SEVERIAN TECHNOLOGY GROUP

Privacy notice

Severian Technology Group is a Microsoft Purview consulting practice operated by Matthew Silcox. This notice explains what data we collect through this website, what we access during client engagements, and how that information is handled.

It is written to be read. Where the terms governing a specific engagement differ from this notice, the engagement Statement of Work and Non-Disclosure Agreement control.

Effective May 2026

What we collect

From this website

When you submit the contact form, we collect the name, email address, company, and message you provide. We also collect standard server-side analytics: pages viewed, referrer, browser type, and an approximate location derived from IP address.

From client engagements

Our engagements require access to your Microsoft 365 tenant. Under the admin consent you grant, we access Exchange Online mailbox content, SharePoint Online sites, OneDrive for Business storage, and Microsoft Teams data within the scope defined by the engagement.

The artifacts we generate from that access (scan result metadata, configuration documentation, written deliverables) are the only material that leaves the tenant boundary.

From the blog

Our blog is hosted on Ghost at severian.ghost.io. Email subscriptions, reading analytics, and any data collected through the blog platform are governed by Ghost's privacy policy, not this one.

How we use it

Contact form submissions are used to respond to your inquiry. Engagement data is used to produce the deliverables you have engaged us to produce. Website analytics are used in aggregate to understand traffic patterns and improve the site.

We do not sell personal data. We do not use advertising trackers. We do not share contact information with third parties for marketing purposes. We do not build behavioral profiles of website visitors.

Engagement data

Our consulting work (Purview Data Risk Assessments, Copilot Readiness Assessments, and Enterprise Purview Readiness engagements) requires access to your Microsoft 365 tenant. The terms below apply to that access.

Authority

We access tenant data only after explicit administrative consent has been granted by the customer. Access is scoped to the permissions the customer authorizes and limited to the duration of the engagement.

Scope

Access is restricted to the workloads required by the engagement, typically Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams. We do not request, and do not retain, permissions beyond what the scope of work requires.

Retention

We do not retain customer tenant data after deliverable handoff. Engagement artifacts (written deliverables, scan result metadata, configuration documentation) are retained only as long as the engagement requires, then deleted on the schedule defined in the Statement of Work.

Egress

Raw mailbox or workload content is not exported from your tenant. Deliverables contain metadata and findings, not the underlying records.

The SIT Scanner

Severian operates a proprietary at-rest scanning tool that detects Sensitive Information Types (Social Security Numbers, credit card numbers, protected health information markers, and similar patterns) in Exchange Online mailbox content. The specifics of how it handles data are worth being explicit about.

The tool runs inside your tenant using the delegated or application permissions you have granted. Mailbox content is processed within tenant boundaries and is not transmitted to any system outside the tenant.

What we receive in the engagement deliverable is match metadata: the type of Sensitive Information Type matched, the count of matches, and the location (mailbox, folder, message identifier).

Raw mailbox content is never copied, exported, or stored on Severian-controlled infrastructure. Match metadata is retained only as long as the engagement requires.

Retention and deletion

Contact form submissions

Retained for twenty-four months unless the inquiry develops into a paid engagement, in which case retention follows the engagement schedule. Earlier deletion is available on request.

Engagement deliverables and scan metadata

Retained per the schedule defined in the engagement Statement of Work. The customer may request deletion at or after engagement close.

Tenant access

Administrative consent is the customer's to revoke at any time. As a standard practice, we revoke our own access at engagement close.

Website analytics

Aggregated traffic data is retained for fourteen months.

Deletion requests for any data we hold can be sent to privacy@severiansecurity.com.

Vendors and cookies

Third-party services

Our business operations rely on a small set of vendors: Microsoft 365 and Azure for engagement workloads and business communication, Ghost for blog hosting, and standard infrastructure providers for the website itself.

Vendors that handle engagement data operate under contracts that flow down the customer's regulatory obligations. Specific subprocessors involved in a given engagement are documented in the engagement Data Processing Agreement.

Cookies

This website uses only the cookies required for the site to function. No advertising cookies, no cross-site tracking, no behavioral profiling. The site continues to work if cookies are disabled in your browser.

Regulatory context

Our customers operate under HIPAA in healthcare, GLBA in financial services, CMMC in government and defense, and the disclosure regimes that govern the nonprofit and professional services sectors. Our data handling practices during engagements are designed to align with the compliance frameworks we help customers implement.

Customers subject to specific regulatory frameworks should reference their engagement Statement of Work and Non-Disclosure Agreement for the data handling terms that govern their particular engagement. Those documents control where they differ from this notice.

Contact

Questions about this notice, requests to access or delete information we hold about you, or anything else privacy-related can be sent to the address below.