PathixDataverse Forensics
Privacy

What we receive. What we never touch.

Last updated June 2026 · v1.0

Summary

Pathix is a self-hosted forensics platform for Microsoft Dynamics 365 and the Dataverse. It runs entirely inside your Azure subscription. Three commitments shape the rest of this page:

  • Your data stays in your tenant. Pathix L.L.C. (the vendor) does not host, receive, or have standing access to your Dataverse data or to the results Pathix produces.
  • Pathix processes metadata, not your business records. It reads how your environment is configured, never the contents of your business records. This is enforced architecturally, not just by policy.
  • Pathix does store limited personal data about administrative principals(user display names, UPNs) to model the security graph. That data lives in your own tenant. We state this here rather than claiming “no personal data.”

Where your data lives

Pathix deploys via a Bicep template into your own Azure subscription. Scan results, the parsed dependency/security graph, and any AI-generated narration are stored in your Azure SQL database in your tenant. Data residency is determined entirely by where you deploy. The vendor introduces no additional region or residency surface.

By default the vendor has no remote access to a running Pathix instance and receives no telemetry unless you opt in. When you need support, you generate and send a diagnostics bundle that you control.

What Pathix processes

Pathix's Dataverse access runs through a single application user holding a read-only, least-privileged custom role (Pathix Scanner), scoped to a fixed set of system tables. No write/create/delete/append/share privileges. The wrapper around the Dataverse SDK exposes only metadata-shaped methods; generic record retrieval against business tables is not implemented anywhere in the codebase.

Pathix does process:

  • Schema (tables, columns, relationships)
  • Customization components (plugins, workflows, flows, business rules, form scripts, ribbons, forms, canvas apps)
  • Security model (roles, privileges, role assignments, principals, teams)
  • Administrative principal identifiers (see next section)

Pathix does not process:

  • Business record contents (account names, contact emails, opportunity amounts, case fields, custom-entity values)
  • Audit-log before/after values
  • Embedded literal values from workflow / flow execution traces
  • Any value extracted from a customer record

Pathix parses customization source (plugin IL, workflow XAML, flow JSON, form JavaScript, FetchXML, PowerFx) in memory during a scan and discards the raw bodies. Nothing customer-authored is persisted to the database. End-to-end, no exceptions.

Personal data (stated accurately)

To model who can do what, Pathix stores identifiers for administrative principals in your environment (principally user display names and User Principal Names (UPNs) from the systemuser table), plus team membership and role assignments.

  • This personal data is about administrators / principals in the security model, not your customers' or end-users' business records.
  • It is stored in your own Azure SQL, inside your tenant, governed by your Azure RBAC. Pathix L.L.C. does not receive or hold it.
  • Because the data resides in your tenant, you remain its controller. Retention, access, and data-subject requests are exercised through your own Azure controls. Pathix L.L.C.'s position is that of a software supplier, not a data processor, because it never receives the data.

On compliance frameworks: because Pathix holds no business record data, obligations that attach to record content (HIPAA, PCI, and GDPR data-subject rights against record contents) do not attach to Pathix. This is not a claim that no privacy law applies. The principal personal data above is personal data under GDPR/UK-GDPR and similar regimes, and remains in your control within your tenant. We deliberately do not say “Pathix processes no personal data.”

AI features

AI in Pathix is optional. The deterministic core works with zero AI.

  • Bring your own key. You supply your own AI provider key (Azure OpenAI, Anthropic, OpenAI). Prompts and responses flow between your instance and the provider you chose, under your agreement with that provider. Pathix L.L.C. never proxies, resells, or sees these calls.
  • AI never invents facts. AI narrates the graph and may contribute evidence-coupled, clearly-labeled candidate relationships. It never asserts a deterministic dependency or finding.
  • Plugin summarization (decompilation): opt-in, gated, off by default. One AI feature decompiles plugin assemblies (including third-party / ISV assemblies) to narrate their behavior. It is off by default and enabled per-environment only after the customer reviews the cost and confirms, at opt-in, that decompilation is permitted under their vendor agreements. The customer marks any third-party publishers to exclude. The decompilation runs in your tenant with your AI key; raw bytes are discarded and only the behavioral summary is stored. It is available at launch, off by default, and enabled only at your per-environment opt-in.

Data recipients / sub-processors

Because Pathix is self-hosted, there is no Pathix L.L.C.-operated cloud in the data path. The vendor does not aggregate metadata across customers and does not receive a copy of your scan results. Data leaves your tenant only in these bounded cases, all under your control:

  1. Your chosen AI provider: only if you enable AI (BYOK), under your agreement with that provider.
  2. Anonymous product telemetry: only if you opt in (next section). A strictly bounded typed event set; never environment metadata or record data.
  3. License validation: a tiny entitlement payload, and only if you use online validation rather than the offline default.

Because Pathix runs entirely in your tenant, Pathix L.L.C. engages no sub-processors that handle your environment data: there is no vendor data plane to sub-process. The only third party that can receive data is the AI provider you choose and contract with directly.

Telemetry & licensing pings (three things, separated)

  • License validation: mandatory, minimal: license token / entitlement, a tenant identifier, version, timestamp. No usage data, no customer data, no findings data. The default is offline: a local cryptographic signature check with no network call. Online validation is optional plumbing for renewal hints. A lapsed license soft-degrades, never hard-bricks: it blocks new scans and the MCP server but never gates access to data already scanned.
  • Anonymous usage telemetry: not collected in Pathix 1.0. Planned for a post-1.0 release. When the feature ships, the policy will be opt-in mandatory (an administrator affirmatively chooses at install; no implicit collection, no default-on toggle), a single transparent typed event catalog sourced from product code, and it will never collect table/column/role/plugin/workflow names (even hashed), record or user counts at finer than coarse buckets, customer identifiers beyond the license ID, findings content, or any string originating from customer data. The unsafe-collection list is committed to now so it is durable when the feature ships.
  • Crash and support diagnostics (1.0): customer-initiated. Pathix 1.0 does not transmit crash diagnostics automatically. When a problem warrants support engagement, the customer generates a local log export (a zip of relevant logs and scan-phase events) and emails it to help@pathix.app. The customer chooses what to send, when, and reviews the content before sending. By design Pathix logs component identifiers and error types, never raw content from a failed parse, so the export respects the metadata-only boundary by construction. A post-1.0 release is expected to add an opt-in, default-OFF sanitized crash-report flow with “review before send.”

Cookies & tracking on this website

The pathix.app marketing site uses two privacy-respecting analytics tools: Vercel Web Analytics for aggregate pageview metrics (route, referrer, browser / device class, country), and PostHog for product analytics (which pages and links people use, so we can improve the site).

Both are configured to keep your footprint minimal. PostHog is reverse-proxied through pathix.app, so no third-party tracker domain loads in your browser. We set no cookies (an anonymous analytics ID is kept in your browser's local storage to tell sessions apart; it is not linked to your identity). We do not record or replay your session, and we do not build a person profile for anonymous visitors.

No advertising trackers are loaded; no data is sent to Google Analytics, Meta, LinkedIn, or any similar service. Vercel and PostHog act as our website-analytics processors and receive only this anonymized usage data, never your Dynamics environment data.

Your controls

  • Access is governed by your Azure / Entra controls; the database by your Azure RBAC.
  • Retention & deletion: you control the database; removing data or decommissioning the instance is entirely under your control.
  • License lapse: never deletes or hard-locks already-scanned data; it blocks new scans and the MCP server only. (Relevant to the common reviewer question: what happens to our data if we stop paying?)

Contact

Privacy questions: privacy@pathix.app.

This page states Pathix's privacy and data-handling commitment in full. The metadata-only boundary it describes is permanent and not subject to revision.

Pathix

Forensics for Dynamics 365 and the Dataverse.

See it on sample data →
USE CASES
PRODUCT
COMPANY
© 2026 Pathix · self-hosted · metadata-onlyNot affiliated with Microsoft. Dynamics 365, Dataverse, and Power Platform are trademarks of Microsoft Corporation.