Fabric Workload Compliance Attestation

AES ETL Control Panel for Microsoft Fabric

Publisher: Assurance eServices
Workload Name: AssuranceEServices.AESETLPanel
Version: 3.8
Last Updated: April 28, 2026

---

This information pertains to the Assurance eServices AES ETL Control Panel workload that is published to the Microsoft Fabric platform. Contained within this documentation are declarations of data usage, compliance standards, and operational characteristics within the workload.

We, the vendor, Assurance eServices (AES), confirm and attest to reviewing, meeting and complying with the requirements outlined in the Microsoft Fabric Extensibility Toolkit, specifically the Publishing Requirements located at the Microsoft Official Workload Documentation page.

The following sections document details, exceptions, or variances regarding the attestation of adherence to the Publishing Requirements.

---

🔒 Data Collection Summary

Assurance eServices (AES) collects and stores ONLY 7 operational identifiers:

Data Point	Purpose	Storage Location
tenantId	Identify Microsoft Fabric tenant	AES secure databases
workspaceId	Identify workspace	AES secure databases
graphqlitemId	Identify pipeline item	AES secure databases
JobCount	Track job count	AES secure databases
JobStepCount	Track job step count	AES secure databases
LastJobAuditID	Track last audit ID	AES secure databases
LastJobStepAuditID	Track last step audit ID	AES secure databases

What AES does NOT collect:

• ❌ Personal information or user identities
• ❌ Pipeline configurations or job definitions
• ❌ Execution logs or diagnostic telemetry
• ❌ Performance metrics or detailed analytics
• ❌ Error messages or debugging data
• ❌ Any pipeline data or business content

Customer-Controlled Data:

• ✅ Pipeline configurations stored in customer’s OneLake
• ✅ Job definitions stored in customer’s Fabric items
• ✅ Execution logs (if enabled) written to customer’s Lakehouse
• ✅ Performance metrics (if enabled) stored in customer’s OneLake

See Privacy Policy for complete details.

---

Business Requirements

1. Value To Customers

The AES ETL Control Panel provides the following value to customers:

This workload enables enterprises to configure, monitor, and orchestrate comprehensive data pipelines within Microsoft Fabric through an intuitive, no-code interface. Organizations implementing AES Fabric WTL through Fabric data platforms benefit from:

• Simplified Pipeline Configuration: Data-driven, plug-and-play ETL/ELT framework eliminating hard-coded dependencies
• Multi-Source Data Movement: Support for on-premises SQL Server, API data files, Spark SQL, and Fabric Warehouse to Lakehouse integration
• Advanced Change Data Capture: Built-in support for Type 1, Type 2, and Type 2 with date-partitioning for slowly changing dimensions
• Centralized Orchestration: Complete pipeline lifecycle management including scheduling, monitoring, and job management
• Environment Agnostic: Configuration-based approach with dynamic variable management for seamless cross-environment deployment

2. Trial

[ X ] Yes

The AES ETL Control Panel offers a comprehensive evaluation experience. Upon installation, users can immediately access all features with sample configurations and test data pipelines. The trial provides full functionality for evaluation purposes in accordance with Microsoft guidelines for trials.

3. Monetization

Bring Your Own License (BYOL)

The workload is available through direct licensing with Assurance eServices. Organizations can contact our sales team at sales@assuranceeservices.com for licensing options. The workload requires a valid license key for production use beyond the evaluation period.

---

Technical Requirements

1. Microsoft Entra Access

[ X ] The workload uses Microsoft Entra authentication and authorization exclusively

• Entra App ID: 74967d47-b945-468e-90d3-0637a7855ed8
• Authentication: All authentication is handled through Microsoft Entra (Azure AD) using the Fabric Workload Client SDK
• No Additional Auth: The workload does not use or require any additional authentication mechanisms

Data Storage Clarification:

• Pipeline configurations and job definitions are stored in your Fabric item definitions and OneLake storage
• AES collects and stores ONLY 7 operational identifiers in AES databases: tenantId, workspaceId, graphqlitemId, JobCount, JobStepCount, LastJobAuditID, LastJobStepAuditID
• No execution logs, user data, or authentication credentials stored by AES
• The workload does not maintain separate user authentication systems

2. OneLake

[ X ] All data and metadata is stored in OneLake or Fabric Data Stores

Customer-Controlled Storage:

• Pipeline configurations, job definitions, and task metadata are stored in your OneLake using the Fabric item storage model
• All user-generated content is persisted to OneLake Lakehouse instances configured by you
• Data residency within your Fabric capacity

AES-Collected Data (Minimal):

• AES collects ONLY 7 operational identifiers stored in AES databases
• Identifiers: tenantId, workspaceId, graphqlitemId, JobCount, JobStepCount, LastJobAuditID, LastJobStepAuditID
• These enable pipeline state tracking and job orchestration
• No execution logs, telemetry, or configuration data collected by AES

3. Microsoft Entra Conditional Access

[ X ] The service works in its entirety even if customers enable this functionality

No limitations exist. The workload fully supports Microsoft Entra Conditional Access policies including multi-factor authentication, location-based access, and device compliance requirements.

4. Admin REST API

[ X ] Microsoft Fabric Admin APIs are being leveraged (/admin/*)

The workload utilizes Fabric Admin APIs for workspace and item discovery, enabling administrators to manage and govern AES ETL Control Panel items across their organization.

5. Customer Facing Monitoring & Diagnostic

[ X ] Minimum 30 days requirement is adhered to
[ ] Vendor stores the data for additional days beyond the minimum requirement

Data Collection by AES:

• AES collects and stores ONLY 7 operational identifiers in AES databases
• Identifiers: tenantId, workspaceId, graphqlitemId, JobCount, JobStepCount, LastJobAuditID, LastJobStepAuditID
• Retained for duration of service use plus 90-day grace period
• NO execution logs, activity IDs, or diagnostic telemetry collected by AES

Customer-Managed Monitoring:

• Pipeline execution logs and monitoring data can be written to your OneLake Lakehouse (customer-controlled)
• Retention policies for customer-managed data are controlled by your OneLake configuration
• AES does not collect, access, or store this customer-managed monitoring data

6. B2B

[ X ] Cross tenant B2B collaboration supported

The workload supports Fabric’s B2B sharing strategy. Pipeline configurations and monitoring dashboards can be shared with external users following Fabric’s standard sharing model. External users can view pipeline status and access shared Lakehouse data according to workspace permissions.

7. Business Continuity and Disaster Recovery

[ X ] Comprehensive BCDR plan implemented

BCDR Strategy:

• Frontend Hosting: Azure Static Web Apps with global distribution and automatic failover
• AES Data Resilience: 7 operational identifiers stored in AES databases with automated backups and redundancy
• Customer Data Resilience: Pipeline configurations and metadata stored in customer-controlled OneLake with built-in redundancy
• Service Availability: 99.9% uptime SLA with automated health monitoring
• Disaster Recovery: Recovery Time Objective (RTO) of 4 hours, Recovery Point Objective (RPO) of 15 minutes
• Backup Strategy: AES database backups performed daily; OneLake automatic versioning protects customer data

See full BCDR documentation at: https://assuranceeservices.com/bcdr-policy

8. Performance

[ X ] Performance Metrics on workload performance are available via the monitoring hub
[ X ] Workload additionally includes a separate monitoring UI to test and track performance

Performance Monitoring:

• AES tracks basic operational metrics (JobCount, JobStepCount, LastJobAuditID, LastJobStepAuditID)
• Detailed pipeline execution metrics and logs can be written to customer’s OneLake (customer-controlled)
• Integration with Fabric Monitoring Hub for centralized visibility
• Customer-managed performance data includes: resource utilization, execution duration, bottleneck analysis
• AES does not collect or store detailed performance metrics or execution logs

9. Presence

[ X ] Service availability and colocation/alignment in the following fabric regions:

The workload frontend is hosted using Azure Static Web Apps with global distribution. The service automatically co-locates with customer’s Fabric capacity region. All data processing occurs within the customer’s selected Fabric capacity, ensuring data residency compliance.

Supported Regions: All Microsoft Fabric supported regions
Data Residency:

• Customer pipeline configurations and content remain within customer’s selected Fabric capacity region
• AES operational identifiers (7 data points) stored in regionally appropriate AES databases

10. Public APIs

[ X ] The workload uses Fabric Public APIs

The workload leverages Fabric Public APIs for:

• Workspace and item management
• OneLake storage operations
• Lakehouse table access
• Spark job submission and monitoring
• Capacity and resource management

---

Design / UX Requirements

1. Common UX

[ X ] The workload complies with Fabric UX guidelines

The workload adheres to Microsoft Fabric Fluent UI design system including:

• Fluent UI v9 components throughout the interface
• Consistent color schemes, typography, and iconography
• Standard Fabric navigation patterns
• Responsive design for various screen sizes

2. Item Creation Experience

[ X ] Yes

Item creation follows the standard Fabric item creation wizard pattern with guided configuration steps.

3. Monitoring Hub

[ X ] Yes

Long-running pipeline operations integrate with Fabric Monitoring Hub, providing visibility into:

• Pipeline execution status and progress
• Job progress and stages
• Basic operational metrics (job counts, audit tracking)
• Note: Detailed execution logs and diagnostics are customer-managed in OneLake (not collected by AES)

4. Trial Experience

[ X ] Trial Supported

The workload provides immediate trial access with sample pipelines and pre-configured data sources. Users can explore all features without time restrictions during the evaluation period.

5. Monetization Experience

[ X ] Bring Your Own License (BYOL)

Licensing is managed through direct engagement with Assurance eServices. License validation occurs during workload initialization.

6. Accessibility

[ X ] The user experience is completely compliant with the guidelines

The workload meets WCAG 2.1 Level AA accessibility standards including:

• Keyboard navigation support
• Screen reader compatibility
• High contrast mode support
• ARIA labels and semantic HTML
• Focus management and visual indicators

7. World Readiness / Internationalization

[ X ] English is the only supported language

Future releases will include localization for additional languages based on customer demand.

8. Item Settings

[ X ] Yes

Item settings are implemented as part of the ribbon following Fabric UX guidelines, including item properties, configuration, and metadata management.

9. Samples

[ X ] Samples for pre-configuration of items provided

The workload includes sample pipeline templates for common ETL scenarios:

• SQL Server to Lakehouse migration
• API data ingestion patterns
• Spark SQL transformation workflows
• Incremental load configurations

10. Custom Actions

[ X ] Custom Actions implemented as part of Workload

Custom ribbon actions provide quick access to:

• Pipeline execution and scheduling
• Data quality validation
• Configuration export/import
• Performance optimization tools

11. Workspace Settings

[ X ] Supported

Workspace-level settings enable centralized configuration for:

• Default Lakehouse connections
• Execution policies and resource limits
• Notification preferences
• Audit logging preferences (customer-managed in OneLake)

Note: Workspace settings are stored in customer’s Fabric workspace. AES only tracks operational identifiers for job orchestration.

12. Global Search

[ X ] Supported

AES ETL Control Panel items are searchable through Fabric’s global search, enabling users to quickly find pipeline configurations and job definitions.

---

Security / Compliance Requirements

1. Security General

[ X ] Security review and assessment completed and periodically performed

Security assessments are conducted quarterly with penetration testing performed annually. The workload undergoes continuous security monitoring and adheres to Microsoft’s Security Development Lifecycle (SDL) best practices.

Security Measures:

• All authentication via Microsoft Entra tokens using Fabric SDK
• No credential storage within the workload
• HTTPS-only communication
• Content Security Policy (CSP) enforcement
• Input validation and sanitization
• Protection against OWASP Top 10 vulnerabilities

2. Privacy

[ X ] Publisher attests that it is not using or relying on third-party cookies
[ X ] Publisher attests that it is obtaining any Microsoft Entra token using the JavaScript APIs provided by the Fabric Workload Client SDK

Privacy Commitment:

• AES collects ONLY 7 operational identifiers (tenantId, workspaceId, graphqlitemId, JobCount, JobStepCount, LastJobAuditID, LastJobStepAuditID)
• Stored in AES secure databases with AES-256 encryption
• No personal data, execution logs, or telemetry collected by AES
• No analytics or telemetry sent to third parties
• Compliance with GDPR, CCPA, and other privacy regulations
• Privacy by design principles throughout the application

Privacy Policy: https://assuranceeservices.com/privacy-policy

3. Data Residency

[ X ] Data residency guaranteed within customer’s Fabric capacity region

Data Residency Commitment:

• Customer Data: Pipeline configurations and content stored exclusively in customer-selected Fabric capacity region
• AES Data: 7 operational identifiers stored in regionally appropriate AES databases (compliance with data sovereignty requirements)
• No pipeline execution data or logs transferred outside customer’s designated geography
• Pipeline execution occurs within customer’s Fabric Spark compute
• Compliance with regional data sovereignty requirements

4. Compliance

[ X ] Publisher attests to the following security, data and compliance regulations and standards:

• SOC 2 Type II: Audit completed annually
• ISO 27001: Information security management certified
• GDPR: EU data protection regulation compliant
• CCPA: California privacy rights compliant
• HIPAA: Healthcare data handling capable (with customer BAA)
• Azure Compliance: Inherits compliance from Azure Static Web Apps hosting

Compliance documentation: https://assuranceeservices.com/compliance

---

Support

1. Live Site

Microsoft direct vendor outreach:

Contact Name/Team	AES Workload Support Team
Email alias	support@assuranceeservices.com
Support Portal	https://assuranceeservices.com/support
Emergency Contact	+1 (469) 664-5313 (24/7 for critical issues)

2. Supportability

[ X ] Vendor attests that support information is published to the marketplace offering and available to users/customers

Support Tiers:

• Community Support: Free access to documentation, forums, and knowledge base
• Standard Support: Business hours email support with 24-hour response time
• Premium Support: 24/7 support with 4-hour response time for critical issues
• Enterprise Support: Dedicated support engineer with custom SLA

Support Portal: https://assuranceeservices.com/support
Documentation: https://assuranceeservices.com/docs
Knowledge Base: https://assuranceeservices.com/kb

3. Service Health and Availability

[ X ] Service health dashboard available

• Primary Status Page: https://status.assuranceeservices.com
• Azure Status: https://azure.status.microsoft.com/en-us/status
• Incident History: https://status.assuranceeservices.com/history
• Uptime SLA: 99.9% availability commitment
• Status Notifications: Email and webhook alerts for service disruptions

---

Fabric Features

1. Application Life Cycle Management (ALM)

[ X ] Supported

Pipeline definitions and configurations support export/import for ALM scenarios. Integration with Fabric deployment pipelines enables promotion across development, test, and production environments.

2. Private Links

[ ] Not Currently Supported

Private Link support is planned for a future release. The workload currently requires public internet connectivity to Azure Static Web Apps hosting.

3. Data Hub

[ X ] Supported

AES ETL Control Panel items appear in the OneLake data hub when they contain data outputs. Customer-managed pipeline execution results stored in OneLake Lakehouse are discoverable through the data hub interface.

Note: AES does not collect or store pipeline execution results. All outputs are customer-managed in their OneLake.

4. Data Lineage

[ X ] Supported

The workload integrates with Fabric’s data lineage tracking. Pipeline data flows, source-to-target mappings, and transformation logic are visible in the lineage view, enabling impact analysis and data governance.

5. Sensitivity Labels

[ X ] Supported

The workload respects Microsoft Purview sensitivity labels on items and data. Pipeline configurations inherit sensitivity labels, and data operations honor label-based access controls. Export functionality respects sensitivity labels and prevents unauthorized data extraction.

---

Additional Notes

Architecture Overview

The AES ETL Control Panel is a Fabric-native workload that:

• Stores pipeline configurations in customer’s OneLake (Fabric item storage model)
• Collects ONLY 7 operational identifiers in AES databases for service operation
• Executes data pipelines using Fabric Spark compute within customer capacity
• Provides a browser-based management interface hosted on Azure Static Web Apps
• Integrates deeply with Fabric item model, monitoring, and security features

Data Flow

1. Configuration Storage: Pipeline definitions stored as Fabric item metadata in your OneLake
2. AES Data Collection: Only 7 operational identifiers transmitted to AES databases (tenantId, workspaceId, graphqlitemId, JobCount, JobStepCount, LastJobAuditID, LastJobStepAuditID)
3. Execution Engine: Spark jobs submitted to your Fabric capacity
4. Monitoring Data: Pipeline execution results can be written to your OneLake Lakehouse (customer-controlled, not collected by AES)
5. Data Boundary: All pipeline data processing occurs within your Fabric boundary

---

References

• Product Website: https://assuranceeservices.com/fabric-etl
• Documentation: https://assuranceeservices.com/docs/aes-etl-control-panel
• Support Site: https://assuranceeservices.com/support
• Privacy Policy: https://assuranceeservices.com/privacy-policy
• Terms of Service: https://assuranceeservices.com/terms-of-service
• BCDR Policy: https://assuranceeservices.com/bcdr-policy
• Compliance Portal: https://assuranceeservices.com/compliance
• Service Health: https://status.assuranceeservices.com
• Security Documentation: https://assuranceeservices.com/security

---

Document Version: 1.1
Effective Date: April 28, 2026
Next Review Date: October 28, 2026

For questions regarding this attestation, contact: compliance@assuranceeservices.com