Security / Overview (printable)

Use your browser's “Save as PDF” option to export this page as a clean 2-pager for your IT team.

Zentriq — Security Overview

Zentriq for Business Central

Two products, separately installable. PunchOut: Chrome extension + BC mini app, captures e-commerce carts as Requisition Worksheet lines. Agent: BC extension, in-product AI chat. SaaS, multi-tenant, GDPR + Swiss nFADP compliant.

1 · Architecture — PunchOut (Chrome → BC direct)

┌──────────────┐               ┌──────────────┐
│  User in     │ ────HTTPS───▶ │  E-commerce  │
│  Chrome      │               │  site DOM    │
└──────┬───────┘               └──────────────┘
       │ cart data stays in browser
       │
       ├── HTTPS ──▶ Zentriq backend (EU) — credit check & debit only
       │              (no cart contents)
       │
       └── HTTPS ──▶ Your BC tenant — OAuth2 PKCE, user's own token
                     (Requisition Worksheet lines inserted directly)

2 · Architecture — Agent (BC → Zentriq → Anthropic)

┌──────────────┐  HTTPS  ┌──────────────────┐
│  BC user     │ ──────▶ │ Zentriq backend  │
│  (browser)   │         │ (Vercel EU)      │
└──────────────┘         └────────┬─────────┘
                                  │
                  ┌───────────────┼──────────────┐
                  ▼               ▼              ▼
          ┌──────────────┐ ┌─────────────┐ ┌──────────────┐
          │ Anthropic    │ │ BC API      │ │ Neon         │
          │ Claude (US)  │ │ (your       │ │ Postgres EU  │
          │ ZERO RETAIN  │ │  tenant)    │ │ (encrypted)  │
          └──────────────┘ └─────────────┘ └──────────────┘

3 · What Zentriq Accesses

PunchOut — does access

Cart DOM (in-browser, read only). Microsoft account email + tenant ID. In BC: read Item / Item Template / Vendor / Req. Wksh. Name; insert on Requisition Line. Capture metadata (timestamp, vendor host, line count).

PunchOut — does NOT access

Cart contents on Zentriq servers (Chrome → BC direct). Other tenants. Anything outside the Requisition Worksheet path. No AI inference involved.

Agent — does access

Microsoft account email + tenant ID. BC data fetched in real time to answer queries (scoped by the user's BC permissions). Chat history (stored so conversations can resume).

Agent — does NOT access

Full BC database export. Credentials or passwords. Data from other tenants. Your data is never used to train AI models (Anthropic zero-retention).

4 · Encryption (both products)

In transit (end-to-end)	TLS 1.3 (min TLS 1.2)
Database at rest	AES-256 (Neon managed)
BC refresh tokens at rest	AES-256-GCM application-layer, key rotated quarterly
File attachments	AES-256 (Vercel Blob)

5 · Microsoft Entra ID — permissions requested

openid / profile / email — sign-in
Dynamics 365 Business Central API — Financials.ReadWrite.All — read / write BC data on the user's behalf, scoped by their BC permission set
offline_access — refresh token (Agent only; PunchOut uses short-lived access tokens directly from Chrome)

Your BC permissions are the ultimate gate — Zentriq cannot exceed what the user's own BC account is allowed to do. The PunchOut BC permission set (Zentriq Punchout) is least-privilege by design: read Item / Vendor / Req. Wksh. Name; insert Requisition Line. Nothing more.

Zentriq — Security Overview (cont.)

6 · Data Residency

Data	Region	Provider
Database (accounts, billing, Agent chats)	EU (Frankfurt)	Neon
Application runtime	EU (Frankfurt + Paris)	Vercel
Blob storage	EU	Vercel Blob
Error tracking	EU (Frankfurt)	Sentry
AI inference (Agent only)	US (zero retention)	Anthropic
PunchOut cart contents	Never persisted on Zentriq	—
BC data	(your tenant, never relocated)	Microsoft

7 · Retention

Agent conversations — until user deletes or closes account
PunchOut capture history — metadata only (no cart contents), 12 months
Usage + Sentry error logs — 90 days rolling
BC refresh tokens — until disconnect, or 90 days inactivity
Stripe billing records — 7 years (legal obligation)

8 · Operational Controls

Access

Production DB access restricted to 2 staff. MFA everywhere. Every access logged.

Deploys

GitHub → Vercel pipeline. Signed commits. Automated tests before every merge.

Monitoring

Sentry for errors + traces. Uptime probes on /api/health every 60 s.

Incident response

GDPR Art. 33 — 72-hour notification. Post-mortem published once incident is closed.

9 · Subject-Access Rights (GDPR / nFADP)

Export — full JSON export on request (30 days SLA)
Delete — self-service account deletion from the dashboard, cascades all data
Disconnect BC — revoke the BC OAuth token anytime in the dashboard, or uninstall the BC .app; instant effect
Object / restrict — email privacy@zentriqsoftware.com

10 · Certifications

GDPR + Swiss nFADP — compliant
SOC 2 Type II — in progress, expected Q4 2026
ISO 27001 — 2027 roadmap

11 · Contact

Security: security@zentriqsoftware.com · Privacy: privacy@zentriqsoftware.com · General: support@zentriqsoftware.com

Zentriq Software · Switzerland · www.zentriqsoftware.com · Last updated May 2026