Security & Trust
Impact Agent is designed to work inside your Microsoft 365 environment, using Microsoft Graph to access content you already have permission to access and saving outputs back to your OneDrive.
Overview
Impact Agent turns Microsoft 365 work evidence into manager-ready updates. The goal is to minimize friction while respecting your existing Microsoft 365 security and compliance model.
What data does it access?
Impact Agent accesses only what’s required to generate your updates, and only within:
• the permissions granted during consent/admin approval
• content the user already has access to in Microsoft 365
You can configure what it focuses on (time range, projects, keywords, stakeholders) to reduce noise.
Does it copy tenant data into a separate system?
No. Impact Agent does not create a secondary repository of your mailbox or Teams history. It works with Microsoft 365 content through Microsoft Graph and stores only the generated updates plus the minimal app state needed to organize them.
Where is data stored?
Generated outputs are saved to the user’s OneDrive (typically in an app folder). That means you can move, rename, delete, and share outputs using standard Microsoft 365 controls.
Permissions
Impact Agent uses Microsoft Graph permissions and can only access what those permissions allow. Admins can review and approve permissions using standard Microsoft 365 governance processes.
Principle: least privilege — start small and expand only if needed for your use case.
Review before sharing
Impact Agent is built around “draft, then review.” You can edit the wording, remove anything you don’t want included, and decide whether/how to share.
Auditability & traceability
Where possible, Impact Agent keeps traceability to help you understand what informed an update (for example, links back to the original email/meeting/file). This supports trust and reduces the risk of “hallucinated” claims.