Trial Questions
What's included in the 14-day trial?
The trial includes the full Professional tier feature set — every feature available in the paid Professional plan is active during the trial:
- Monitor up to 15 Azure subscriptions
- Track up to 200 secrets, certificates, and keys
- Email notifications via Azure Communication Services or SMTP relay
- Webhook integrations (Generic, Slack, PagerDuty, ServiceNow)
- Custom alert thresholds
- Team routing (route alerts by subscription to different teams)
- Custom email sender domain
- Full dashboard access including Log Explorer
There are no restricted features during the trial.
What happens when the trial expires?
After 14 days, the service enters a hard lock state:
- All API calls return HTTP 402 Payment Required
- The dashboard becomes inaccessible
- Scheduled scans stop running
- No notifications are sent
The hard lock is immediate and automatic. There is no grace period.
The /api/license and /api/health endpoints remain accessible so you can confirm the lock state. The /api/export endpoint also remains accessible so you can back up your configuration before upgrading.
Can I extend the trial?
No. Trial extensions are not offered. If you need more evaluation time, you can deploy a new trial instance — the 14-day clock starts when the managed application is first deployed.
Can I keep my trial data when I upgrade?
Scan history and audit logs are not transferable between deployments. However, your configuration (routing rules, thresholds, email settings) can be transferred using the built-in export/import tool:
- Export your configuration via Settings → Export Configuration (works even after trial expiry)
- Deploy the paid plan
- Import the configuration into the new deployment
See Upgrading Plans for the full workflow.
Pricing
What do the plans cost?
| Plan | Price | Subscriptions | Items |
|---|---|---|---|
| Trial | Free (14 days) | 15 | 200 |
| Professional | $499/month | 30 | 2,000 |
| Enterprise | $1,499/month | Unlimited | Unlimited |
Professional and Enterprise plans are purchased through the Azure Marketplace and billed to your Azure subscription.
What's the difference between Professional and Enterprise?
Professional and Enterprise have the same feature set, with two differences:
- Scale limits: Enterprise has unlimited subscriptions and items; Professional is limited to 30 subscriptions and 2,000 items.
- Network isolation: Enterprise includes Private Endpoints, VNet integration, AMPLS (Azure Monitor Private Link Scope), and private DNS zones. Professional uses public Azure endpoints (protected by Entra ID authentication).
Is there an SLA?
Professional and Enterprise plans include a 99.5% availability SLA. Trial deployments have no SLA.
Security
Can VaultGuard360 read my secret values?
No. VaultGuard360 uses the Key Vault Reader role, which does not include value-retrieval permissions. The application only lists metadata: item names and expiration dates. It cannot read secret values, certificate contents, private keys, or key material — this is a hard constraint enforced by Azure's permission model.
Does the publisher have access to my environment?
No. The publisher (Sentinel Vault Systems) has zero access to your managed resource group — no Contributor role, no JIT (Just-In-Time) access, no standing permissions of any kind. This is configured as "No access" in the Azure Marketplace Partner Center.
The publisher cannot view, query, modify, or delete any resources in your deployment. Your deployment is completely isolated.
Does VaultGuard360 send any data to the publisher?
No. There are no telemetry calls, license checks, or analytics calls to the publisher. All data stays within your Azure tenant. The only outbound traffic from VaultGuard360 is the alert notifications (email, webhooks) that you configure — sent to destinations you choose.
What happens if VaultGuard360 is compromised?
Blast radius is limited to read-only metadata. The managed identity cannot read secret values, modify resources, or escalate privileges. An attacker could access item names and expiration dates — not the secrets themselves.
Where are my credentials stored?
Integration credentials (webhook secrets, SMTP passwords) are stored encrypted in Azure Table Storage within your managed resource group. They are never returned in API responses and are excluded from the configuration export.
Data Residency
Where is my data stored?
All data is stored in Azure Table Storage within your managed resource group, in the Azure region you select during deployment. The publisher does not host or replicate your data.
Can I choose my Azure region?
Yes. You select the Azure region during the deployment wizard. All data (Table Storage, Log Analytics, Application Insights) is deployed to the region you choose.
What data does VaultGuard360 collect?
VaultGuard360 collects only metadata — never secret values or cryptographic material:
| Data | Sensitivity |
|---|---|
| Item names and expiry dates | Low–Medium |
| Vault names, subscription IDs | Low |
| Admin email addresses (user-configured) | PII |
| Scan timestamps and counts | Low |
Does VaultGuard360 comply with GDPR?
VaultGuard360 supports your GDPR compliance posture. Key data handling characteristics:
- Data minimization (Art. 5(1)(c)): Only metadata is collected; secret values are never accessed
- Data residency (Art. 44–49): Data stays in your chosen Azure region
- Records of processing (Art. 30): Audit logs document all data access
- Security of processing (Art. 32): Encryption at rest (AES-256) and in transit (TLS 1.2+)
VaultGuard360 does not hold independent GDPR certifications. Compliance decisions are your responsibility.
Technical Questions
Does VaultGuard360 support Private Endpoints?
Yes, on the Enterprise tier. Enterprise deployments include:
- Private Endpoint for the Function App (inbound access restricted to VNet)
- Private Endpoint for Table Storage (public network access disabled)
- AMPLS (Azure Monitor Private Link Scope) for Log Analytics and App Insights
- Full VNet integration for outbound traffic
- 6 private DNS zones
Which Key Vault authorization model is supported?
VaultGuard360 requires Key Vaults to use RBAC authorization (not legacy access policies). RBAC authorization is the modern, recommended model for Azure Key Vault.
Can I restrict which subscriptions VaultGuard360 monitors?
Yes. Use team routing to control which subscriptions are monitored and where alerts are sent. You can also control access at the RBAC level — only assign the Key Vault Reader role on the subscriptions you want VaultGuard360 to scan.
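To check the RBAC scoping described here and the Key Vault Reader constraint from the Security section, this added example (not VaultGuard360 code or publisher tooling) audits the JSON that `az role assignment list --assignee <principal-id> --all -o json` returns for the managed identity. The principal ID, subscription IDs, vault name and sample records are constructed placeholders.

```python
import json

ALLOWED_ROLE = "Key Vault Reader"  # the only role the page says the scanner needs
# Built-in roles that would break the metadata-only guarantee, with the reason.
RISKY_ROLES = {
    "Key Vault Administrator": "full data-plane access to vault contents",
    "Key Vault Secrets Officer": "can read and write secret values",
    "Key Vault Secrets User": "can read secret values",
    "Owner": "can assign itself further roles",
    "User Access Administrator": "can assign itself further roles",
}

def subscription_of(scope):
    """Return the subscription GUID of an ARM scope, or None for wider scopes."""
    parts = scope.strip("/").split("/")
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        return parts[1].lower()
    return None  # management group or root scope

def audit(assignments, principal_id, monitored_subscriptions):
    """Return (severity, message) findings for one principal's assignments."""
    monitored = {s.lower() for s in monitored_subscriptions}
    findings = []
    for a in assignments:
        if a.get("principalId", "").lower() != principal_id.lower():
            continue  # assignment belongs to another identity
        role, scope = a.get("roleDefinitionName"), a.get("scope", "")
        if role in RISKY_ROLES:
            findings.append(("HIGH", f"{role} at {scope}: {RISKY_ROLES[role]}"))
        elif role != ALLOWED_ROLE:
            findings.append(("MEDIUM", f"unexpected role {role} at {scope}"))
        elif subscription_of(scope) not in monitored:
            findings.append(("MEDIUM", f"{ALLOWED_ROLE} outside monitored set: {scope}"))
    return findings

# Constructed sample input (placeholder GUIDs), shaped like the az CLI output.
PRINCIPAL = "11111111-1111-1111-1111-111111111111"
SUB_A = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
SUB_B = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
SAMPLE = json.loads(f"""[
 {{"principalId": "{PRINCIPAL}", "roleDefinitionName": "Key Vault Reader", "scope": "/subscriptions/{SUB_A}"}},
 {{"principalId": "{PRINCIPAL}", "roleDefinitionName": "Key Vault Secrets User",
   "scope": "/subscriptions/{SUB_A}/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-prod"}},
 {{"principalId": "{PRINCIPAL}", "roleDefinitionName": "Key Vault Reader", "scope": "/subscriptions/{SUB_B}"}},
 {{"principalId": "22222222-2222-2222-2222-222222222222", "roleDefinitionName": "Owner", "scope": "/subscriptions/{SUB_A}"}}
]""")

if __name__ == "__main__":
    for severity, message in audit(SAMPLE, PRINCIPAL, [SUB_A]):
        print(severity, message)
```

An empty result means the identity holds only Key Vault Reader, and only on the subscriptions you intend to have scanned.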
Does VaultGuard360 support on-premises Active Directory?
Yes, if your on-premises AD is synced to Entra ID via Entra Connect. Users sign in with their synced identity. The dashboard authentication flow is handled by Entra ID, not VaultGuard360 directly.
What Azure regions are supported?
VaultGuard360 can be deployed to any Azure region that supports Azure Functions, Table Storage, Azure Communication Services, and Log Analytics. Region availability depends on Azure service availability in your chosen region.
Support
How do I get support?
Email support@sentinelvaultsystems.com with:
- Your Azure subscription ID
- The Function App name and resource group
- A description of the issue
- Output from /api/health and /api/permission-status if applicable
What is the response time for support requests?
Professional and Enterprise customers receive priority support response. Trial users are supported on a best-effort basis.