Data Privacy & Access Control
The Equation platform enforces access control and data privacy through infrastructure-level policies, secure API routing, and team-specific configurations.
This section explains how data exposure is minimized and how authentication and authorization are handled.
🔐 Access Enforcement
All APIs are deployed behind Azure API Management (APIM).
Backend services (such as Azure Functions or Web Apps) must whitelist the APIM IP addresses and accept traffic only from them, so that they are not exposed publicly.
APIM enforces:
- Entra ID authentication
- Token validation
- Rate limiting and logging
Refer to the Authentication section for details on how access is managed.
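The policy below sketches how the enforcement points listed above can be expressed as an APIM policy. It is an added example, not the Equation platform's own configuration. The named values in double braces, the audience URI, the call limit and the choice of counter key are all placeholders or assumptions. Request logging is usually configured through the APIM instance's diagnostics settings and is not shown.

```xml
<policies>
  <inbound>
    <base />
    <!-- Entra ID authentication and token validation:
         reject any request without a valid bearer token issued by the
         expected tenant for the expected audience. -->
    <validate-azure-ad-token tenant-id="{{equation-tenant-id}}"
                             header-name="Authorization"
                             failed-validation-httpcode="401"
                             failed-validation-error-message="Unauthorized">
      <audiences>
        <!-- Placeholder: application ID URI of the API registration -->
        <audience>api://PLACEHOLDER-API-APP-ID</audience>
      </audiences>
      <client-application-ids>
        <!-- Placeholder: client apps permitted to call this API -->
        <application-id>{{equation-client-app-id}}</application-id>
      </client-application-ids>
    </validate-azure-ad-token>

    <!-- Rate limiting: at most 60 calls per 60 seconds per caller IP.
         The numbers and the key are assumptions for illustration. -->
    <rate-limit-by-key calls="60"
                       renewal-period="60"
                       counter-key="@(context.Request.IpAddress)" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Placing token validation before the rate limit means unauthenticated requests are rejected before they consume a caller's quota. The policy only protects the backend if the backend also refuses traffic that does not come from APIM.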
🔄 Stateless by Default
- Most Equation APIs are stateless: they perform calculations and return results without storing user data.
- This supports repeatable, side-effect-free computation workflows.
🗃️ Clients That Store Data
Some Equation clients provide data persistence features, including:
WaterFuser:
- Project and model management using Speckle
- Version control and collaboration features (e.g. comments)
These clients will have authorization defined independently of the API Platform, typically in the client itself or through integrated services like Speckle.
🔐 Per-App Authorization
In cases where APIs are stateful or expose sensitive operations, apps may implement their own user and permission models.
Common patterns:
- App-specific user accounts
- Role-based access within the app, or a similar model