Terms of Service
Last updated: March 2026
These terms govern your use of the baref00t.io automated security assessment platform, operated by Becloudsmart Pty Ltd (ABN 13 611 079 219). By purchasing or using an assessment, you agree to these terms.
1. Service description
baref00t.io provides automated security assessment reports for Microsoft 365 tenants. Assessments read your tenant configuration via the Microsoft Graph API, evaluate it against a defined security framework (such as the ACSC Essential Eight), and produce a detailed report with findings and remediation guidance.
2. Acceptable use
You may only run assessments against Microsoft 365 tenants that you own or are authorised to manage. By granting consent, you confirm you have the authority to do so. You must not use the service to:
- Assess tenants you do not own or have explicit authorisation to assess.
- Attempt to access data beyond what is required for the assessment.
- Reverse-engineer, resell, or redistribute the assessment logic or reports.
3. Report accuracy
Assessment reports are based on configuration data available via the Microsoft Graph API at the time of the assessment. Reports reflect a point-in-time snapshot and are not a substitute for a formal security audit, penetration test, or IRAP assessment. While we strive for accuracy, we do not guarantee that all security risks will be identified or that all findings will be applicable to your specific environment.
4. Intellectual property
Assessment reports are generated for your internal use. You may share reports within your organisation or with your auditors and advisors. You may not publicly redistribute, resell, or white-label reports without prior written agreement.
5. Payment terms
Assessments are available as one-time purchases or monthly subscriptions. Prices are displayed in the local currency for each product (AUD, USD, EUR, GBP, or SGD) and are inclusive of applicable taxes. Payment is processed by Stripe at the time of purchase.
Assessment reports are non-refundable once generated. If an assessment fails to run due to a technical issue on our end, we will either re-run the assessment or issue a full refund at your choice.
6. Data handling
Your data is handled in accordance with our Privacy Policy. In summary: we do not store your tenant configuration data, reports are hosted in the Azure region where your assessment runs, and we do not sell or share your data.
7. Data processing agreement
When you purchase an assessment, Becloudsmart Pty Ltd acts as a data processor on your behalf (you are the data controller). This section constitutes the Data Processing Agreement between you and us, as required by applicable data protection laws including the EU General Data Protection Regulation (GDPR), UK GDPR, and Singapore Personal Data Protection Act (PDPA).
Scope of processing: We process personal data from your Microsoft 365 tenant solely to perform the security assessment you purchased. Processing consists of reading tenant configuration data (user accounts, policies, security settings) via the Microsoft Graph API, evaluating it against the selected framework, and generating an assessment report. Raw tenant data is processed in memory only and is not persisted. Only the derived assessment report is stored.
Data processed:
- Tenant configuration metadata (conditional access policies, authentication methods, device compliance policies, directory roles)
- User account attributes (display names, sign-in activity, license assignments, MFA registration status)
- Security posture data (secure scores, alerts, risky users, audit logs)
- Your contact email address (for report delivery)
Processing location: Assessments currently run in Microsoft Azure Australia East. The Microsoft Graph API is a global service — data is returned from Microsoft's nearest edge, not routed through our region. Generated reports are stored in Azure Australia East. We will notify you if processing locations change.
Sub-processors:
- Microsoft Azure — cloud infrastructure (compute, storage, key vault)
- Microsoft Graph API — tenant data access (authorised by your admin consent)
- Twilio SendGrid — transactional email delivery (report links, consent emails)
- Stripe — payment processing (Stripe's own DPA applies to payment data)
Data retention: Assessment reports are retained for 30 days after generation, after which they are automatically deleted. Key Vault metadata (tenant ID, assessment ID) is retained for 90 days for support purposes. We do not retain raw Graph API data beyond the duration of the assessment run (typically under 10 minutes).
Security measures: All data is encrypted in transit (TLS 1.2+) and at rest (Azure Storage Service Encryption, AES-256). Access to customer data is restricted to automated service principals — no human has standing access to assessment data. OAuth tokens are stored in Azure Key Vault with access policies limited to the managed identity running the assessment.
Your rights: You may request deletion of your assessment data at any time by emailing assessments@baref00t.io. You may revoke our access to your tenant immediately by removing the application from Entra ID → Enterprise Applications. We will respond to data subject access requests within 30 days.
International transfers: If you are located in the EU/EEA, UK, or Singapore, your data is transferred to Australia for processing. This transfer is governed by the EU Standard Contractual Clauses (SCCs) as adopted by the European Commission (Module 2: Controller to Processor), which are incorporated into this agreement by reference. For UK customers, the International Data Transfer Addendum (IDTA) to the EU SCCs applies. For Singapore customers, this DPA satisfies the transfer requirements under PDPA Section 26.
Breach notification: In the event of a personal data breach affecting your data, we will notify you without undue delay and in any case within 72 hours of becoming aware of the breach, providing details of the nature of the breach, the data affected, and the measures taken to address it.
8. Limitation of liability
To the maximum extent permitted by Australian law, Becloudsmart Pty Ltd is not liable for any indirect, incidental, or consequential damages arising from your use of the service. Our total liability for any claim related to the service is limited to the amount you paid for the specific assessment in question.
Nothing in these terms excludes or limits any rights you may have under the Australian Consumer Law that cannot be excluded or limited by contract.
9. Termination and access revocation
You can revoke the application's access to your tenant at any time by removing it from Entra ID (Enterprise Applications). Access is revoked immediately with no notice period or support ticket required. We may suspend or terminate your access if we reasonably believe you are using the service in breach of these terms.
10. Changes to these terms
We may update these terms from time to time. Material changes will be communicated via email to active subscribers. Continued use of the service after changes constitutes acceptance of the updated terms.
11. Governing law
These terms are governed by the laws of the State of Victoria, Australia. Any disputes arising under these terms are subject to the exclusive jurisdiction of the courts of Victoria.
12. Contact
Email: assessments@baref00t.io
Entity: Becloudsmart Pty Ltd
ABN: 13 611 079 219