Security / Overview (printable)

Use your browser's “Save as PDF” option to export this page as a clean 2-pager for your IT team.

Zentriq — Security Overview

Zentriq Agent for Business Central

AI assistant embedded in Microsoft Dynamics 365 Business Central. SaaS, multi-tenant, GDPR + Swiss nFADP compliant.

1 · Architecture

┌──────────────┐     HTTPS       ┌─────────────────────┐
│  BC user     │ ─────────────▶  │ Zentriq backend     │
│  (browser)   │                 │ (Vercel EU)         │
└──────────────┘                 └─────────┬───────────┘
                                            │
                         ┌──────────────────┼────────────────┐
                         ▼                  ▼                ▼
                 ┌──────────────┐  ┌──────────────┐  ┌──────────────┐
                 │ Anthropic    │  │ BC API       │  │ Neon         │
                 │ Claude (US)  │  │ (your tenant)│  │ Postgres EU  │
                 │ ZERO RETENTION│  │               │  │ (encrypted)  │
                 └──────────────┘  └──────────────┘  └──────────────┘

2 · What Zentriq Accesses

Does access

Your Microsoft account email + tenant ID. The BC data you query, fetched in real-time via the BC API under your own user's permissions. Chat history (stored so you can resume conversations).

Does NOT access

Full BC database export. Credentials or passwords. Data from other tenants. Your data is never used to train AI models (Anthropic zero-retention).

3 · Encryption

In transit (end-to-end)	TLS 1.3 (min TLS 1.2)
Database at rest	AES-256 (Neon managed)
BC refresh tokens at rest	AES-256-GCM application-layer, key rotated quarterly
File attachments	AES-256 (Vercel Blob)

4 · Permissions Requested (Microsoft Entra ID)

openid / profile / email — Microsoft sign-in (Zentriq dashboard)
Dynamics 365 Business Central API — Financials.ReadWrite.All — read / write BC data on your behalf (scoped by your BC permission set)
offline_access — refresh token for long-lived access (revocable anytime in your dashboard)

Your BC permissions are the ultimate gate — Zentriq cannot exceed what your own BC user account is allowed to do. An admin consent at the tenant level is optional; per-user consent works fine.

Zentriq — Security Overview (cont.)

5 · Data Residency

Data	Region	Provider
Database	EU (Frankfurt)	Neon
Application runtime	EU (Frankfurt + Paris)	Vercel
Blob storage	EU	Vercel Blob
Error tracking	EU (Frankfurt)	Sentry
AI inference	US (zero retention)	Anthropic
BC data	(your tenant, never relocated)	Microsoft

6 · Retention

Conversations + captures — until user deletes or closes account
Usage + Sentry error logs — 90 days rolling
BC refresh tokens — until you disconnect, or 90 days of inactivity
Stripe billing records — 7 years (legal obligation)

7 · Operational Controls

Access

Production DB access restricted to 2 staff. MFA everywhere. Every access logged.

Deploys

GitHub → Vercel pipeline. Signed commits. Automated tests before every merge.

Monitoring

Sentry for errors + traces. Uptime probes on /api/health every 60 s.

Incident response

GDPR Art. 33 — 72-hour notification. Post-mortem published once incident is closed.

8 · Subject-Access Rights (GDPR / nFADP)

Export — full JSON export on request (30 days SLA)
Delete — self-service account deletion from the dashboard, cascades all data
Disconnect BC — revoke the BC OAuth token anytime, instant effect
Object / restrict — email privacy@zentriqsoftware.com

9 · Certifications

GDPR + Swiss nFADP — compliant
SOC 2 Type II — in progress, expected Q4 2026
ISO 27001 — 2027 roadmap

10 · Contact

Security: security@zentriqsoftware.com · Privacy: privacy@zentriqsoftware.com · General: support@zentriqsoftware.com

Zentriq Software · Switzerland · www.zentriqsoftware.com · Last updated April 22, 2026