Do you have access to our documents?

Our service accounts have scoped access to the libraries under governance — necessary for the integration to function. Our engineering team does not have unilateral content access; support-session access is logged when customers explicitly request troubleshooting.

Service-account access

For the product to manage approval flows, log audit events, and run expiration reminders, our service accounts need specific permissions inside your tenant. These are scoped to the document libraries you bring under the governance layer — we don’t need or request access to libraries outside that scope.

The exact permission scope is documented during implementation and reviewed by your IT and security teams. Customers can (and some do) audit service-account activity through the Microsoft 365 audit log, which captures every action our service accounts take in their tenant.

Engineering access

Our engineering team does not have unilateral access to customer content. We don’t read documents for training purposes, marketing analysis, or any non-troubleshooting use.

When a customer explicitly requests support on a specific issue — “this approval isn’t routing correctly for document X” — a support session can be established. The session is logged, time-bound, and limited to the specific documents under investigation, and the access is revoked when the session ends. The customer sees what was accessed and when in the Microsoft 365 audit log.

What customers sometimes ask for that we can’t provide

  • Access to your tenant without your permission. We can’t. The authentication model doesn’t permit it.
  • Copies of your documents outside your tenant. We don’t retain copies.
  • Content analysis for AI/ML model training. No. Customer content isn’t used for training.

Auditor-facing answer

For audits where “does the vendor have access to our data?” is a compliance question, the honest answer is: our service accounts have scoped operational access; our team has no unilateral content access; support access is logged and customer-initiated. The Microsoft 365 audit log is the evidence layer.
