Data Custodianship Assessment & Remediation

You can't protect data you can't find — or that everyone can touch.

A structured mapping of where your sensitive data actually lives, who can access it, how long it's kept, and how it's protected — followed by hands-on remediation of the ownership, permission, and retention gaps the mapping reveals. Built on deep experience governing data in legal and insurance environments, where custodianship is existential.

Why it matters

Data sprawl is the risk nobody owns — until something goes wrong.

Years of growth leave a familiar mess: client files duplicated across shares, departed employees' folders nobody dares delete, “everyone” permissions granted during a crunch and never revoked, and sensitive data scattered through email, SaaS apps, and personal drives. No one decided this. It just accumulated.

It stays invisible until it isn't: a breach where you can't tell clients what was exposed, a litigation hold you can't reliably execute, a privacy request you can't fulfill, or an insurance questionnaire asking how you govern sensitive data — with no honest answer available.

This engagement does both halves: the assessment that maps the reality, and the remediation that fixes it — ownership assigned, permissions tightened, retention enforced, and protection applied where the data actually lives.

Especially valuable if…

  • Nobody can say with confidence where all the sensitive data is
  • Permissions have accumulated for years without review
  • Client, regulatory, or privacy obligations (CCPA and beyond) apply to your data
  • Retention exists as a policy document but not as practice
  • Your MSP holds the backups — and you've never verified you could take your data and leave
  • A breach, audit, litigation hold, or AI rollout would expose the sprawl

The MSP question

Who really holds your data — you, or your provider?

When an MSP runs your environment, your data often lives inside their world: backups stored under their licenses in their tenant, file platforms tied to their agreements, admin credentials they control. That arrangement works fine — right up until it doesn't.

If your MSP went insolvent tomorrow, was acquired, suffered its own breach, or locked your accounts during a billing dispute — could you reach your data? Could you take it and leave?

Custodianship means being able to answer yes, with evidence. We verify the ownership and portability of your data as part of every engagement: who legally owns the backup platform and its contents, whether copies exist outside the provider's control, what the contract says about data return and offboarding, and whether any of it has ever actually been tested. The goal isn't distrust of your MSP — it's making sure your business never depends on a vendor relationship staying healthy forever.

Questions every client should be able to answer

  • Do we own the backup platform and its data — or does our MSP own it on our behalf?
  • Are backups stored under the MSP's licenses or tenant, where their departure means our loss?
  • Does at least one copy of our data exist entirely outside the provider's control?
  • Do we hold break-glass admin credentials to our own systems?
  • Does our contract guarantee data return, in a usable format, on a defined timeline?
  • Has switching providers — or simply exporting everything — ever been tested?

What we examine

From discovery to defensible governance.

Discovery

Data Mapping

Locating sensitive data across file shares, email, M365/Google, SaaS apps, and the unofficial places it actually accumulates.

Ownership

Custodianship Model

Assigning a named owner to every significant data set — because data without an owner is data without protection.

Access

Permission Remediation

Tightening access sprawl to least privilege: who can touch what, reviewed and corrected, with a process to keep it that way.

Retention

Retention & Disposal

Defensible retention schedules actually enforced — keeping what obligations require and disposing of what liability says you shouldn't keep.

Protection

Classification & DLP

Labeling sensitive data and applying loss-prevention controls so it can't quietly walk out the door.

Readiness

Obligation Alignment

Mapping practices to your actual obligations — client contracts, privacy law, insurance requirements — and to safe AI adoption, which inherits every permission mistake you have.

What you receive

A governed data estate, not just a report about an ungoverned one.

  1. Sensitive data map

    Where your important data lives, what it is, and who currently has access — the document every incident response begins with.

  2. Remediated permissions

    Access actually corrected to least privilege — not just recommended — with before/after evidence.

  3. Working retention program

    Schedules implemented and enforced in your systems, with a defensible disposal process.

  4. MSP exit readiness

    Verified data ownership, an independent copy of what matters, documented offboarding rights, and a tested portability path — so changing providers is a decision, not a hostage negotiation.

  5. Governance model

    Named owners, review cadences, and a lightweight process that keeps custodianship from decaying again.

Let's connect

Good custodianship is quiet — until the day it's everything.

A breach notification, a litigation hold, a client audit: all of them start with “where is the data and who could touch it?” Have the answer ready.
