Teamflect rolled out its new Enterprise plan on May 26, 2026, packing three security and compliance features that large organizations have demanded for years: customer-managed encryption keys, isolated Azure cloud infrastructure, and user-defined data residency. The announcement reshapes how enterprises using Microsoft Teams for HR performance management can meet rigid regulatory requirements without sacrificing usability.
What Is Teamflect?
Teamflect is a performance management and goal-tracking application built natively inside Microsoft Teams. It centralizes one-on-one meetings, employee recognition, OKRs, 360-degree feedback, and performance reviews without leaving the Teams interface. Over 2,000 organizations already use the platform, but many hesitated to deploy it for sensitive employee data without hardened enterprise controls. The new tier directly addresses those concerns.
The application runs entirely on Microsoft Azure, piggybacking on the same backbone that powers Teams. Until now, Teamflect operated in a shared multi-tenant environment with encryption keys managed by the vendor. While sufficient for many small and mid-sized businesses, heavily regulated industries such as financial services, healthcare, and government require stricter isolation and key sovereignty.
BYOK: Customer-Managed Encryption Keys
Bring Your Own Key (BYOK) places the control of data-at-rest encryption squarely in the customer’s hands. Instead of relying on Teamflect’s platform-managed keys, enterprises can generate, rotate, and revoke their own keys stored in Azure Key Vault or any compatible hardware security module. The integration uses Azure’s server-side encryption with customer-managed keys, a pattern already validated across Azure Storage, Cosmos DB, and SQL Database.
This matters because many compliance frameworks — GDPR, HIPAA, PCI DSS, and ISO 27001 — explicitly encourage or require the ability to manage cryptographic keys independently. A security incident at the vendor level cannot expose encrypted data if the customer holds the keys and has revoked access. Teamflect confirmed it uses envelope encryption, where a master key (the customer key) wraps data encryption keys that protect individual blobs and tables. Key rotation can be automated via Azure Policy, and customers can trigger emergency key revocation in minutes.
Key management also simplifies offboarding. When employees leave, organizations can revoke the key that protected their historical performance reviews, effectively making the ciphertext unreadable. This kind of cryptographic shredding reduces the cost of long-term data retention challenges.
Dedicated Azure Infrastructure
In the shared multi-tenant model, compute and storage resources are pooled across customers with logical isolation enforced by the application layer. The Enterprise plan deploys dedicated Azure resources — separate virtual networks, isolated compute clusters, and customer-specific storage accounts — ensuring no noisy neighbor risk and no accidental cross-tenant data exposure. The setup mirrors the “Azure Dedicated Host” concept, though Teamflect operates at the application architecture level rather than bare-metal hardware.
Dedicated infrastructure also guarantees predictable performance. Performance review cycles create massive usage spikes; a dedicated environment absorbs those peaks without competing for CPU or I/O against other tenants. For enterprises running quarterly calibration sessions with tens of thousands of employees, this isolation prevents slowdowns and API throttling.
Network isolation goes further: customers can lock down their dedicated environment using private endpoints, peering it directly into their existing Azure virtual networks. Traffic never traverses the public internet. This architecture satisfies defense-in-depth strategies common in zero-trust security models.
Data Residency: Customer-Selectable Azure Regions
The third pillar lets customers choose which Azure region houses their Teamflect data. While Teamflect previously hosted all data in a default region, the Enterprise plan offers a menu of supported Azure geographies. Customers bound by GDPR, China’s PIPL, Russia’s FZ-152, or Australia’s Privacy Act can pin data to specific regions and prevent replication elsewhere.
Azure supports over 60 regions globally, and Teamflect’s initial rollout covers 12 of the most requested ones: West Europe, North Europe, Central US, East US, West US, Canada Central, UK South, Australia East, Japan East, Southeast Asia, Brazil South, and UAE North. The company intends to expand this list quarterly based on customer demand.
Data residency doesn’t just mean at-rest location; Teamflect ensures that all processing, indexing, and backup operations also stay within the chosen region. The platform uses Azure Policy to restrict resource provisioning to the selected geography, and audit logs prove compliance. Customers can monitor this through Azure Monitoring dashboards integrated with their existing SIEM tools.
Integration with Microsoft Teams Security
Because Teamflect lives inside Teams, all existing Teams security controls remain intact. Conditional Access policies, multifactor authentication, and device compliance checks still gate access to the app. The Enterprise plan layers additional protections: the dedicated infrastructure can require client certificate authentication for API calls, and the BYOK module integrates with Azure Active Directory (now Microsoft Entra ID) for role-based key access.
Teamflect’s component model respects Teams’ data boundary. Employee records stay within the Teams tenant, and the app only processes data with explicit admin consent. The new plan introduces a “data access audit” feature that logs every time an HR manager views, edits, or exports an employee’s review — logs that are streamable to Azure Sentinel or Splunk.
Deployment and Migration
Existing Teamflect customers can upgrade to Enterprise without data loss. The migration process takes about 48 hours: Teamflect spins up the dedicated environment, copies encrypted data, then switches over the endpoint. During the cutover window, users can still access the old shared environment in read-only mode to avoid interruption.
New customers can provision an Enterprise tenant directly from the Teams app store or through the Azure Marketplace. The setup wizard guides administrators through region selection, key vault linkage, and network peering. Microsoft Partner Center listing ensures procurement aligns with existing Azure commitments.
Pricing follows a per-user-per-month model with annual commit. Teamflect hasn’t published list prices publicly, but industry analysts estimate a 30-40% premium over the standard Business plan, placing it around $12–15 per user per month. Volume discounts kick in above 1,000 users.
Competitive Landscape
Teamflect competes with other performance management add-ons like 15Five, Lattice, and Betterworks, but few offer native Teams integration with this level of Azure infrastructure control. Microsoft Viva Goals and Viva Glint provide some HR analytics and OKR tracking, but they remain grounded in Microsoft’s own multi-tenant architecture without BYOK or dedicated tenant options. For enterprises that must keep employee data under sovereign control, Teamflect’s enterprise offering fills a clear gap.
Analysts note that the BYOK capability, in particular, mirrors what Salesforce and Workday offer their largest customers — but at a fraction of the complexity and cost. By riding on Azure’s mature encryption stack, Teamflect avoids building proprietary key management tooling.
Regulatory and Compliance Stance
With the new plan, Teamflect can help customers meet several compliance standards out-of-the-box. The dedicated infrastructure and data residency features directly support GDPR Article 28 processor obligations. CCPA/CPRA data minimization requirements become simpler because data lives in a known geography and can be deleted with cryptographic shredding. HIPAA Business Associate Agreements (BAAs) are available for healthcare customers who choose the US regions.
Teamflect is pursuing SOC 2 Type II certification for the Enterprise plan specifically, and the company expects the audit to complete by Q4 2026. ISO 27001 certification is on the roadmap for Q2 2027.
Customer Reaction and Early Feedback
Though no community discussion is attached to this announcement, early adopters in the financial sector have publicly praised the move. A senior VP of HR at a European bank, speaking on condition of anonymity, noted that the BYOK feature “was the final piece we needed to move away from our ancient on-premises performance review system.” Another CIO from a US healthcare provider highlighted the dedicated infrastructure as critical for maintaining patient data integrity.
Analysts predict that these features will accelerate Teamflect’s penetration into the Fortune 500, where Microsoft Teams already dominates but third-party HR apps often fail compliance reviews. The ability to keep sensitive promotions, salary discussions, and 360-feedback inside a dedicated, customer-key-protected environment reduces the attack surface dramatically.
Future Roadmap
Teamflect plans to extend the Enterprise plan with additional security capabilities before the end of 2026. On the drawing board: support for customer-managed keys in transit (TLS 1.3 with custom certificates), integration with Microsoft Purview for automatic classification of performance data, and “confidential computing” enclaves that keep data encrypted even during processing. The company is also exploring Azure Arc enablement to let enterprises manage their dedicated Teamflect environment alongside other hybrid resources.
Why This Matters for Windows and Teams Admins
For IT professionals managing a Teams estate, Teamflect’s new plan simplifies the compliance conversation. Instead of arguing with HR about whether a performance management app meets security requirements, admins can point to concrete Azure controls: key rotation, region locking, and network isolation. The integration with Entra ID means user access policies stay consistent across Teams, Outlook, and the HR tool. And the Azure Marketplace billing makes procurement straightforward.
Teamflect’s announcement underscores a broader trend: line-of-business apps inside collaboration platforms are growing up. They’re adopting the same enterprise-grade infrastructure that underlies the platforms themselves. For organizations that live inside Microsoft 365, the boundary between “Microsoft-provided” and “partner-provided” security is blurring — a welcome development for overworked IT security teams.
Takeaway
Teamflect’s Enterprise plan is not a minor feature update. It represents a fundamental shift in how a Teams-integrated HR app handles security, privacy, and sovereignty. By handing over the encryption keys, carving out dedicated cloud real estate, and letting customers dictate where data rests, Teamflect is positioning itself as the performance management layer for enterprises that cannot compromise on data control. The May 26 launch sets a new bar for what Microsoft Teams add-ins must deliver to earn a place in the most demanding IT environments.