TRUST
Findable does not collect or centralize your data on a vendor-controlled SaaS backend. The platform deploys into your Azure tenant and reads from your existing SharePoint, OneDrive, and Microsoft 365 surfaces. That means your organization’s existing certifications, conditional access policies, data residency selections, audit logging, and DLP controls already apply to the documents Findable retrieves and grounds responses on.
This deployment model is intentional. It moves the compliance perimeter to where customers already have evidence, controls, and auditors. Files that users create in Findable are stored in their own personal OneDrive — so that content inherits Microsoft Purview governance too: sensitivity labels, DLP, retention, and eDiscovery, with nothing living in a Findable-controlled store.
By keeping content in SharePoint and OneDrive and identity in Entra ID, Findable customers can rely on Microsoft’s broad certification posture and native compliance tooling, including:
Findable respects the access decisions made in those systems. If a user can’t open a file in SharePoint, Findable cannot surface it to them in a chat or recommendation.
In parallel, Findable is building out a formal compliance program for the application itself:
The application is built against a documented internal control baseline that covers encryption in transit and at rest, least-privilege service identities, centralized audit logging, dependency and secret scanning, and regular code review. For a deeper look at the architecture and identity model, see the security page.
Findable engages independent third parties for application penetration testing and runs continuous automated dependency and container scanning. Critical findings are tracked to closure under documented SLAs.
Because Findable deploys onto your own Microsoft 365 and Azure stack and runs inside your tenant, no Findable-controlled subprocessor touches your data. Data only leaves your tenant when your admin explicitly enables an LLM provider or connector — those third parties are listed in your settings, and you control them. A list of the corporate tools Findable uses for its own operations is available on request under NDA.
Customers and prospects can request the current Findable security overview, subprocessor list, draft SOC 2 readiness summary, and a BAA template by emailing trust@findable.net. Mature artifacts will be published in a self-serve trust center as audits complete.