Compliance document management on Microsoft 365
ISO 9001, ISO 27001, GDPR, HIPAA, FDA 21 CFR Part 11, SOX, NIS2. Document-management capabilities aligned to the regulations your organization actually faces — inside the Microsoft 365 tenant you already trust.
Two tiers, clearly stated
We position the product honestly against each compliance regime. Some are fully supported end-to-end. Others are regimes the product can be used in, as part of the customer's compliance program, without being positioned as a certified or validated solution for that specific regulation.
The distinction matters. It tells your compliance team exactly what to expect from the tool and what remains your team's responsibility.
Tier A — fully supported end-to-end
Built to support the document-control obligations
For these regulatory regimes, the product is designed and built to support the full document-control scope end-to-end. Certification of your program remains between your organization and your auditor; the tool is built for the regime.
ISO 9001
Map your ISO 9001:2015 clause 8.5 obligations to product features — clause by clause.
ISO 27001
Access-controlled documents and a full audit trail for your ISMS documentation.
GDPR
Data-minimization-friendly retention, documented lifecycle, and an audit trail you can show the regulator.
Tier B — can be used in your compliance program
Capabilities customers use — validation remains with you
For these regimes, the product provides general-purpose document-governance capabilities (audit log, versioning, sequential approval, access control, expiration reminders, archive) that customers use as part of their compliance program. It is not positioned as a certified or validated solution for the specific regime.
HIPAA
Controlled access, documented handling, and full audit trail for PHI-adjacent documentation.
FDA 21 CFR Part 11
Audit trails, controlled approval, and PAdES e-signature for pharma and medical-device documentation.
SOX
Controlled change, audit-log evidence, and retention for financial-controls documentation.
NIS2
Document-lifecycle controls for the new EU directive on network and information security.
What "compliance document management" actually means
Every compliance framework has a document-control component. ISO 9001 requires you to maintain and retain documented information. ISO 27001 requires you to control documented information as evidence of your information security management system. GDPR requires a Record of Processing Activities. FDA 21 CFR Part 11 requires audit trails, access controls, and electronic signature integrity for regulated records. HIPAA requires an audit log for ePHI. The specific requirements differ; the underlying infrastructure need is the same: controlled creation, controlled change, controlled approval, controlled access, controlled retention, controlled destruction.
docs365.ai provides that infrastructure inside your Microsoft 365 tenant. The clauses below show exactly which product capability maps to which regulatory obligation — so your compliance team can trace capability to requirement rather than taking marketing claims on faith.
ISO 9001:2015 — Tier A
Clause 7.5 — Documented information
ISO 9001 Clause 7.5 obligates the organization to create and update documented information (7.5.2) and to control documented information so that it is available where needed, adequately protected, distributed, stored, preserved, and retained (7.5.3). Clause 8.5 adds specific documented-information requirements for production and service provision.
| Clause | Requirement | Product capability |
|---|---|---|
| 7.5.2 | Identification and description (title, date, author, reference number) | Mandatory metadata fields on every document template; auto-populated document ID |
| 7.5.2 | Format (e.g., language, software version) and media (e.g., paper, electronic) | Template-enforced formatting; PDF/A publication; SharePoint Online storage |
| 7.5.2 | Review and approval for suitability and adequacy | Sequential approval workflow; configurable reviewers/approvers per document type |
| 7.5.3(a) | Available and suitable for use, where and when needed | Role-based access; published documents surfaced to the right audience automatically |
| 7.5.3(b) | Adequately protected (from loss of confidentiality, improper use, loss of integrity) | Azure AD permissions; version history; immutable audit log |
| 7.5.3(b) | Distribution, access, retrieval and use; storage and preservation; control of changes; retention and disposition | Controlled distribution on approval; document lifecycle stages (draft → approved → expired → archived) |
ISO 27001:2022 — Tier A
Clause 7.5 — Documented information
ISO 27001 Clause 7.5 requires documented information to be created, updated, and controlled as evidence of the information security management system (ISMS). Annex A controls add specific requirements: A.5.33 (protection of records), A.5.34 (privacy and protection of PII), A.8.4 (access to source code).
| Clause | Requirement | Product capability |
|---|---|---|
| 7.5.1 | ISMS shall include documented information required by this standard and determined by the organization as necessary | Configurable document types and metadata schemas per ISMS scope |
| 7.5.2 | Creating and updating: identification, format, review and approval | Template creation; mandatory fields; sequential approval with approver designation |
| 7.5.3 | Documented information shall be available and protected from loss of confidentiality, integrity, or availability | Azure AD access control; versioning; retention policies; audit trail for every access event |
| A.5.33 | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release | Immutable audit log; in-place hold; permission-based access; archive with retention lock |
GDPR — Tier A
Articles 5, 24, 30 — Accountability and records of processing
GDPR Article 5(2) establishes the accountability principle: the controller shall be responsible for, and be able to demonstrate compliance with, the data protection principles. Article 30 requires maintaining Records of Processing Activities (RoPA). Article 24 requires implementing appropriate technical and organisational measures.
| Article | Requirement | Product capability |
|---|---|---|
| Art. 5(2) | Controller shall be able to demonstrate compliance with the principles | Immutable audit trail; document lifecycle log; approval records as evidence |
| Art. 30(1) | Maintain a record of processing activities under controller's responsibility in writing, including in electronic form | RoPA maintained as a controlled document with versioning, approval, and audit log |
| Art. 30(4) | Controller shall make the record available to the supervisory authority on request | Export RoPA to PDF/A; access controls allow DPA read-only access if required |
| Art. 32 | Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk | Encryption at rest and in transit (Microsoft 365 platform); access control; audit log; retention |
| Art. 33–34 | Notification of personal data breach to supervisory authority and to data subjects | Breach-notification SOP managed as a controlled document; approval workflow for breach response |
FDA 21 CFR Part 11 — Tier B
§11.10 Controls for closed systems
21 CFR Part 11 applies to electronic records and electronic signatures used in regulated pharmaceutical, biotech, and medical-device operations. §11.10 defines the required controls for closed systems (systems to which access is controlled by persons responsible for the content of electronic records on that system). The product provides capabilities that customers use in their Part 11 programs; CSV validation remains with the customer's QA team.
| §11.10 sub | Requirement | Product capability |
|---|---|---|
| §11.10(d) | Limiting system access to authorized individuals | Azure AD access control; permission sets per document type and lifecycle stage |
| §11.10(e) | Secure, computer-generated, time-stamped audit trails | Immutable SharePoint audit log with UTC timestamps; who viewed, edited, approved |
| §11.10(f) | Operational checks to enforce permitted sequencing of steps and events | Sequential approval workflow; mandatory step gates; no out-of-order progression |
| §11.10(g) | Authority checks to ensure only authorized individuals can electronically sign | Role-based signature authority; PAdES e-signature via DocuSign |
| §11.50 | Signed records must display signer name, date/time, and meaning of the signature | PAdES certificate includes identity and UTC timestamp; signature meaning captured per workflow step |
| §11.70 | Electronic signatures must be linked to their respective records; alterations must be detectable | PAdES embedded in PDF; DocuSign transaction ID in SharePoint metadata; versioning detects post-signature changes |
Frequently asked compliance questions
Does the product come with a compliance certification?
No. We do not ship a pre-certified or pre-validated product. Certification of your compliance program is the relationship between your organization and your certifying body or regulatory authority. The product provides the document-control infrastructure that your program runs on.
We are already on Microsoft 365. Does this replace SharePoint or add to it?
It adds to it. The product is built on SharePoint Online and uses your existing Microsoft 365 tenant. You do not replace SharePoint; you add governed document lifecycle on top of the infrastructure you already operate and trust.
Can one deployment cover multiple regulations simultaneously?
Yes — and this is the most common configuration for regulated industries. A pharma company typically needs ISO 9001 (quality management), ISO 27001 (information security), GDPR (data protection), and FDA 21 CFR Part 11 (electronic records) at the same time. One deployment, one library, one audit log — different document types and metadata schemas per regulatory requirement.
How is the Tier A / Tier B distinction defined?
Tier A means the product is built and tested to support the full document-control scope of the regime — every audit requirement, every approval requirement, every access-control requirement has a corresponding product capability. Tier B means the product provides general document-governance capabilities (versioning, approval, access, retention, audit log) that customers use as part of their compliance program, but the product is not specifically designed or positioned for that regime's unique requirements.
What does an implementation look like?
Implementation typically runs 4–8 weeks. Week 1–2: tenant configuration and document-type design. Week 2–4: template build and workflow configuration. Week 4–6: user acceptance and training. Week 6–8: go-live and first audit cycle. For pharma customers with CSV requirements, IQ/OQ adds 2–4 weeks on top.
Map your compliance needs to the product
Book a free 30-minute assessment. We'll walk through which regulations apply to your organization and produce a tier-by-tier fit analysis.