Privacy Policy
How Defender Analytics handles your data and why your security data never leaves your environment.
- Effective: February 20, 2026
- Zero Data Collection
- Microsoft Certified App
Your Data Stays in Your Environment Always.
Defender Analytics connects directly to your Microsoft Defender for Endpoint tenant via your own Azure App Registration. Brickclay never receives, transmits, stores, or processes your security data. All credentials and data remain exclusively within your organisation’s Microsoft tenancy.
About This Policy
1. About This Policy
This Privacy Policy applies to the Defender Analytics Power BI application developed and published by Brickclay (“we”, “us”, “our”). Defender Analytics is a free Power BI template app available on Microsoft AppSource that enables organisations to visualise and act on data from Microsoft Defender for Endpoint.
This Privacy Policy applies to the Defender Analytics Power BI application developed and published by Brickclay (“we”, “us”, “our”). Defender Analytics is a free Power BI template app available on Microsoft AppSource that enables organisations to visualise and act on data from Microsoft Defender for Endpoint.
Data We Do Not Collect
2. What We Do (and Don’t) Collect
Security & Endpoint Data Not Collected
Defender Analytics does not collect, receive, process, or store any of the following:
- Microsoft Defender for Endpoint alerts, incidents, or vulnerability data
- Service inventory, machine health scores, or exposure scores
- User identity information from your Active Directory or Azure AD
- Network topology, IP addresses, or security event logs
- Any data retrieved from the Microsoft Graph API or WindowsDefenderATP API
All data fetched via these APIs is transmitted directly between your Power BI workspace and your Microsoft Defender for Endpoint tenant. Brickclay is entirely outside this data path.
Credentials & Authentication Not Stored by Brickclay
To connect the app to your environment, you are required to create an Azure App Registration in your own Azure Active Directory. This generates a Client ID, Tenant ID, and Client Secret. These credentials:
- Are entered directly into your Power BI workspace parameters
- Are stored within your Microsoft Power BI / Azure environment only
- Are never transmitted to, viewed by, or stored by Brickclay
| Data Type | Collected by Brickclay? | Where It Lives |
|---|---|---|
| Defender security alerts & incidents | NOT COLLECTED | Your Microsoft tenant |
| Device & vulnerability data | NOT COLLECTED | Your Microsoft tenant |
| Azure App credentials (Client ID / Secret) | NOT COLLECTED | Your Azure App Registration |
| Power BI workspace data | NOT COLLECTED | Your Power BI tenant |
| Email address (contact opt-in) | OPTIONAL | Brickclay CRM (with consent) |
| Usage telemetry / analytics | NOT COLLECTED | N/A |
Contact & Communication (Optional)
If you choose to subscribe to product updates, request a trial licence, or contact us for support, we may collect your name, email address, and organisation name. This information is:
- Provided voluntarily by you — never captured automatically
- Used only to respond to your enquiry or send relevant product communications
- Never sold, licensed, or shared with third parties for marketing purposes
- Stored in Brickclay’s internal CRM with standard enterprise security controls
You may unsubscribe from communications at any time by emailing subscriptions@brickclay.com.
Authentication Architecture3. How Authentication & Data Flow Works
Understanding how Defender Analytics connects to your data is important for evaluating the privacy and security posture of the application. The architecture is designed to be zero-trust by default — your data never exits your Microsoft environment.
Contact & Communication (Optional)
If you choose to subscribe to product updates, request a trial licence, or contact us for support, we may collect your name, email address, and organisation name. This information is:
- Provided voluntarily by you — never captured automatically
- Used only to respond to your enquiry or send relevant product communications
- Never sold, licensed, or shared with third parties for marketing purposes
- Stored in Brickclay’s internal CRM with standard enterprise security controls
Step-by-Step Data Flow
Defender Analytics does not collect, receive, process, or store any of the following:
- You create an Azure App Registration in your own Azure Active Directory tenant.
- You grant that app registration the required Microsoft Graph and WindowsDefenderATP API permissions.
- You enter the App Registration’s Client ID, Tenant ID, and Client Secret into your Power BI workspace.
- Power BI uses these credentials to authenticate directly against Microsoft’s APIs — no Brickclay servers are involved.
- Microsoft returns security data exclusively to your Power BI workspace.
- Brickclay’s dashboards (the template app) visualise that data within your Power BI environment.
API Permissions Requested
The following Microsoft API permissions are required for the app to function. These are granted by your Global Administrator and remain scoped to your Azure tenant:
| API | Permission | Access Type |
|---|---|---|
| Microsoft Graph | Application.Read.All | Read-only |
| Microsoft Graph | SecurityAlert.Read.All | Read-only |
| Microsoft Graph | SecurityAlert.Read.All | Read-only |
| Microsoft Graph | SecurityAlert.Read.All | Read-only |
| Microsoft Graph | User.Read.All | Read-only |
| WindowsDefenderATP | Alert.Read.All | Read-only |
| WindowsDefenderATP | Alert.Read.All | Read-only |
| WindowsDefenderATP | Score.Read.All | Read-only |
| WindowsDefenderATP | Security Recommendation.Read.All | Read-only |
| WindowsDefenderATP | Software.Read.All | Read-only |
| WindowsDefenderATP | Vulnerability.Read.All | Read-only |
All permissions are read-only. Defender Analytics cannot write to, modify, or delete any data in your environment.
Third-Party Sharing4. Third-Party Sharing & Subprocessors
Brickclay does not sell, rent, share, or license your information to third parties. Because we do not collect security or operational data, there is no such data to share.
In the limited context of contact information collected through voluntary opt-in, we may use standard business tools (such as a CRM or email platform) to manage and respond to communications. These tools are bound by their own privacy policies and are used solely to manage the contact relationship — not for analysis, resale, or profiling.
Defender Analytics is distributed through Microsoft AppSource, which is governed by Microsoft’s own terms of service and privacy policy. Brickclay does not receive information about individual installations from Microsoft.
Data Security5. Data Security & Your Responsibilities
Because Defender Analytics operates within your own Microsoft environment, the security of your data is governed primarily by your organisation’s Microsoft security controls, Azure Active Directory policies, and Power BI governance settings.
Your Responsibilities
- App Registration Security: Treat the Client Secret generated during setup as a sensitive credential. Rotate it regularly according to your organisation’s credential management policy.
- Access Control: Use Power BI’s built-in role-based access control (RBAC) to restrict dashboard access to authorised personnel only.
- Licence Management: Ensure only users with appropriate clearance can view sensitive security dashboards.
- Secret Rotation: When a Client Secret expires or is rotated, update the Power BI data source credentials accordingly to maintain uninterrupted access.
Brickclay’s Commitments
- We do not create backdoors, remote access mechanisms, or telemetry within the application.
- We publish app updates through Microsoft AppSource’s controlled update process.
- We never request credentials or sensitive data via email, phone, or any channel outside the official setup flow.
Cookies & Tracking
6. Cookies & Tracking
The Defender Analytics Power BI application itself does not use cookies or any tracking technology. It is a Power BI template app — not a web application — and operates entirely within the Microsoft Power BI platform.
If you visit the Brickclay website (brickclay.com), standard web analytics tools may be in use in accordance with our site-wide privacy policy. Those tools are separate from the Defender Analytics application and are governed by Brickclay’s website privacy practices.
Eligibility7. Eligibility & Enterprise Use
Defender Analytics is an enterprise security analytics product intended for use by organisations, security teams, and IT professionals with Microsoft Defender for Endpoint licences. It is not intended for use by individuals under 18 years of age, and we do not knowingly collect information from minors.
By installing and configuring the application, the individual doing so represents that they have the authority to create Azure App Registrations and grant API permissions on behalf of their organisation.
Changes to This Policy8. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the application, applicable law, or our practices. When we make material changes, we will update the effective date at the top of this page.
We encourage you to review this page periodically. Your continued use of Defender Analytics after changes are posted constitutes your acceptance of the updated policy. If you have concerns about any changes, please contact us before continuing use.
Contact Us9. Contact Us
If you have questions about this Privacy Policy, want to exercise any data rights, or need to unsubscribe from communications, please reach out:
- Email: subscriptions@brickclay.com
- Company: Brickclay
- Product: Defender Analytics Power BI App
We aim to respond to all privacy-related enquiries within 5 business days.