Last reviewed: 15 April 2026 (2026-04-15)
1. OUR COMMITMENT
Security is foundational to everything Pantera Digital does — not a feature we bolt on at the end. As a provider of Microsoft cloud services, we take explicit responsibility for the parts of the stack that sit with us, and we are transparent about the parts that are handled upstream by Microsoft under the shared-responsibility model.
This page describes, in plain language, the organisational and technical measures we apply. A deeper technical description is available on request under NDA.
2. GOVERNANCE
- A designated security lead is accountable for the security programme and reports to senior management.
- Written security policies are reviewed at least annually and whenever there is a material change to services, tooling, or applicable law.
- All staff are subject to confidentiality obligations in their employment or contractor agreements.
- Questions or reports can be sent to security@pantera-digital.com.
3. ORGANISATIONAL MEASURES
- Background screening of staff and contractors where permitted by law and proportionate to the role.
- Security and privacy training at onboarding and at least annually thereafter, plus role-specific training for staff with administrative access.
- Clear joiner / mover / leaver procedures, including prompt revocation of access when a person changes role or leaves.
- A documented risk register reviewed by management on a regular cadence.
4. TECHNICAL MEASURES
- Strong authentication. Multi-factor authentication (MFA) is required for all staff, on all administrative and productivity systems.
- Encryption in transit. TLS 1.2 or higher for all external traffic; internal service-to-service traffic encrypted where feasible.
- Encryption at rest. Provided by the underlying Microsoft services for customer data held on Microsoft platforms; provided by the platform for Pantera Digital's own operational data.
- Least-privilege access. Role-based access control; periodic access reviews; privileged access time-bound.
- Endpoint protection. Managed endpoint security on company devices, including disk encryption, anti-malware, and centralised policy enforcement.
- Patch management. Timely application of vendor security updates on systems we operate.
- Logging and monitoring. Structured logs of administrative actions, with retention calibrated to investigative need and legal obligation.
5. CUSTOMER TENANT ACCESS (GDAP)
When a customer engages us to deliver managed services or administrative support in their Microsoft 365 or Azure tenant, we use Granular Delegated Admin Privileges (GDAP) rather than the legacy Delegated Admin Privileges (DAP) model that Microsoft has deprecated. In practice this means:
- Access is scoped — we request only the Entra ID roles strictly needed for the engagement.
- Access is time-bound — each relationship expires automatically; extension requires re-authorisation.
- Access is revocable — the customer can terminate our GDAP relationship at any time from their own Partner Center controls.
- All actions we take in a customer tenant are logged in that tenant's audit log, visible to the customer.
6. SUB-PROCESSORS
When we process personal data on a customer's behalf we engage a limited set of sub-processors — primarily Microsoft for the cloud services the customer has purchased, plus a small number of operational providers (for example, hosting, email, and helpdesk platforms). A current list is available on request at privacy@pantera-digital.com, and our standard Data Processing Agreement (DPA) aligns with Article 28 GDPR and flows Microsoft's Product Terms through to customers.
7. INCIDENT RESPONSE
We maintain a documented incident-response runbook. In the event of a confirmed security incident affecting a customer, we:
- Contain and mitigate the incident as quickly as practicable.
- Notify the affected customer without undue delay.
- Where the incident involves a personal data breach, notify the competent supervisory authority within the 72-hour window set by Article 33 GDPR, and affected data subjects when required under Article 34.
- Conduct a post-incident review and implement improvements.
8. BUSINESS CONTINUITY
Our design is cloud-first, which gives us inherent geographic redundancy for the services we resell. For the Microsoft cloud services we deliver, we pass through the financially backed Microsoft Online Services Service Level Agreements. Customer-specific service credits and availability commitments, if any, are defined in the customer's Master Services Agreement.
9. UPSTREAM CLOUD CONTROLS
Because we deliver Microsoft cloud services, a significant portion of the security, compliance, and data-residency controls is provided by Microsoft under its shared-responsibility model. Authoritative documentation — including SOC 2, ISO 27001, ISO 27018, and regional data-location guarantees — is maintained by Microsoft in the Microsoft Trust Center.
Pantera Digital does not hold third-party security certifications at this time; when we achieve any such certification, this page will be updated accordingly.
10. RESPONSIBLE DISCLOSURE
If you believe you have identified a security vulnerability in the Pantera Digital website or services, please contact security@pantera-digital.com. We commit to good-faith engagement with researchers who follow responsible-disclosure principles: investigation without public disclosure until a fix is in place, no data exfiltration beyond what is necessary to demonstrate the issue, and no disruption of service.
11. CONTACT