Elevate Telemetry & Privacy Notice
What Elevate transmits, why, and how personal data is handled — with a transparent view of where we are on our compliance roadmap.
Last updated: 1 July 2026
1. Scope of this notice
This notice describes the operational telemetry that the Moonbase Elevate module ("Elevate") sends to Moonbase BV ("Moonbase", "we", "us") and how personal data is handled in the Moonbase self-service licensing portal ("Portal"). It applies to every customer ("Customer", "you") that installs or uses Elevate, regardless of subscription tier.
Commercial licence terms are separate. The right to use Elevate, pricing, seat counts, term, and support obligations are governed by your order form, subscription agreement, or — for the Free tier — the click-through licence presented in the Portal. This notice does not grant or modify any licence.
This notice supplements the general Terms of Service and Privacy Policy. In case of conflict regarding Elevate telemetry or Portal personal data, this notice prevails.
2. Operational telemetry
To operate the licence model, enforce seat caps, plan capacity, and improve the service, Elevate sends a periodic, low-volume operational telemetry signal from each Microsoft Dynamics 365 environment ("Environment") in which it is installed to the Portal. By installing or using Elevate, the Customer accepts this telemetry signal as a condition of operation.
2.1 Data points collected
The telemetry signal contains only the following data points:
| Field | Description |
|---|---|
tenant_id | Microsoft Entra tenant identifier (GUID) of the Customer. |
environment |
Dynamics 365 Environment identifier (organisation ID/URL) and Environment kind
(e.g. production, sandbox, trial).
|
elevate_unique_role_count | Count of distinct Microsoft Dynamics 365 users assigned an Elevate-managed security role in the Environment at the time of measurement. This is a count only — no user identifiers, names, or email addresses are transmitted. |
Each transmission also carries a timestamp and the Elevate version, for diagnostic purposes. No business records, no Dynamics 365 entity data, and no end-user content are transmitted as part of this telemetry signal. This is the principle of data minimisation in practice — we collect only what is strictly necessary to operate the service.
2.2 Purpose of the telemetry
The telemetry data is used solely to:
- verify that licensed seat counts match the number of Elevate-role users in the Environment (seat-cap enforcement, drift detection, true-up calculation);
- provide the Customer's administrators with usage visibility in the Portal;
- operate, secure, and support the Elevate service (incident response, capacity planning, version-coverage monitoring); and
- compute aggregate, non-identifying service metrics.
Telemetry data is not used for advertising, profiling of end users, resale, or any analytics not described above. Use is bound by purpose limitation: data collected under this notice will not be repurposed without an updated lawful basis and notice.
2.3 Lawful basis (GDPR)
To the extent that tenant_id or environment identifiers can, in
combination, be linked to an identifiable legal entity, processing is based on
performance of a contract (Art. 6(1)(b) GDPR) — the licence and seat
entitlement cannot be administered without it — and on Moonbase's legitimate
interest (Art. 6(1)(f) GDPR) in operating the service securely and detecting abuse.
A balancing test ("LIA") is documented and available to Customers under NDA. The
elevate_unique_role_count is an aggregate count and does not by itself identify
any natural person.
2.4 Retention
Telemetry events are retained for up to 24 months in identifiable form to support audit, true-up, and dispute resolution, after which they are aggregated or deleted. Aggregated, non-identifying counters may be retained indefinitely.
3. Personal data — operational and transactional purposes only
For the Portal, Moonbase processes personal data of Customer administrators and billing contacts (name, business email, business phone, Microsoft Entra user identifier, role assignments inside the Portal, and an audit log of actions performed in the Portal) solely for operational and transactional purposes, including:
- creating and administering the Customer's Portal account and Elevate subscription;
- authenticating administrators and authorising actions in the Portal;
- processing orders, payments, invoices, credit notes, and refunds;
- sending service and transactional communications (provisioning notices, invoices, security alerts, expiry reminders, changes to this notice);
- providing customer support; and
- complying with legal obligations (e.g. accounting, tax, anti-fraud).
Moonbase does not use this personal data for marketing of new products, for profiling, or for any non-transactional purpose without separate, explicit consent. Marketing-list opt-ins, where offered, are tracked separately from operational records.
For Portal personal data, Moonbase acts as controller. Where the Customer's own Dynamics 365 record content is processed by Moonbase in connection with troubleshooting Elevate, Moonbase acts as processor on behalf of the Customer under a Data Processing Agreement (DPA, executed on request, GDPR Art. 28-compliant). No Dynamics 365 record content is transmitted as part of the operational telemetry signal in Section 2.
4. Data location and international transfers
Telemetry and Portal data are hosted in the European Union. Moonbase does not routinely transfer Customer personal data outside the European Economic Area ("EEA"). Where a sub-processor processes data outside the EEA, transfers are executed under the European Commission's Standard Contractual Clauses (2021/914) together with documented supplementary measures (encryption, pseudonymisation, access controls) consistent with the EDPB recommendations on supplementary measures.
5. Sub-processors
The current list of sub-processors (hosting, payment, email delivery, observability) is maintained in our Privacy Policy. Moonbase performs documented due-diligence on each sub-processor (security, privacy, business continuity) and binds them by written contract to obligations no less protective than those Moonbase commits to here. Customers will be notified of any material change to the sub-processor list with a reasonable opportunity to object.
6. Security and compliance
Compliance status — transparent disclosure
Moonbase does not currently hold ISO/IEC 27001 certification, a SOC 2 Type I or Type II report, or a formal NIS2 Art. 21 attestation. We are actively working toward these frameworks and design our controls and processes with their requirements in mind. The sections below describe the direction of travel and the controls we are building, not a current certification. GDPR is a legal obligation that applies regardless of certification, and the substantive GDPR commitments in this notice (lawful basis, data-subject rights, breach notification, purpose limitation) bind us today.
Customers requiring a current trust pack with the latest evidence on what is implemented today versus on the roadmap should contact hello@moonbase.be.
6.1 Security baseline (current and target)
The technical and organisational controls we operate or are putting in place include:
- Encryption in transit — TLS 1.2 or higher for all telemetry, Portal, and API traffic.
- Encryption at rest — managed-key encryption (AES-256) for the Portal database and storage buckets.
- Authentication & access — Microsoft Entra single sign-on for Portal administrators; multi-factor authentication for Moonbase staff with production access; role-based access control with least privilege.
- Audit logging — Portal administrative actions and production-system access by Moonbase staff are logged. Retention is being formalised toward a minimum 12-month window.
- Vulnerability management — dependency monitoring on every build; security patches applied within a 30-day window for non-critical issues and an accelerated window for critical issues.
- Change management — production changes go through code review, automated testing, and a tracked release process.
- Backups and recovery — automated, encrypted backups of Portal data; restore procedures are being documented and tested on a recurring cadence.
- Personnel — security and privacy awareness training is being formalised, with role-based training for engineers and operators.
Items framed as "being formalised" or "being documented" are on our active roadmap; the underlying technical control is in place but the formal policy or evidence trail is still maturing.
6.2 GDPR (Regulation (EU) 2016/679)
GDPR is a legal obligation, not an aspirational framework. Moonbase processes personal data in line with the GDPR principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. Our substantive GDPR commitments — lawful basis (Section 2.3), purpose limitation (Section 2.2), data-subject rights (Section 8), and breach notification (Section 6.6) — bind us today.
The formal artifacts supporting these commitments are being progressively built out:
- a Record of Processing Activities (RoPA, Art. 30) is being formalised;
- a Data Processing Agreement (DPA, Art. 28) template is available on request and is being standardised;
- data-subject rights procedures (access, rectification, erasure, restriction, portability, objection — Arts. 15-22) are documented and operated;
- a Data Protection Impact Assessment (DPIA) framework for high-risk processing is being put in place;
- privacy contact: privacy@moonbase.be.
6.3 ISO/IEC 27001 — working toward
Moonbase is working toward an Information Security Management System ("ISMS") aligned with ISO/IEC 27001:2022 and is not currently certified. Our roadmap targets the Annex A control domains relevant to Elevate and the Portal — organisational controls, people controls, physical controls, and technological controls — including access management, cryptography, secure development, supplier relationships, threat intelligence, logging, incident management, business continuity, and compliance. We intend to perform formal risk assessment and treatment at least annually once the ISMS scope is locked. A Statement of Applicability will be made available to Customers under NDA when published.
6.4 SOC 2 — working toward
Moonbase is designing controls in alignment with the AICPA Trust Services Criteria — Security, Availability, Confidentiality, and Privacy. Moonbase has not yet completed a SOC 2 Type I or Type II examination, and no SOC 2 report is currently available. Customers in regulated sectors that require a SOC 2 report should contact hello@moonbase.be for the current roadmap and interim assurance options.
6.5 NIS2 (Directive (EU) 2022/2555) — working toward
Moonbase is designing its security programme toward the cybersecurity risk-management measures listed in Art. 21 NIS2. We have not yet completed a formal NIS2 Art. 21 measures programme, nor a formal assessment of whether Moonbase or specific Customer scenarios fall in scope as essential or important entities. The Art. 21 measure areas we are working toward include:
- policies on risk analysis and information system security;
- incident handling — detection, response, and recovery;
- business continuity, backup management, and crisis management;
- supply-chain security, including direct supplier and service-provider security;
- security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure;
- policies and procedures to assess the effectiveness of the cybersecurity measures;
- basic cyber-hygiene practices and cybersecurity training;
- policies on the use of cryptography and, where appropriate, encryption;
- human resources security, access-control policies, and asset management;
- multi-factor authentication, secured voice/video/text communications, and secured emergency communications.
Where Moonbase is, in future, confirmed as a regulated entity under NIS2, it will comply with applicable incident-reporting obligations to the relevant Belgian competent authority (CCB).
6.6 Personal data breach notification
Breach notification under GDPR is a legal duty and applies regardless of certification status. In the event of a personal data breach, Moonbase will notify:
- Customers, where Moonbase acts as processor — without undue delay after becoming aware of the breach, providing the information required by Art. 33(3) GDPR to enable the Customer's own notification within the 72-hour deadline;
- Supervisory authority, where Moonbase acts as controller — within 72 hours of awareness, in accordance with Art. 33 GDPR;
- Data subjects — without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with Art. 34 GDPR.
Where Moonbase is in scope of NIS2 in future, NIS2 incident-reporting timelines (early warning within 24 hours, incident notification within 72 hours, final report within one month) will be met in parallel.
6.7 Audit and assurance
Customers operating under a written DPA or enterprise subscription agreement may request Moonbase's current trust pack — which discloses, transparently, what is implemented today versus what is on the roadmap (security overview, ISMS scope-in-progress, sub-processor list, DPIA template, penetration-test summary as available). Where a Customer's regulator requires an audit beyond the trust pack, the audit modalities (cost, scope, frequency) are agreed in the DPA.
7. Customer responsibilities
The Customer agrees to:
- keep the contact details of its Portal administrators current;
- inform its end users that, where required by local law, an aggregate count of users assigned an Elevate role in the Customer's Environment is transmitted to Moonbase for licensing purposes (no personal data of those end users is sent);
- configure its own Microsoft Entra and Dynamics 365 environment in accordance with vendor security guidance;
- not block, alter, or tamper with the telemetry signal; and
- cooperate with reasonable security and incident-response requests where a security event affects shared systems.
8. Rights of data subjects (GDPR)
Data subjects have the rights of access, rectification, erasure, restriction, portability, and objection set out in Arts. 15-22 GDPR, and the right to lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données). Requests should be sent to privacy@moonbase.be; we respond within one month of receipt, extendable by two months for complex requests.
9. Changes to this notice
We may update this notice from time to time. Material changes — including any change to the telemetry data points listed in Section 2.1 or to the purposes in Section 2.2 — will be communicated to registered Portal administrators by email, with a reasonable notice period before taking effect.
10. Governing law
This notice is governed by Belgian law, and any disputes regarding it are subject to the exclusive jurisdiction of the courts of Antwerp, Belgium, without prejudice to the rights of data subjects to lodge complaints with their local supervisory authority.
11. Contact
General: hello@moonbase.be
Privacy: privacy@moonbase.be
Security incidents: security@moonbase.be