Data Sovereignty & Security

Maptaskr Power Maps is deployed directly inside your Microsoft tenant as a client-side javascript application so you retain complete control of your business data. This FAQ summarizes how our platform upholds data sovereignty and security, expanding on the commitments outlined in the Maptaskr Privacy Statement.

How data residency works

• Your tenant, your region: All customer records, dataverse map layers, and geospatial processing used by Maptaskr Power Maps remains in your Microsoft Dataverse, Dynamics 365, Power Apps, or Power Pages environment located in the geography you selected when provisioning Microsoft 365.
• No data extraction: Maptaskr does not copy, persist, access or export your business data into Maptaskr infrastructure. Our solution operates through Microsoft-first party APIs and inherits their residency guarantees.
• Bring-your-own storage: Whether you host data in Azure Storage, SQL, Cosmos DB, or external layer services such as ArcGIS and Azure Maps, those datasets stay in the regions you configure for each service. Maptaskr simply reads them through user supplied APIs and never proxies, caches, or relocates the underlying resources.

What information Maptaskr can access

• Business data: We cannot view or access customer records within your tenant. When you submit a support ticket, we may request redacted screenshots or sample records that you choose to share.
• Administration data: During onboarding we capture only essential business contact details (organisation, name, email, contact number) to manage licensing and support, consistent with the privacy statement.
• Telemetry (optional): The product emits minimal, anonymous diagnostics to validate licensing and performance. Enhanced telemetry is off by default and can be disabled at any time in the product settings.
• Environment details: During onboarding we record your environment ID, URL, environment type (production or sandbox), and installed Maptaskr build so we can validate licensing and provide lifecycle support.

List of APIs accessed and data sent to Maptaskr:

1. License registration (/api/license/register): Company and contact details (organisation, country, first/last name, email, phone), terms acknowledgements (Ts&Cs, marketing, optional telemetry), the Dataverse environment ID/URL/type, and the installed Maptaskr version. Submitted once during onboarding so we can issue the encrypted license file.

2. Periodic license validation (/api/license/validate): The license container itself (ID, name, public key, maptaskrLicenseId, optional file metadata, and your telemetry preference) so we can confirm the license is still valid - no customer records or usage data are included.

3. License renewal (/api/license/generate): When you request a refreshed license, only the maptaskrLicenseId (or related identifier) is sent so we can regenerate the signed artifact.

4. Mandatory telemetry (/api/telemetry): A MapLoadedEventDetails payload describing how the map control is configured (control type, data service, address/region provider, calculation engine, basemap choice, constraints, filter counts, layer counts, zoom order, custom-code flag). These fields contain configuration metadata only and never include row-level business data. This telemetry is used to identify feature usage, but most importantly map load speed - allowing us to proactively contact you if we see your map not performing as well as we would expect with comparable configuration metrics.

5. Optional telemetry (/api/telemetry with enhanced telemetry enabled): Lightweight TelemetryData entries listing the feature name (eventName), timestamp, and optional duration. This is used solely for performance benchmarking and roadmap validation and is entirely disabled when you opt out.

info

After the initial /api/license/register and first /api/license/validate call, the solution can operate offline until the licensed end date, continuous connectivity to Maptaskr is not required.

6. Maptaskr provider services: If you use the Maptaskr provider for search or basemaps, only the following calls are made:
   • Service authentication (/api/auth): Sends the environmentid and licenseid as a Bearer Token and returns a {token} to be used with the Maptaskr Services.
   • Address search (/api/address/location): Sends the search keyword, the current map center, an optional constraint extent and the {token} so we can return candidate addresses.
   • Location search (/api/address/query): Sends the search keyword and the {token} to look up a specific location.
   • Region search (/api/search): Sends the search keyword, an optional center coordinate and the {token} to retrieve region boundaries.
   • Vector basemaps (https://tiles.maptaskr.com/): Streams style JSON and map tiles. Only requires the {token} to retrieve tiles.

Security controls in place

• Microsoft security baseline: Because Maptaskr runs inside your tenant, it benefits from Microsoft’s compliance certifications (ISO 27001, SOC 1/2, GDPR, Australian IRAP, etc.) and your own conditional access, DLP, and policies.
• Principle of least privilege: Because Maptaskr operates solely inside Canvas Apps, model-driven Power Apps, and Dynamics 365, access to maps and layers is governed through native Dataverse security roles. Administrators assign or remove these roles (or the underlying permission sets) just like any other Power Platform app, ensuring only authorised users can load geospatial data or perform write operations.
• Change management: Updates to the Maptaskr managed solution undergo security review, automated testing, and staged deployment before reaching production tenants.

Compliance and sovereignty assurances

• Regulatory alignment: Our architecture supports compliance with GDPR, Australian Privacy Principles, and other regional data-protection frameworks because customer data never leaves the jurisdiction you selected for Microsoft hosting.

Your responsibilities

• Keep your Microsoft 365 and Power Platform environments deployed in compliant regions, and align backup/retention policies (including Azure Storage, SQL, or ArcGIS/Azure Maps layers) with local sovereignty obligations.
• Assign the appropriate Dataverse security roles (and supporting Entra ID controls like MFA and conditional access) so only authorised users can open Maptaskr maps, layers, or geospatial write operations.
• Ensure that the Layers and Basemaps added to Maptaskr Power Maps have the appropriate security and compliance configurations in place with appropriate authentication profiles.
• Review the optional telemetry toggle inside Maptaskr and disable enhanced diagnostics if regulations require zero metadata sharing.

Need more details?

• Visit the full Maptaskr Privacy Statement for our collection, use, and retention practices.
• Contact support@maptaskr.com for any further clarification and support

By keeping all processing inside your Microsoft tenant and limiting the information Maptaskr handles, we ensure you maintain sovereignty over your data while benefiting from enterprise-grade security controls.