COMPLIANCE PORTAL

AES ETL Control Panel for Microsoft Fabric

Publisher: Assurance eServices Inc.
Last Updated: April 28, 2026


Our Commitment to Compliance

At Assurance eServices, we recognize that trust is earned through transparency, accountability, and demonstrated commitment to the highest standards of security, privacy, and compliance. This Compliance Portal provides comprehensive information about our certifications, policies, and practices that protect your data and ensure regulatory compliance.

Core Principles:

  • Security First: Enterprise-grade security controls protecting your data
  • Privacy by Design: Minimal data collection, maximum customer control
  • Regulatory Compliance: Meeting global standards and regulations
  • Transparency: Clear documentation of our practices and commitments
  • Continuous Improvement: Regular audits, assessments, and enhancements

Data Collection Transparency

Minimal Data Collection by AES

AES collects and stores ONLY 7 operational identifiers in AES secure databases:

Data Point          | Purpose                     | Storage                 | Contains Personal Data?
tenantId            | Identify your Fabric tenant | AES Database (AES-256)  | No
workspaceId         | Identify workspace          | AES Database (AES-256)  | No
graphqlitemId       | Identify pipeline item      | AES Database (AES-256)  | No
JobCount            | Track job count             | AES Database (AES-256)  | No
JobStepCount        | Track job step count        | AES Database (AES-256)  | No
LastJobAuditID      | Track last audit ID         | AES Database (AES-256)  | No
LastJobStepAuditID  | Track last step audit ID    | AES Database (AES-256)  | No

Retention: Active service + 90-day grace period after termination
Deletion: Automatic deletion after grace period, or immediate upon request

Your Data Remains in Your Control

Customer-Controlled Data (Your OneLake):

  • ✅ All pipeline configurations and job definitions
  • ✅ All business data processed by your pipelines
  • ✅ Execution logs (if you enable them)
  • ✅ User preferences and settings
  • ✅ Performance metrics (if you enable them)
  • ✅ Complete control over retention, backup, and deletion

What AES Does NOT Collect:

  • ❌ User identities, names, emails, or personal information
  • ❌ Execution logs, telemetry, or performance metrics
  • ❌ Pipeline configurations or business data
  • ❌ Authentication credentials or error messages
  • ❌ Browsing history or activity data
  • ❌ Location data or device identifiers

Separation of Responsibilities:

  • AES Role: Frontend service delivery, minimal operational tracking (7 identifiers)
  • Your Role: Complete control of all pipeline data, configurations, and business information in your OneLake
  • No Overlap: AES cannot access your OneLake data; you cannot access AES operational databases

See our complete Privacy Policy for details.


Certifications and Standards

Industry Certifications

SOC 2 Type II

Status: ✅ Certified
Audit Frequency: Annual
Trust Service Criteria:

  • Security
  • Availability
  • Confidentiality

Latest Audit: January 2026
Next Audit: January 2027

SOC 2 Type II attestation demonstrates our commitment to maintaining robust internal controls for security, availability, and confidentiality. Our annual audit is conducted by an independent CPA firm and validates our operational effectiveness over a 12-month period.

Report Availability: SOC 2 reports are available to customers under NDA. Request through: compliance@assuranceeservices.com


ISO 27001:2013

Status: ✅ Certified
Certificate Number: [Certificate Number]
Issue Date: March 2025
Valid Until: March 2028

Certification Scope:

  • Information Security Management System (ISMS)
  • Development and operation of AES ETL Control Panel workload
  • Customer data protection and privacy

ISO 27001 certification demonstrates our systematic approach to managing sensitive company and customer information. Our ISMS covers people, processes, and IT systems and applies a formal risk management process to them.

Annual Surveillance Audits:

  • First Surveillance: March 2026 ✅
  • Second Surveillance: March 2027 (Scheduled)
  • Recertification: March 2028 (Scheduled)

Certificate Availability: ISO 27001 certificate available upon request: compliance@assuranceeservices.com


Regulatory Compliance

GDPR (General Data Protection Regulation)

Status: ✅ Compliant
Scope: European Union and EEA

Key Compliance Measures:

  • Data minimization and purpose limitation (only 7 operational identifiers collected by AES)
  • Lawful basis for processing (legitimate interest for service operation)
  • Data subject rights implementation (access, rectification, erasure, portability)
  • Privacy by design and default (minimal data collection architecture)
  • Data Protection Impact Assessments (DPIA) completed
  • Breach notification procedures (72-hour requirement)
  • Data Processing Agreement (DPA) available
  • Clear separation: Customer data (OneLake) vs. AES operational data (7 identifiers)

GDPR Rights Support:

  • Right to Access: Export of 7 operational identifiers stored by AES; full customer data access via OneLake
  • Right to Rectification: Update identifiers or customer OneLake data
  • Right to Erasure: Delete 7 identifiers from AES databases; customer manages OneLake data deletion
  • Right to Data Portability: Export operational identifiers; standard export formats for OneLake data
  • Right to Object: Object to processing of operational identifiers (may limit service functionality)
  • Right to Restriction: Request processing limitation for operational identifiers

EU Representative: [EU Representative Name/Company] (if applicable)
Data Protection Officer: dpo@assuranceeservices.com

Privacy Policy: Privacy Policy


CCPA (California Consumer Privacy Act)

Status: ✅ Compliant
Scope: California, United States

Key Compliance Measures:

  • Consumer rights disclosure and implementation
  • No sale of personal information (confirmed)
  • Right to know: Data collection transparency
  • Right to deletion: Complete data removal
  • Right to opt-out: Not applicable (no data sale)
  • Non-discrimination: Equal service regardless of rights exercise

CCPA Categories of Information Collected by AES:

AES collects and stores ONLY 7 operational identifiers in AES secure databases:

Data Point          | Purpose                     | Category
tenantId            | Identify your Fabric tenant | Identifier
workspaceId         | Identify workspace          | Identifier
graphqlitemId       | Identify pipeline item      | Identifier
JobCount            | Track job count             | Service Usage
JobStepCount        | Track job step count        | Service Usage
LastJobAuditID      | Track last audit ID         | Service Usage
LastJobStepAuditID  | Track last step audit ID    | Service Usage

Storage: AES secure databases (AES-256 encrypted), separate from customer OneLake

What AES Does NOT Collect:

  • ❌ Personal information (names, emails, addresses)
  • ❌ User identities from Microsoft Entra ID
  • ❌ Commercial information or transaction history
  • ❌ Internet activity, browsing history, or search history
  • ❌ Geolocation data
  • ❌ Professional information (job titles, company details)
  • ❌ Execution logs or performance telemetry
  • ❌ Pipeline configurations or business data

Customer-Controlled Data (Your OneLake):
All pipeline configurations, business data, and execution logs (if enabled) remain in your OneLake storage under your complete control. AES does not collect, access, or store this data.

Consumer Rights Request: privacy@assuranceeservices.com

Privacy Policy: Privacy Policy


HIPAA/HITECH

Status: ✅ Capable (with Business Associate Agreement)
Scope: United States Healthcare

HIPAA Compliance Measures:

  • Administrative Safeguards: Policies, procedures, training
  • Physical Safeguards: Inherited from Azure infrastructure
  • Technical Safeguards: Encryption, access controls, audit logging
  • Organizational Requirements: BAA available

Business Associate Agreement (BAA):
Available for healthcare customers requiring HIPAA compliance. The BAA establishes responsibilities for Protected Health Information (PHI) handling.

Request BAA: compliance@assuranceeservices.com

Important Notes:

  • HIPAA compliance requires the customer to execute a BAA and to configure appropriate access controls and audit logging
  • PHI Storage: Any PHI is stored in customer’s OneLake (customer-controlled), NOT in AES databases
  • AES Data: The 7 operational identifiers stored by AES do not contain PHI
  • Customer Responsibility: Customers manage PHI protection in their OneLake environment

PCI DSS

Status: ✅ Not Applicable (No payment card processing)

The AES ETL Control Panel does not process, store, or transmit payment card information. All payment processing is handled through third-party PCI DSS Level 1 certified processors.

Azure Platform: Inherits PCI DSS Level 1 Service Provider certification from Azure infrastructure.


Framework Alignment

NIST Cybersecurity Framework

Status: ✅ Aligned

Our security program aligns with the NIST Cybersecurity Framework:

Identify:

  • Asset management and inventory
  • Business environment understanding
  • Governance structure
  • Risk assessment methodology

Protect:

  • Access control and identity management
  • Awareness and training programs
  • Data security and encryption
  • Protective technology implementation

Detect:

  • Anomaly and event detection
  • Security continuous monitoring
  • Detection process effectiveness

Respond:

  • Response planning and procedures
  • Communications and reporting
  • Analysis and mitigation
  • Incident management

Recover:

  • Recovery planning and procedures
  • Improvements and lessons learned
  • Communications and coordination

Microsoft Security Development Lifecycle (SDL)

Status: ✅ Implemented

Our development process follows Microsoft SDL best practices:

  • Security requirements in design phase
  • Threat modeling for all features
  • Secure coding standards and training
  • Security testing (SAST, DAST, penetration testing)
  • Security code reviews
  • Vulnerability management and patching
  • Incident response planning

Policy Documents

Core Policies

Privacy Policy

Last Updated: April 28, 2026
URL: Privacy Policy

Comprehensive privacy policy covering:

  • Information collection and usage
  • Data storage and security
  • Customer data rights (GDPR, CCPA)
  • International data transfers
  • Cookie policy and third-party services
  • Regional privacy rights

Key Commitments:

  • No sale of personal information
  • No third-party analytics or tracking
  • Minimal data collection: Only 7 operational identifiers
  • All customer data in customer’s OneLake storage (customer-controlled)
  • Transparent data practices and customer control

Terms of Service

Last Updated: April 28, 2026
URL: Terms of Service

Legal agreement governing service usage:

  • License grant and restrictions
  • User obligations and acceptable use
  • Data ownership and protection
  • Service availability and warranties
  • Limitation of liability
  • Dispute resolution procedures

Service Level Agreement (SLA)

Last Updated: April 28, 2026
URL: Service Level Agreement

Service availability and support commitments:

  • 99.9% uptime guarantee
  • Service credit structure
  • Support response times (by tier)
  • Performance targets
  • Escalation procedures

Security Documentation

Last Updated: April 28, 2026
URL: Security Documentation

Comprehensive security information:

  • Security architecture and controls
  • Authentication and authorization
  • Data encryption and protection
  • Application security measures
  • Vulnerability management
  • Incident response procedures
  • Responsible disclosure policy

Business Continuity and Disaster Recovery (BCDR)

Last Updated: April 28, 2026
URL: BCDR Policy

Business continuity and disaster recovery planning:

  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 15 minutes
  • Disaster recovery procedures
  • Backup and data protection
  • Incident response and escalation
  • Testing and validation schedule

Compliance Attestation

Fabric Workload Compliance Attestation

Last Updated: April 27, 2026
URL: Compliance Attestation

Official attestation for Microsoft Fabric publishing:

  • Business requirements compliance
  • Technical requirements adherence
  • Design and UX compliance
  • Security and compliance standards
  • Support commitments
  • Fabric features support

Data Protection

Data Residency

Customer Data Storage:

  • Location: Customer’s selected Microsoft Fabric capacity region
  • Control: Complete customer control through OneLake
  • Data Includes: Pipeline configurations, business data, execution logs (if enabled)
  • Transfer: No cross-region data transfer
  • Sovereignty: Compliance with regional data sovereignty laws

AES Operational Data Storage:

  • Location: Regional AES secure databases (aligned with customer region when possible)
  • Data: Only 7 operational identifiers (tenantId, workspaceId, graphqlitemId, JobCount, JobStepCount, LastJobAuditID, LastJobStepAuditID)
  • Encryption: AES-256 encryption
  • Purpose: Basic service operation tracking
  • No Personal Data: Contains no personal information

Supported Regions:

  • North America (United States, Canada)
  • Europe (EU regions, United Kingdom, Switzerland, Norway)
  • Asia Pacific (Australia, Japan, India, Singapore, South Korea)
  • Middle East (UAE)
  • South America (Brazil)

Data Processing:

  • All pipeline execution within customer’s Fabric Spark compute
  • No data processing outside customer’s capacity region
  • Pipeline configurations and business data remain in customer’s OneLake
  • AES stores only 7 operational identifiers in AES secure databases (region-specific)

Data Security

Encryption:

  • Customer Data (OneLake): AES-256 encryption (Microsoft-managed)
  • AES Operational Data: AES-256 encryption for 7 identifiers stored in AES databases
  • In Transit: TLS 1.2+ (TLS 1.3 preferred) for all communications
  • Key Management: Microsoft-managed keys for OneLake, AES-managed keys for operational databases

Access Controls:

  • Microsoft Entra ID authentication exclusively
  • Role-Based Access Control (RBAC) through Fabric
  • Multi-Factor Authentication (MFA) support
  • Conditional Access policy compliance

Data Protection Measures:

  • Input validation and sanitization
  • Content Security Policy (CSP) enforcement
  • Protection against OWASP Top 10 vulnerabilities
  • Regular security assessments and penetration testing

Data Privacy

Privacy Principles:

  • Data Minimization: Collect only essential information (7 operational identifiers)
  • Purpose Limitation: Use data only for stated purposes (service operation)
  • Transparency: Clear communication about data practices
  • Customer Control: Customers own and control their data in OneLake
  • No Third-Party Sharing: Zero data sharing with third parties
  • Separation of Data: Clear distinction between customer OneLake data and AES operational identifiers

Minimal Data Collection by AES:

AES collects and stores ONLY 7 operational identifiers in AES secure databases:

Data Point          | Purpose                     | Storage                 | Retention
tenantId            | Identify your Fabric tenant | AES Database (AES-256)  | Active + 90 days
workspaceId         | Identify workspace          | AES Database (AES-256)  | Active + 90 days
graphqlitemId       | Identify pipeline item      | AES Database (AES-256)  | Active + 90 days
JobCount            | Track job count             | AES Database (AES-256)  | Active + 90 days
JobStepCount        | Track job step count        | AES Database (AES-256)  | Active + 90 days
LastJobAuditID      | Track last audit ID         | AES Database (AES-256)  | Active + 90 days
LastJobStepAuditID  | Track last step audit ID    | AES Database (AES-256)  | Active + 90 days

Customer-Controlled Data (Your OneLake):

  • ✅ Pipeline configurations and job definitions
  • ✅ Business data processed by pipelines
  • ✅ Execution logs (if enabled by customer)
  • ✅ User preferences and settings
  • ✅ Performance metrics and telemetry (if enabled)
  • ✅ Complete control over retention and deletion

What AES Does NOT Collect or Store:

  • ❌ User identities from Microsoft Entra ID (name, email, user ID)
  • ❌ Personal information of any kind
  • ❌ Browsing history or activity outside the workload
  • ❌ Financial or payment information
  • ❌ Location data or device identifiers
  • ❌ Biometric data
  • ❌ Execution logs or error messages
  • ❌ Performance metrics or detailed telemetry
  • ❌ Pipeline configurations or business logic
  • ❌ Authentication credentials or tokens
  • ❌ Support ticket content (stored separately with explicit consent)

Audit Reports and Documentation

Available Audit Reports

SOC 2 Type II Report:

ISO 27001 Certificate:

Penetration Testing Reports:

  • Annual penetration test executive summary
  • Available to enterprise customers under NDA
  • Request through: security@assuranceeservices.com
  • Technical details available for validated security researchers

Security Assessment Schedule

Regular Assessments:

  • Quarterly internal security assessments
  • Annual external penetration testing
  • Annual SOC 2 Type II audit
  • Annual ISO 27001 surveillance audit
  • Continuous vulnerability scanning
  • Weekly dependency security scanning

Next Scheduled Assessments:

  • Q3 2026: Internal security assessment (July 2026)
  • Q4 2026: External penetration test (October 2026)
  • Q1 2027: SOC 2 Type II audit (January 2027)
  • Q1 2027: ISO 27001 surveillance (March 2027)

Regional Compliance

European Union / EEA

GDPR Compliance:

  • Full compliance with EU General Data Protection Regulation
  • Data Protection Officer (DPO) designated
  • Privacy by design and default
  • Data Protection Impact Assessments (DPIA) completed
  • Cross-border data transfer mechanisms (SCCs if needed)

EU Representative: [EU Representative Name] (if applicable)
DPO Contact: dpo@assuranceeservices.com

Supervisory Authority: Customers may contact their national data protection authority


United States

Federal Compliance:

  • HIPAA/HITECH capability (with BAA)
  • FedRAMP aligned (through Azure infrastructure)
  • NIST Cybersecurity Framework alignment

State Compliance:

  • CCPA (California)
  • CPRA (California Privacy Rights Act)
  • Other state privacy laws as applicable

Asia Pacific

Regional Considerations:

  • Australia Privacy Act compliance
  • Personal Information Protection Act (PIPA) – South Korea
  • Personal Data Protection Act (PDPA) – Singapore
  • Data localization compliance where required

United Kingdom

UK GDPR:

  • Compliance with UK GDPR post-Brexit
  • Data Protection Act 2018 compliance
  • ICO (Information Commissioner’s Office) guidance adherence

UK Representative: [UK Representative Name]


Customer Resources

Compliance Support

For Compliance Questions:

Response Time: Within 2 business days for compliance inquiries


Documentation for Customers

Available Documentation:

  • Customer Data Processing Agreement (DPA)
  • Subprocessor List (Azure/Microsoft)
  • Business Associate Agreement (BAA) for HIPAA
  • Standard Contractual Clauses (SCCs) for EU transfers
  • Security questionnaire responses
  • Compliance questionnaire responses

Request Documentation: compliance@assuranceeservices.com


Compliance Resources

Self-Service Resources:

Industry-Specific Guides:

  • Healthcare Compliance Guide (HIPAA)
  • Financial Services Compliance Guide
  • Public Sector Compliance Guide
  • International Compliance Guide

Contact compliance@assuranceeservices.com to request specific guides.


Vendor Due Diligence

Security Questionnaires

We understand that customers need to perform vendor due diligence. We maintain responses to common security questionnaires:

Available Questionnaires:

  • Standard Information Gathering (SIG)
  • Consensus Assessments Initiative Questionnaire (CAIQ)
  • Vendor Security Alliance (VSA)
  • Custom security questionnaires

Request Process:

  1. Email: compliance@assuranceeservices.com
  2. Specify questionnaire type or attach template
  3. Typical turnaround: 5-10 business days
  4. Follow-up questions welcome

Third-Party Risk Assessment

Subprocessors and Third Parties:

Primary Subprocessor:

  • Microsoft Azure: Cloud infrastructure and Fabric platform

No Other Subprocessors:

  • No customer pipeline data or business information shared with third parties
  • AES stores only 7 operational identifiers in AES secure databases (not shared with third parties)
  • No third-party analytics or tracking services
  • No external data processing of customer OneLake data

Subprocessor Notification:

  • 30-day advance notice for new subprocessors
  • Opt-out option for material changes
  • Published subprocessor list maintained

Security Incident Response

Incident Response Commitment

Security Incident Response:

  • 24/7 security monitoring and alerting
  • Dedicated incident response team
  • Security Operations Center (SOC) coverage
  • Executive escalation procedures

Breach Notification:

  • Customer notification within 72 hours of discovery
  • Detailed incident report within 5 business days
  • Assistance with regulatory notification (GDPR, HIPAA, etc.)
  • Root cause analysis and remediation plan

Scope of AES Data Breach:

  • AES stores only 7 operational identifiers (no personal data)
  • Customer pipeline data and business information remain in customer’s OneLake (not accessible by AES)
  • In event of AES infrastructure breach, customer OneLake data remains protected and unaffected
  • Breach notifications will clearly indicate whether AES operational data or customer OneLake data is involved

Report Security Incidents:


Vulnerability Disclosure

Responsible Disclosure Program:
We welcome security researchers to report vulnerabilities responsibly.

How to Report:

Our Commitment:

  • No legal action against good-faith security research
  • Credit in security advisories (if desired)
  • Collaboration on remediation
  • Transparent disclosure timeline

Full Policy: Security Documentation – Responsible Disclosure


Continuous Improvement

Compliance Program Management

Governance:

  • Chief Information Security Officer (CISO) oversight
  • Quarterly compliance committee meetings
  • Executive leadership accountability
  • Board of Directors reporting

Regular Reviews:

  • Quarterly policy and procedure reviews
  • Annual risk assessments
  • Continuous control monitoring
  • Customer feedback integration

Training and Awareness:

  • Annual security awareness training (all employees)
  • Quarterly security champion meetings
  • Monthly security newsletters
  • Simulated phishing exercises

Roadmap

Planned Enhancements:

  • ISO 27017 (Cloud Security) certification – Q4 2026
  • ISO 27018 (Cloud Privacy) certification – Q4 2026
  • Additional regional compliance certifications (as needed)
  • Enhanced privacy controls and customer data governance tools

Customer-Requested Features:

  • Private Link support (planned 2027)
  • Additional data residency options
  • Enhanced audit logging and SIEM integration
  • Custom retention policies

Contact Information

Compliance Team

General Compliance Inquiries:

Privacy Inquiries:

Data Protection Officer:

Security Inquiries:

Legal and Contracts:


Company Information

Assurance eServices Inc.
804 Morningside Trl.
Murphy, TX 75094.
United States

Corporate Website: https://assuranceeservices.com
Support Portal: https://assuranceeservices.com/support
Status Page: https://status.assuranceeservices.com


Additional Resources

Policy Documents:

Technical Documentation:

Support Resources:


Document Information

Document Owner: Chief Compliance Officer
Document Classification: Public
Version: 1.1
Publication Date: April 28, 2026
Last Updated: April 28, 2026
Next Review: July 28, 2026

Changelog:

  • v1.1 (April 28, 2026): Updated data collection sections to align with Privacy Policy (minimal data collection)
  • v1.0 (April 28, 2026): Initial publication

Trust Through Transparency

At Assurance eServices, we believe that trust is built through transparency and demonstrated commitment to security, privacy, and compliance. This Compliance Portal is regularly updated to reflect our current certifications, policies, and practices.

For questions or additional information, please contact: compliance@assuranceeservices.com


© 2026 Assurance eServices Inc. All rights reserved.