use this information for:
- Licensing and subscription management
- Customer onboarding and support
- Marketing communications (opt-in only)
- Billing and payment
We do not access or collect product usage data or content stored within customer tenants.
Third-Party Services
We use the following third-party services:
- HubSpot – CRM, customer support, and email marketing
- Stripe – Secure billing and payment processing
- Microsoft 365 – Internal communication and collaboration
These services are carefully vetted to ensure they meet privacy and security standards.
Internal Oversight
Our data privacy is managed by a cross-functional team:
- Chief Technology Officer (CTO)
- Chief Information Security Officer (CISO)
- Data Protection Officer (DPO)
Data Access & Removal
You may request a copy of your data or ask us to delete it by contacting:
Hosted in Your Tenant
Our products are deployed using SharePoint Framework (SPFx) directly into the customer’s Microsoft 365 tenant. All data, such as list items or documents, remains fully under the customer’s control and within their Microsoft 365 environment.
Microsoft 365 CDN
We use the Microsoft 365 CDN to deliver product assets (the SPFx bundles and static files that make up the product components). This allows fast, secure, and scalable delivery without storing any customer data.
Minimal Data Storage
The only data stored externally is:
- A license key linked to the customer's Tenant ID
We do not store customer content, configurations, or metadata on our infrastructure.
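To make the "license key linked to the customer's Tenant ID" model concrete, the following is an added illustration (written for this page, not Lightning Tools' actual licensing code or format) of one way such a binding can be checked: a license payload is signed by the vendor, and the client-side check, which holds only the public key, rejects the token if the signature is wrong, if the embedded tenant ID does not match the tenant the code is running in, or if the license has expired. The key pair, the two tenant GUIDs, the product name and the token format are all constructed for the example; in a real SPFx web part the expected tenant ID would come from the page context rather than a literal.

```typescript
// Added example: a tenant-bound, signed license token.
// Hypothetical scheme for illustration; not Lightning Tools' implementation.
import * as crypto from "crypto";

export interface LicensePayload {
  tenantId: string; // Microsoft 365 directory (tenant) ID, a GUID
  product: string;
  expires: string;  // ISO 8601, UTC
}

export type Verdict = "valid" | "bad-format" | "bad-signature" | "wrong-tenant" | "expired";

// Canonical bytes so that issuer and verifier sign/verify identical content.
function canonical(p: LicensePayload): Buffer {
  return Buffer.from(JSON.stringify({
    tenantId: p.tenantId.toLowerCase(),
    product: p.product,
    expires: p.expires,
  }));
}

// Vendor side: Ed25519 signature over the canonical payload.
// Token = base64(payload) "." base64(signature); "." never appears in base64.
export function issueLicense(p: LicensePayload, privateKey: crypto.KeyObject): string {
  const body = canonical(p);
  const sig = crypto.sign(null, body, privateKey);
  return `${body.toString("base64")}.${sig.toString("base64")}`;
}

// Client side: only the public key ships with the product, so the client can
// verify a license but never mint one. Order matters: check the signature
// before trusting anything inside the payload.
export function verifyLicense(
  token: string,
  expectedTenantId: string,
  publicKey: crypto.KeyObject,
  now: Date = new Date(),
): Verdict {
  const parts = token.split(".");
  if (parts.length !== 2) return "bad-format";
  const body = Buffer.from(parts[0], "base64");
  const sig = Buffer.from(parts[1], "base64");
  let ok = false;
  try { ok = crypto.verify(null, body, publicKey, sig); } catch (e) { ok = false; }
  if (!ok) return "bad-signature";
  let p: LicensePayload;
  try { p = JSON.parse(body.toString()) as LicensePayload; } catch (e) { return "bad-format"; }
  if (typeof p.tenantId !== "string" || p.tenantId !== expectedTenantId.toLowerCase()) return "wrong-tenant";
  // An unparseable expiry yields NaN, which fails the comparison: treated as expired.
  if (!(new Date(p.expires).getTime() > now.getTime())) return "expired";
  return "valid";
}

// Demonstration with constructed data: one license, checked in five situations.
export function demo(): Record<string, Verdict> {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const tenantA = "0f9c1c3e-2a7b-4d61-9a55-3d2f6b8e0c11"; // constructed, not a real tenant
  const tenantB = "7a0e2b44-9c13-4f2a-8c3e-5b1d4e6f7a88"; // constructed, not a real tenant

  const token = issueLicense(
    { tenantId: tenantA, product: "ExampleProduct", expires: "2030-01-01T00:00:00Z" }, privateKey);
  const expiredToken = issueLicense(
    { tenantId: tenantA, product: "ExampleProduct", expires: "2020-01-01T00:00:00Z" }, privateKey);

  // Flip one bit of the signature to simulate tampering.
  const [body, sigB64] = token.split(".");
  const sig = Buffer.from(sigB64, "base64");
  sig[0] ^= 0x01;
  const tamperedToken = `${body}.${sig.toString("base64")}`;

  return {
    sameTenant: verifyLicense(token, tenantA, publicKey),
    sameTenantUpperCase: verifyLicense(token, tenantA.toUpperCase(), publicKey),
    otherTenant: verifyLicense(token, tenantB, publicKey),   // key reuse across tenants fails
    tampered: verifyLicense(tamperedToken, tenantA, publicKey),
    expired: verifyLicense(expiredToken, tenantA, publicKey),
    garbage: verifyLicense("not-a-token", tenantA, publicKey),
  };
}

console.log(demo());
```

The point of the tenant check is that a license copied out of one tenant is worthless in another, which is what lets a vendor hold nothing more than the key-to-tenant mapping. Verification is done before the payload is parsed so that a forged payload is never acted on, and the expiry comparison is written so that a malformed date fails closed.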
Forms Studio Scheduled Actions
For Lightning Tools Forms Studio, Scheduled Actions are processed securely in our Azure environment. No customer content is stored there; only the automation configuration is executed, per tenant.
Data Sovereignty & Isolation
Customers retain full control over data residency through their Microsoft 365 tenant configuration. Our solutions are single-tenant in design, ensuring complete isolation between customers.
Our Commitment
We maintain an active Incident Response Policy to quickly detect, investigate, and respond to security incidents. Any potential threat is assessed immediately, with a focus on transparency and customer protection.
Customer Notification
In the event of a breach that impacts customer systems or data, we notify affected customers via email with full details and remediation steps.
Logging & Auditing
We maintain audit logs related to:
- Licensing and activation
- Support access
- Security-related system events
These logs assist in proactive detection and root-cause analysis.
Continuous Improvement
We conduct post-incident reviews to prevent recurrence and to improve our internal processes continuously.
Service Level Agreement (SLA)
We offer SLAs for response times based on customer support tiers and treat any security-related inquiry with priority urgency.
Reporting Security Issues
Security researchers and customers are encouraged to report concerns via:
We follow a responsible disclosure policy and handle all reports seriously and confidentially.