Security posture
The architecture, the controls we inherit, and the scope we own. Precise enough for your vendor-risk assessment; short enough to actually read.
Architecture
The shape of the system
docs365.ai Document Management is a governance layer on top of SharePoint Online. Your documents live in SharePoint libraries inside your Microsoft 365 tenant. Identity comes from Microsoft Entra. Versioning uses SharePoint's native engine. Our layer adds the discipline — templates, approval workflows, audit logs, expiration reminders, archival — without moving data out of your tenant.
The practical consequence: we don't operate a data center. Your documents are stored by Microsoft in the region your M365 tenant is provisioned in, under Microsoft's physical security, encryption-at-rest, redundancy, and backup. Our service accounts interact with your tenant via the Microsoft Graph API and SharePoint APIs; there is no separate database where customer content lives.
Controls
Who owns which control
| Control domain | Microsoft 365 (inherited) | docs365.ai layer (ours) | Your tenant (you) |
|---|---|---|---|
| Physical data-center security | ✓ Microsoft operates | — | — |
| Encryption at rest | ✓ Microsoft — SharePoint platform | — | — |
| Encryption in transit | ✓ TLS everywhere | ✓ TLS on all API calls | — |
| Identity + authentication | ✓ Microsoft Entra | Inherits Entra tokens | MFA, conditional access, lifecycle policies |
| Access control | SharePoint permission model | Scoped service-account access | You configure who sees what |
| Audit logging | Microsoft 365 Audit Log | Per-document lifecycle audit log | Retention policy, review cadence |
| DLP / content inspection | Microsoft Purview DLP | — | You configure tenant-wide policies |
| Incident response | Microsoft — platform incidents | 24h notification for our layer | Tenant-level IR owned by you |
| Backup + redundancy | Microsoft — SharePoint platform | — | Optional Purview or 3rd-party backup |
Microsoft attestations
What your tenant already carries
Because documents live in SharePoint inside your M365 tenant, the attestations Microsoft maintains on the platform flow through to docs365.ai-governed documents. A partial list (the full portfolio is published at Microsoft's Service Trust Portal):
Microsoft maintains and renews these attestations on an annual basis. Current status is always at servicetrust.microsoft.com.
Our layer
The controls we own at the vendor level
Secure development lifecycle
Code review on every change. Dependency scanning. SAST/DAST on the build pipeline. Threat modeling on significant feature additions.
Least-privilege service accounts
Service-account permissions scoped to the libraries under governance. Cross-tenant access isolated. Principle-of-least-privilege enforced at the API level.
Internal ISMS
Operational ISMS built on the ISO 27001 control set. External ISO 27001 certification is on the vendor-level roadmap; internal audit is active today.
Incident response
24-hour customer notification for any security incident affecting our layer. Published incident-response procedure. Post-incident review shared with affected customers.
Employee security posture
Background checks on team members with customer-tenant access. Annual security-awareness training. MFA on all production access.
No customer-content training
Customer document content is not used for product training, marketing analysis, or AI/ML model training. Ever. This is a contractual commitment, not a policy we could quietly change.
Shared responsibility
What we don't own — honestly
A lot of the security questions that come up in vendor-risk assessments sit with you rather than with us. Not because we don't care about them — because your tenant is your tenant.
MFA enforcement on your users
Your Microsoft Entra tenant enforces MFA — or doesn't. We inherit whatever you configure. Every approval event in our audit log is only as strong as the Entra session it came from.
Conditional access policies
Location-based restrictions, device-trust requirements, risk-based sign-in — all yours to configure at the Entra level.
Tenant-level DLP
Microsoft Purview DLP policies that prevent exfiltration of sensitive content live at the tenant level. We inherit them for governed documents.
Offboarding discipline
Deprovisioning a user in Entra removes their access to everything — our layer included. Your IT team owns the offboarding process; we inherit the consequence.
Security questionnaire on its way?
Send it over. Most vendor-risk questionnaires (SIG, CAIQ, custom) take less than a business day to return. A 30-minute call beforehand usually makes the written responses sharper.