What you're approving, and where your data lives
Before your IT administrator clicks our one-time approval link, this page explains — in plain English — exactly what is created in your Microsoft environment, why, and how you can limit or undo it. SecondBrain Sharp Pricing has passed Microsoft's Teams Store certification review, and our privacy policy, terms, and security overview are published at secondbrain.com.au/legal/.
What lives in YOUR Microsoft environment
- The Teams app itself — installed from the Microsoft Teams Store like any other app.
- One registration entry for our application — visible to your IT team under Entra ID → Enterprise Applications, created when your admin clicks our one-time approval link. It carries exactly two permissions:
  - "Sign in and read user profile" — the standard sign-in permission Microsoft prints for virtually every app; basic identity only (name, email).
  - "Read mail in all mailboxes" — explained below; restrictable and revocable.
That is everything. We get no user accounts in your tenant, no admin rights, and no access to your files, SharePoint, Teams chats, calendars, or Azure. We cannot send, delete, or alter email. Your admin can revoke the registration at any time in one click.
Why the mail permission exists
Westpac and St.George email a one-time security code to the broker's inbox during portal login. Our automation reads that code via Microsoft's official API to complete the login the broker themselves requested.
- Read-only. Triggered only by the broker's own pricing request.
- The email is not stored — the code is used once and discarded.
- Firms that don't use Westpac or St.George can skip this approval entirely and still use the other seven banks.
Restricting the permission to nominated mailboxes
Your Exchange administrator can restrict the mail permission to only the nominated broker mailboxes with a single PowerShell command (an Exchange application access policy). We provide the instructions as part of onboarding — ask your account contact or email support@secondbrain.com.au.
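As an added illustration (not SecondBrain's own onboarding instructions), this is what an Exchange Online application access policy of this kind typically looks like, including a check that it took effect. The application ID is a placeholder to copy from the Enterprise Applications entry, and the group name and mailbox addresses are constructed for the example.

```powershell
# Added example. Every value below is a placeholder or constructed sample,
# not a value published by SecondBrain.
$AppId      = '<application-id-from-enterprise-applications>'      # placeholder
$GroupName  = 'Broker OTP Mailboxes'                               # hypothetical group name
$GroupSmtp  = 'broker-otp-mailboxes@example.com'                   # constructed address
$Brokers    = 'broker.one@example.com', 'broker.two@example.com'   # constructed addresses
$OutOfScope = 'director@example.com'                               # constructed; must stay unreadable

# Requires the ExchangeOnlineManagement module and an Exchange administrator role.
Connect-ExchangeOnline

# 1. Mail-enabled security group holding only the nominated broker mailboxes.
New-DistributionGroup -Name $GroupName -Type Security `
    -PrimarySmtpAddress $GroupSmtp -Members $Brokers

# 2. Restrict the application to members of that group. RestrictAccess means
#    the app can reach mailboxes in the group and nothing outside it.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $GroupSmtp `
    -AccessRight RestrictAccess `
    -Description 'Limit app mail read to nominated broker mailboxes'

# 3. Verify from the tenant side: test one mailbox that should be in scope
#    and one that should not, and print the policy decision for each.
foreach ($mailbox in $Brokers + $OutOfScope) {
    $result = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
    '{0,-30} {1}' -f $mailbox, $result.AccessCheckResult
}

# 4. Keep a record of the policy now attached to this application.
Get-ApplicationAccessPolicy | Where-Object AppId -eq $AppId | Format-List
```

The nominated mailboxes should report Granted and any mailbox outside the group Denied; if the out-of-scope mailbox reports Granted, the policy is not scoped as intended. Policy changes can take an hour or more to apply to live API calls, so re-run the check before relying on it.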
What lives in OUR environment
The pricing service itself — the "brain" the Teams app talks to — runs in SecondBrain's Microsoft Azure subscription, in the Australia East region. Clients need no Azure of their own.
- Each client firm gets its own dedicated, isolated Azure Key Vault (Microsoft's purpose-built encrypted secret store) holding the bank-portal logins their brokers enter. Credentials are entered through a secure wizard inside Teams — never visible in chat history, never shared between client firms.
- Submission history and a full audit trail of every credential access (who, when, which bank, outcome), retained 7 years in line with Australian financial-records expectations.
Frequently asked questions
Are you logging into our Microsoft account?
No. No accounts, no logins, no admin access. One registration entry, controlled and revocable by you.
Can you read all our email?
The permission technically allows mail reading via Microsoft's API, which is why we show you how to restrict it to nominated broker mailboxes only. In practice it is used solely to fetch bank security codes during a login your broker requested, and the email is never stored.
Can we limit or revoke it?
Yes — restrict to specific mailboxes with one Exchange command; revoke entirely in one click under Enterprise Applications.
Where are our bank passwords kept?
In a dedicated, encrypted Azure Key Vault exclusive to your firm, in Microsoft's Australian data centres.
Do you see our Teams messages?
Only messages sent directly to the bot, routed via Microsoft's bot service. Nothing else.
What if we leave?
Revoke the app in one click; we delete stored credentials on request.
Do all banks need this?
No — only Westpac and St.George use emailed security codes. The other seven banks work with no IT involvement at all.