Data handling and security

Practical systems require careful data handling.

Many workflow and reporting projects involve internal business data, staff assignments, customer information, financial summaries, or operational records. I use a practical, least-access approach to client work.

Principles

Nine working principles.

  1. Least-privilege access

    Access is requested only for the scope required by the work, and removed when the work is complete.

  2. Client-owned Microsoft environment

    Work happens inside the client's Microsoft 365 tenant whenever possible. The client owns the data and the system.

  3. No unnecessary local storage of client data

    Client data stays in the client environment. Files are not copied locally without a specific reason and the client's knowledge.

  4. Separate workspaces for each client

    Each engagement has its own isolated workspace. No shared notes, shared sandboxes, or cross-client data.

  5. MFA-enabled accounts

    All accounts used for client work have multi-factor authentication enabled.

  6. Documented workflows

    Every system I build comes with documentation so the client is not dependent on me to understand or operate it.

  7. No sale or reuse of client data

    Client data is never sold, shared, or repurposed. Period.

  8. No public use of client screenshots without written permission

    Real client work is not used in marketing materials, demos, or case studies without explicit written consent.

  9. Clear offboarding and access removal

    When an engagement ends, access is removed promptly and documented in writing.

What this does not claim

Not a compliance certification.

This page is not a claim of regulatory compliance for every industry.

If your organization has specific legal, regulatory, or contractual requirements, those should be reviewed with appropriate legal, compliance, or IT and security professionals. I am happy to work within compliance frameworks your organization already has in place, but Scott Campbell Consulting does not provide compliance certification.

Have questions about how a project would handle your data?

The Reporting Systems Audit is also where data-handling questions get answered. We can map exactly what stays where, who has access, and how the system is structured.