TRUST

Compliance

Findable is built with the intention of being compliant. Formal audits are in progress; until then, customers inherit the strong baseline that comes with deploying inside their own Microsoft 365 tenant.

SOC 2 — In progressHIPAA — In progressISO 27001 — PlannedInherits M365 controls

Where Findable runs

Findable does not collect or centralize your data on a vendor-controlled SaaS backend. The platform deploys into your Azure tenant and reads from your existing SharePoint, OneDrive, and Microsoft 365 surfaces. That means your organization’s existing certifications, conditional access policies, data residency selections, audit logging, and DLP controls already apply to the documents Findable retrieves and grounds responses on.

This deployment model is intentional. It moves the compliance perimeter to where customers already have evidence, controls, and auditors. Files that users create in Findable are stored in their own personal OneDrive — so that content inherits Microsoft Purview governance too: sensitivity labels, DLP, retention, and eDiscovery, with nothing living in a Findable-controlled store.

What customers inherit from Microsoft 365

By keeping content in SharePoint and OneDrive and identity in Entra ID, Findable customers can rely on Microsoft’s broad certification posture and native compliance tooling, including:

  • SOC 1 / SOC 2 / SOC 3, ISO 27001 / 27017 / 27018, and HIPAA attestations covering the underlying Microsoft 365 services.
  • Microsoft Purview for sensitivity labels, retention policies, data loss prevention, eDiscovery, and audit log search.
  • Entra ID conditional access, MFA, privileged identity management, and sign-in risk policies.
  • Customer Lockbox, Customer Key, and tenant-level data residency selections.

Findable respects the access decisions made in those systems. If a user can’t open a file in SharePoint, Findable cannot surface it to them in a chat or recommendation.

Findable’s own program

In parallel, Findable is building out a formal compliance program for the application itself:

  • SOC 2 Type II — control framework selected, evidence collection in progress, target window with an AICPA-accredited auditor scheduled.
  • HIPAA — administrative, physical, and technical safeguards mapped. Business Associate Agreements (BAAs) available for qualifying customers; please contact us before processing PHI.
  • ISO 27001 — planned once SOC 2 Type II is established.
  • GDPR / CCPA — Findable processes minimal personal data and supports data subject requests through your tenant’s existing tools.

Security baseline

The application is built against a documented internal control baseline that covers encryption in transit and at rest, least-privilege service identities, centralized audit logging, dependency and secret scanning, and regular code review. For a deeper look at the architecture and identity model, see the security page.

Penetration testing and vulnerability management

Findable engages independent third parties for application penetration testing and runs continuous automated dependency and container scanning. Critical findings are tracked to closure under documented SLAs.

Subprocessors

Because Findable deploys onto your own Microsoft 365 and Azure stack and runs inside your tenant, no Findable-controlled subprocessor touches your data. Data only leaves your tenant when your admin explicitly enables an LLM provider or connector — those third parties are listed in your settings, and you control them. A list of the corporate tools Findable uses for its own operations is available on request under NDA.

Requesting documentation

Customers and prospects can request the current Findable security overview, subprocessor list, draft SOC 2 readiness summary, and a BAA template by emailing trust@findable.net. Mature artifacts will be published in a self-serve trust center as audits complete.

Status as of June 16, 2026. This page describes current intent and program status. It is not a representation that any specific certification has been achieved. Contractual commitments are governed by your agreement with Findable.