Convince your CTO, CSO or IT security officer
Everything your security and IT team needs to know to approve KeePass Pro. Enterprise-grade encryption, scoped access, and full compliance.
How to convince your CTO, CSO, or IT security officer to choose KeePass Pro
KeePass Pro is a fully integrated password manager built for Microsoft Teams. It enables secure storage, management, and sharing of credentials directly within the Teams interface, while meeting the highest standards of data protection and compliance.
Enterprise-grade security
- AES-256 encryption: Industry-standard protection ensures passwords are only accessible to authorized users.
- Zero access model: KeePass Pro never stores or sees your passwords. All data resides in your Microsoft 365 tenant.
- Microsoft OAuth + Azure AD integration: Enforces corporate identity access, no separate logins required.
- GDPR-compliant hosting: All data is stored securely in your organization’s SharePoint, within the Microsoft cloud, fully aligned with European and HIPAA regulations.
Native Microsoft Teams integration
KeePass Pro is fully integrated with Microsoft Teams: no extensions, no external tools, no extra logins. You can add shared vaults as channel tabs and access personal vaults directly from the Teams sidebar. Each vault is a secure password database file (KDBX) that is stored in your organization's SharePoint, ensuring compliance and control within your Microsoft 365 environment.
Access to a vault is protected by a master key (a password, a key file, or both), meaning that only the users who hold this master key can unlock and view the stored passwords. Even SharePoint administrators or IT staff cannot access the contents of the vault without this key. It's like placing all your sensitive credentials in a locked box stored securely in your own environment, with the assurance that only those who know the combination can open it.
Microsoft Graph permissions
KeePass Pro uses Microsoft Graph with only the necessary scopes to provide secure functionality while respecting user privacy. Here's a breakdown of the requested scopes:
| Scope | Description | Justification | Admin Consent |
|---|---|---|---|
User.Read | Retrieve the properties and relationships of user object. | Allows KeePass Pro to read user information and to display it in the UI. | No |
Files.ReadWrite.All | Read and write file data on OneDrive. | Read and write the KDBX file in user's SharePoint / OneDrive. | No |
email | Access the user's primary email address. | Used to identify the user via the email claim. | No |
openid | Used to sign in with OpenID Connect. | Standard for identity authentication. | No |
offline_access | Access resources on behalf of the user for an extended time. | Allows KeePass Pro to receive refresh tokens and maintain access as older tokens expire. | No |
profile | Access basic information about the user. | Used to enrich the user interface and identify users. | No |
Architecture and flow diagram
Below is a visual representation of how data flows securely through KeePass Pro. All interactions are encrypted, and no data ever leaves your Microsoft 365 environment.
Data management practices
Through the implementation of its different features, KeePass Pro accesses, processes, and stores several types of data. Here's how each is handled:
| Data | Accessed | Cached | Stored | Notes |
|---|---|---|---|---|
| User profiles | Accessed and updated after each login. Stored as long as the organization is active. | |||
| KeePass Configuration | Accessed and updated after tab creation. Stored as long as the organization is active. | |||
| KeePass KDBX | KDBX file never transits through Witivio infrastructure. It remains between the app and SharePoint. | |||
| User data | Includes AAD ID and UPN. Stored as long as the organization is active. | |||
| Teams channel | Name and ID accessed. No cache. Stored as long as the organization is active. | |||
| Teams conversations | No access, cache, or storage. | |||
| Teams files | No access, cache, or storage. |
Built to meet IT and security team standards
- ✅ Zero-trust architecture: No passwords ever transit through external systems. All vaults remain within your Microsoft 365 tenant
- ✅ Microsoft-native: Built on Microsoft Graph and Azure AD for seamless integration and authentication
- ✅ No added infrastructure: KeePass Pro runs entirely inside Teams. No additional servers or services to maintain
- ✅ Granular access control: Role-based permissions per vault, entry, or user group
- ✅ Compliance-ready: Full documentation and auditability via the Trust Center
Template to contact your security or IT team
Use this message to share KeePass Pro with your IT/security team. It summarizes key details to help with fast evaluation:
Hi [Name],
We’re evaluating KeePass Pro, a secure password manager natively integrated in Microsoft Teams. It’s fully GDPR-compliant, does not require external accounts, and stores everything in our Microsoft 365 tenant.
Product page: https://teams-pro.com/keepass-pro
Security docs: https://docs.teams-pro.com/architecture-security/keepass-pro
Architecture diagram: available on Trust Center
Can you take a quick look and let me know if you're OK to proceed with testing?
Thanks!
KeePass Pro is the secure, compliant, and Microsoft-native password management solution your teams will actually use. No browser extensions. No account silos. Just enterprise-grade security inside Microsoft Teams.
👉 Visit the Trust Center or try KeePass Pro in Teams today.