Security & data sovereignty
The most important security control in AccessPoint isn't something we do — it's where it runs.
Your tenant. Your data. We never touch it.
AccessPoint installs entirely inside your own Microsoft 365 and Azure tenant. Every request, document, assessment, incident, and audit record lives in your environment and never leaves it. The publisher has no runtime access to your data — there is no vendor cloud to breach, and no cross-border transfer to manage. You own and control the environment it runs in, including the Azure resources — billed to you directly by Microsoft (typically around $175/month), with no vendor markup.
Security posture
AccessPoint is built on the identity, encryption, and access controls your organization already runs — and hardened by default.
Microsoft Entra ID authentication
No new passwords or app-specific accounts. Users sign in with your existing Microsoft Entra ID; your MFA and Conditional Access policies apply in full.
Role-based access & a PII firewall
Server-side role-based access control, plus a PII filter that walls custodians and contributors off from requestor and data-subject identity.
Hash-chained audit ledger
Every action across every module is written to an append-only, hash-chained ledger with integrity verification, exportable as court-ready evidence.
Hardened by default
TLS 1.3, Entra-only database authentication, and FTPS and basic authentication disabled on the Azure backend from the first deployment.
Verified deploy artifacts
The deployment script verifies the published SHA-256 of every artifact and aborts on a mismatch — an integrity check on the supply chain, in your control.
Governed by your own security tools
Because AccessPoint runs in your tenant, Microsoft Defender for Cloud, Sentinel, and Purview monitor, audit, and govern it like any other workload — no separate security tooling to buy or bolt on.
Aligned to the standards your program answers to
AccessPoint's architecture maps to the frameworks public-sector access and privacy offices are measured against. The full technical detail is in the architecture documentation and the government security controls guide.
ITSG-33
Security control mapping for Government of Canada IT systems.
GC Cloud Guardrails
Canadian data residency and cloud-security guardrails, deployed in your own subscription.
GDPR Article 30
Records of Processing (ROPA) built into the platform for EU obligations.
ISO 31000
The privacy risk register follows the ISO 31000 risk-management approach.
Backed by Microsoft
AccessPoint is published by a Microsoft Partner and reviewed and tested by Microsoft before listing on the Microsoft commercial marketplace. You buy and pay for it through your existing Microsoft billing relationship — no new vendor to onboard, and no separate procurement cycle.
What about SOC 2 or ISO 27001?
Those certifications attest to how a vendor protects data it holds in its own cloud. AccessPoint holds none of your data — it runs in your tenant, and we have no access. That assurance is one your own Microsoft 365 and Azure environment already gives you directly, so a vendor-hosting certification simply doesn't apply here.
Evaluate it in your own tenant
The surest security review is your own. Deploy AccessPoint into your environment and see exactly where everything runs.
Start Free Trial