Does our data leave our Microsoft 365 tenant?

No. Documents, metadata, and audit logs all live inside your SharePoint libraries, which are inside your M365 tenant. The only exception is when DocuSign is enabled — documents transit DocuSign for the signing ceremony and return immediately.

The architecture

docs365.ai is a layer on top of SharePoint Online. It doesn’t move documents to our servers. It doesn’t cache them. It doesn’t back them up to a different cloud. Your documents live in SharePoint inside your M365 tenant, governed by the tenant’s security, compliance, and data-residency policies.

What we see and don’t see

Our service accounts need appropriate permissions in your tenant to operate, typically scoped to the document libraries under governance. Our engineering team doesn’t have unilateral access to your document content. Access to customer content happens only when a customer explicitly requests troubleshooting support, and the session is logged.

The DocuSign exception

When the DocuSign integration is used for PAdES signing, the document transits DocuSign briefly for the signing ceremony — signer authentication, signature application — and returns to SharePoint as the authoritative version. DocuSign is not the archive. Its role is the signing ceremony only.

For customers with strict data-residency or data-sovereignty requirements, the DocuSign EU region is the default for EU tenants. Customers who cannot use DocuSign at all can turn off the integration; standard approval with audit-log evidence handles workflows that don’t require cryptographic signatures.

What this means for compliance

GDPR data-residency (EU Data Boundary), HIPAA storage requirements, and most sector-specific residency rules are satisfied by the architecture itself rather than by configuration. The assertion “data stays in our tenant” is an architectural property, not a policy statement that could be violated.

See the “Microsoft 365 as a compliance platform” guide for the full argument and how Microsoft’s attestations apply.
