Privacy & Security

Last updated: April 2, 2026

Trovve is built for service firms that manage sensitive client data every day. We take that responsibility seriously. This page explains how we handle your data, where it lives, and how we keep it secure.

Where your data lives

Your files stay in your Microsoft 365 environment. Trovve does not copy, move, or store your SharePoint or OneDrive files on separate servers. When you browse files in Trovve, you are looking directly at your SharePoint and OneDrive — Trovve is the interface, not the storage.

Task, project, and client data that you create inside Trovve is stored securely on Microsoft Azure, the same cloud infrastructure used by Microsoft's own products. Your data is hosted in Azure data centers that meet the highest industry compliance standards.

  • Your files remain in your SharePoint and OneDrive at all times
  • Trovve does not duplicate or cache your documents
  • Task, project, and client data is stored on Microsoft Azure
  • Trovve's entire application infrastructure runs on Microsoft Azure
  • We do not sell, rent, share, or monetize your data — ever
  • We do not use your data to train AI models

Built on Microsoft Azure

Trovve is built entirely on the Microsoft Azure platform. This means your data benefits from the same infrastructure, security controls, and compliance certifications that protect Microsoft's own cloud services.

Azure provides:

  • Global infrastructure — data centers in regions worldwide with built-in redundancy
  • Physical security — 24/7 monitored facilities with biometric access controls
  • Network security — DDoS protection, firewalls, and threat detection built into the platform
  • Compliance certifications — Azure holds SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27018, HIPAA, FedRAMP, and GDPR certifications among others
  • Automatic patching and updates — security patches are applied to the underlying infrastructure without downtime

By building on Azure, Trovve inherits Microsoft's multi-billion dollar investment in cloud security without the overhead of managing our own data centers.

Authentication and access

Trovve uses Microsoft Entra ID (formerly Azure Active Directory) for all authentication. You sign in with your existing Microsoft 365 account. Trovve never sees, stores, or has access to your password.

  • Single sign-on — use your Microsoft 365 credentials, no separate username or password
  • OAuth 2.0 — industry-standard authorization protocol for all Microsoft Graph API access
  • Scoped permissions — Trovve only requests access to what it needs, nothing more
  • Admin control — your IT admin can review, restrict, or revoke Trovve's permissions at any time from the Microsoft Entra admin center
  • Session security — authentication tokens expire and must be refreshed, preventing unauthorized long-term access

Trovve supports all Microsoft Entra ID security features your organization has enabled, including multi-factor authentication (MFA) and conditional access policies.

What permissions Trovve requests

When you sign in, Trovve requests access to specific Microsoft 365 services through the Microsoft Graph API. Each permission is scoped to the minimum needed for that feature to work.

Permissions and why:

  • Outlook Calendar (read) — to show your upcoming meetings in My Day
  • SharePoint and OneDrive (read/write) — to browse, link, and manage project files and folders
  • Microsoft Teams (read) — to embed Trovve as a Teams app
  • User profiles (read) — to display team member names, photos, and email addresses
  • Mail (read, when email processing is enabled) — to classify incoming emails and create tasks from them

What Trovve does NOT access:

  • Your personal OneDrive files outside of shared project folders
  • Your Outlook email content (unless you explicitly enable email processing)
  • Teams chat messages or call history
  • Any Microsoft 365 app or data not listed above

You can review Trovve's permissions at any time in your Microsoft 365 admin center under Enterprise Applications.

Data encryption

All data in Trovve is encrypted both in transit and at rest.

  • In transit — all connections use TLS 1.2 or higher. Data moving between your browser and Trovve, and between Trovve and Microsoft 365, is encrypted end-to-end.
  • At rest — all stored data is encrypted using AES-256 encryption, the same standard used by governments and financial institutions.
  • Database encryption — Azure SQL and Azure Storage provide transparent data encryption (TDE) by default.
  • Key management — encryption keys are managed by Microsoft Azure's key management infrastructure with automatic rotation.

Application security

Trovve follows security best practices throughout the development and operation of the application.

  • Secure development — code is reviewed for security vulnerabilities before deployment
  • HTTPS everywhere — all pages and API endpoints are served over HTTPS with no exceptions
  • Input validation — all user inputs are validated and sanitized to prevent injection attacks
  • Rate limiting — API endpoints are rate-limited to prevent abuse
  • Error handling — error messages never expose sensitive information or system internals
  • Dependency monitoring — third-party libraries are monitored for known vulnerabilities and updated regularly

Third-party services

Trovve uses a limited number of third-party services, each chosen for their security track record and compliance certifications.

  • Microsoft Azure — cloud infrastructure, hosting, database, and storage. All Trovve infrastructure runs on Azure.
  • Microsoft Graph API — integration with your Microsoft 365 environment (files, calendar, users, mail).
  • Stripe — payment processing. Stripe is PCI DSS Level 1 certified. Trovve never sees, stores, or processes your credit card information — all payment data is handled entirely by Stripe.
  • Microsoft Power Automate — workflow automation, used when automation workflows are configured by you or our setup team. Power Automate runs within your Microsoft 365 tenant.

Trovve does not use third-party advertising services, behavioral tracking, or analytics platforms that collect personal data.

Data retention and deletion

  • Active accounts — your data is retained for as long as your Trovve subscription is active.
  • After cancellation — your account switches to read-only mode. Your data is preserved for 90 days so you can reactivate at any time.
  • After 90 days of inactivity — task, project, and client data is permanently deleted from Trovve's systems.
  • Your SharePoint and OneDrive files are not affected — files remain in your Microsoft 365 environment regardless of your Trovve account status. Trovve does not delete, modify, or remove files from your Microsoft 365 storage.
  • Immediate deletion — you can request immediate deletion of all your Trovve data at any time by contacting our support team.

Your rights

You have full control over your data in Trovve.

  • Export — export your projects, tasks, and client data to Excel at any time from within the application.
  • Access — request a complete copy of all data Trovve holds about you and your organization.
  • Deletion — request deletion of your account and all associated data at any time.
  • Revoke access — remove Trovve's permissions from your Microsoft 365 environment at any time through the Microsoft Entra admin center.
  • Portability — your files never leave your Microsoft 365 environment, so there is nothing to "move back." They are already where they belong.

For GDPR, CCPA, or other data protection inquiries, contact us through help@trovve.com.

Questions?

If you have questions about Trovve's privacy practices, security measures, or data handling, we're happy to help.

Contact us through help@trovve.com.

For enterprise security reviews or to request our security documentation, contact us directly and we'll work with your IT team.