Security Certifications and Compliance
Q: Do you have any formal compliance attestations such as SOC 2 Type II, ISO 27001, HIPAA, or FedRAMP?
No, we do not currently hold any formal compliance certifications or attestations such as SOC 2 Type II, ISO 27001, HIPAA, or FedRAMP. However, we strictly adhere to Microsoft’s rigorous security and compliance requirements. As a company with small teams, our operations are closely managed and overseen directly by our leadership. This direct involvement ensures strong oversight and agile decision-making regarding security and compliance. At our current scale, we believe that formal certifications would not significantly enhance our security posture beyond the robust practices we already follow in alignment with Microsoft’s standards.
Encryption Key Management
Q: Does your platform support customer-managed encryption keys (e.g., BYOK) via Azure Key Vault?
No, customer-managed encryption keys are not supported.
Data Retention and Deletion
Q: What is your standard data retention period for temporarily stored reminder content?
There is no fixed retention period for temporarily stored reminder content; the data is retained until the user deletes it.
Q: What happens to user settings and data after the license expires?
After the license expires, user settings are preserved for up to 6 months and then permanently deleted.
Q: Can customers request full data deletion, and are there any system-level backups beyond customer control?
Yes, customers can request full data deletion. System-level backups are performed automatically and are managed by Microsoft.
Security Logging and Monitoring
Q: Do you support security monitoring features such as failed login tracking?
Failed login tracking is not possible, as authentication is managed by Microsoft and is not visible to us.
Q: Is SIEM integration supported?
We do not currently support SIEM integration.
Q: Is audit logging for administrative actions available?
Audit logging is managed by the standard Azure system.
Cloud Infrastructure Security Controls
Q: Have you implemented internal security tools such as intrusion detection/prevention (IDS/IPS)?
Intrusion detection and prevention are handled by Microsoft; we do not implement any additional controls.
Q: Do you perform vulnerability scanning or penetration testing?
Vulnerability scanning is performed automatically by Microsoft.
Q: Can you provide supporting documentation for these controls?
Documentation is not available beyond what is provided by Microsoft.
Data Processing Agreement (DPA)
Q: Do you have a standard DPA available for enterprise customers?
No, a standard Data Processing Agreement is not available.
Location of Temporary Data
Q: Is temporarily stored email content restricted to a specific Azure region?
By default, temporarily stored email content is located in North America, but we can store some data in Europe if required by the customer’s tenant region.