switchboard
switchboard

Privacy Policy

Last updated 7 June 2026

This policy explains what personal data Switchboard collects, why, and what rights you have. It is written for the UK GDPR and the Data Protection Act 2018.

1. Who is responsible for your data

Switchboard (tools.sam.web.tr) is operated by Sam Webster, an individual based in the United Kingdom, who is the data controller. For any privacy question or to exercise your rights, contact privacy@sam.web.tr.

Where you are a technician using the internal workspace to provide services to a customer, that customer (or your employer) is generally the controller of the customer data you work with, and we act as a processor or sub-processor for that activity. For that processing we will enter into a written data processing agreement meeting the requirements of Article 28 UK GDPR; an organisation can request one by contacting us at the address above. This policy covers the data we handle in our own right.

2. The two surfaces, and what each collects

Public tools (no sign-in)

You can use the public diagnostics tools without an account. We do not ask who you are and we do not run advertising or third-party analytics trackers. When you use a tool:

  • What you type is processed to give you a result.For tools that query external systems, the value you enter (such as a domain, IP address, URL or hostname) is forwarded to the relevant third-party service listed in section 6 so it can respond. Don’t paste personal or confidential data you aren’t entitled to share.
  • We don’t store your tool inputs on our servers beyond the transient processing needed to return a result and ordinary, short-lived platform request logs kept by our host for security and reliability.
  • Preferences stay in your browser.Settings such as theme, the Core/Everything view, favourites, recents and what you last had open in a tool are saved in your browser’s local storage. They are not sent to us and you can clear them via your browser at any time.

Internal workspace (Microsoft sign-in)

When you sign in, we process:

  • Account / directory data from Microsoft Entra ID— your object identifier, email address, display name and any role/group claim used to determine your access level. A user record is created on your first sign-in.
  • Organisation data— the Entra tenant identifier and display name of an enrolled organisation, and who completed enrolment.
  • A session cookie (msp_toolkit_session) — a signed token holding your identifier, email, name and role, set HttpOnly and SameSite=Lax, Secure in production, and valid for 12 hours so the Service knows you’re signed in.
  • An audit log— for administrative and security-relevant actions we record a timestamp, who acted (user reference and email), what action was taken on what target, related metadata, and the IP address and browser user-agent of the request. This log is append-only.

3. Why we process it, and our lawful bases

  • To run the public tools and return the results you ask for — legitimate interests (providing a useful, working tool you have chosen to use).
  • To authenticate you and control access to the internal workspace — legitimate interests and, where applicable, performance of a contract with your organisation.
  • To keep the Service secure— rate-limiting, abuse prevention and the audit log — legitimate interests in protecting the Service and its users, and, where relevant, compliance with a legal obligation and accountability requirements.
  • To operate, debug and improve the Servicelegitimate interests.

The session cookie is strictly necessary to provide the signed-in service, so it does not require consent. We do not use non-essential cookies.

We rely on legitimate interests for much of the above. We have weighed those interests against your rights and freedoms, and you can object to that processing at any time— see section 10.

4. What we don't do

  • We don’t sell your personal data.
  • We don’t use it for advertising or run advertising trackers.
  • We don’t build marketing profiles or carry out automated decision-making that produces legal or similarly significant effects about you.
  • We don’t use artificial intelligence or large-language-model services to process your data — the tools run on deterministic logic and the public data sources listed in section 6. If that ever changes, we will update this policy and the sub-processor list before launching any such feature.

5. Cookies and local storage

We use one strictly-necessary cookie, msp_toolkit_session, described in section 2, plus a short-lived transaction cookie during the sign-in handshake. We use your browser’s local storage to remember preferences (theme, view, favourites, recents and recent tool inputs); that data stays on your device. There are no analytics or advertising cookies.

6. Who we share data with (sub-processors and third parties)

We share personal data only with the providers needed to run the Service, and with the public diagnostic services you invoke when you use a tool:

RecipientRoleWhen data flows
VercelHosting and content delivery (United States)All traffic. Processes request metadata (including IP address) in platform logs.
NeonManaged PostgreSQL databaseInternal workspace only. Stores accounts, organisations and the audit log.
Microsoft (Entra ID / Microsoft 365)Identity provider for single sign-onSign-in to the internal workspace. We receive your directory profile (see below).
Public DNS resolvers — Cloudflare, Google, AdGuard, NextDNSDoH resolution for the DNS / propagation / SPF toolsWhen you run those tools, the name you enter is sent to the resolver(s).
rdap.org and registry/registrar RDAP serversWHOIS / RDAP lookupsWhen you run a WHOIS/RDAP lookup, the domain or IP you enter is queried.
NVD (NIST) and CISAVulnerability and known-exploited-vulnerability dataBacking the CVE feed and dashboard. We send query terms, not your identity.

We keep this list current. If we add or replace a sub-processor, we will update this page and, where we act as a processor for an organisation, take reasonable steps to notify it in advance so it has the opportunity to object.

We may also disclose data where required by law, to enforce our Terms of Service, or to protect the rights, safety and security of the Operator, our users or the public.

7. International transfers

Some of our providers and the public services above are based outside the UK, including in the United States. Where personal data is transferred outside the UK, we rely on an appropriate safeguard recognised under UK data-protection law — such as UK adequacy regulations or the International Data Transfer Agreement / Addendum to the EU Standard Contractual Clauses — or another lawful transfer mechanism.

8. How long we keep it

  • Public tool inputs: not retained by us beyond the moment we process your request; transient platform request logs are kept only briefly for security and reliability.
  • Session cookie: up to 12 hours, then it expires; it is cleared when you sign out.
  • Account and organisation records:kept while the account or organisation is active, and deleted within 12 months of the account being closed or access being withdrawn — unless we need specific information for longer to meet a legal obligation or to establish, exercise or defend a legal claim.
  • Audit log (including IP address and user-agent):a tamper-evident security record — append-only by design, so entries cannot be edited or selectively deleted and are retained for the life of the log. We consider indefinite retention here necessary and proportionate: the log captures only security- and administration-relevant actions (not general browsing), and exists to detect and investigate misuse and to meet our security and accountability obligations. We review periodically whether keeping older entries remains justified. Because of this design, audit entries may persist even where other data about you is erased, to the extent permitted or required by law.

9. How we protect it

The Service is served over HTTPS. The session cookie is signed, HttpOnly and (in production) Secure. Sign-in uses your organisation’s Microsoft single sign-on, and the audit log is append-only at the database level so records cannot be tampered with. We apply access controls and use reputable hosting and database providers. No system is perfectly secure, but we take reasonable measures to protect your data.

10. Your rights

Under UK data-protection law you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data erased in certain circumstances;
  • object to processing based on our legitimate interests — if you do, we will stop unless we have compelling legitimate grounds that override your rights, or need to continue to establish or defend a legal claim;
  • restrict our processing in certain circumstances;
  • data portability where applicable;
  • withdraw consent where we rely on it (we generally do not).

To exercise any of these, email privacy@sam.web.tr. We may need to verify your identity first. Some rights have exceptions — for example, security audit records may be exempt from erasure. If you sign in through your organisation, you may also want to contact it, as it may be the controller for that data.

If you’re unhappy with how we’ve handled your data you can complain to the UK Information Commissioner's Office (ICO) (ico.org.uk), though we’d appreciate the chance to put things right first.

11. Children

The Service is a professional tool intended for adults. It is not directed at children and we do not knowingly collect personal data from anyone under 18.

12. Changes to this policy

We may update this policy from time to time. The “last updated” date at the top shows when it last changed; significant changes will be reflected here. Please check back periodically.

13. Contact

Questions about this policy or your data? Email privacy@sam.web.tr.