FAQ / Security & data

Are you HIPAA-certified or ISO 27001-certified?

We don't position the product itself as HIPAA-certified. Microsoft signs a HIPAA BAA covering M365 tenants, and our layer inherits that posture. ISO 27001 certification at the vendor level is in progress; in the meantime, Microsoft's ISO 27001 covers the substrate.

The honest positioning

Tier B regimes like HIPAA don’t have “certify a product” as the primary compliance mechanism. HIPAA compliance is a program, owned by the covered entity or business associate, with the covered entity bearing responsibility for their posture. A vendor claiming “HIPAA certified product” usually doesn’t survive scrutiny.

What’s actually needed:

  • Microsoft’s HIPAA BAA — covers the M365 substrate. Your tenant is in-scope for the BAA.
  • Your own HIPAA program — your privacy team defines the controls, the BAs, the policies.
  • Our layer providing capabilities — the audit log is the §164.312(b) workforce-activity capability. Your program uses our capability as part of your broader HIPAA posture.

This is the model for every Tier B regime: product provides capabilities, customer’s compliance team owns the program.

ISO 27001

Microsoft’s M365 is ISO 27001 certified. Your tenant inherits that coverage — the substrate is certified.

At the vendor layer (us), ISO 27001 certification is on the roadmap. The internal ISMS is operational; the external audit and certification is a longer-horizon investment. When the vendor-level certification lands, it will be reported on this page.

In the meantime, the compliance question for customers is: does my program pass its audits using this tool? The answer for ISO 27001 programs is generally yes — the audit log, versioning, and approval evidence satisfy clause 7.5 documented-information expectations.

See ISO 27001 compliance and HIPAA compliance for deeper detail on each regime.

Related features

Audit log

Every action, every approval, every version — captured against a named user, accessible in 30 seconds.

Deeper context

Compliance · Tier B

HIPAA

Compliance · Tier A

ISO 27001

More in Security & data

?

Does our data leave our Microsoft 365 tenant?

No. Documents, metadata, and audit logs all live inside your SharePoint libraries, which are inside your M365 tenant. The only exception is when DocuSign is enabled — documents transit DocuSign for the signing ceremony and return immediately.

?

Do you have access to our documents?

Our service accounts have scoped access to the libraries under governance — necessary for the integration to function. Our engineering team does not have unilateral content access; support-session access is logged when customers explicitly request troubleshooting.

?

What sub-processors do you use?

Microsoft (M365 as the primary substrate, covered by your existing relationship with Microsoft) and DocuSign when customers enable the integration. We maintain the current list as part of our DPA.

Question not on this list?

A 30-minute assessment is usually the fastest way to get a specific answer to a specific question about your organization's profile.

Book a free assessment or see all FAQs