Security & Compliance

Your CUI never touches our servers. We don’t have any.

GovConvert’s security model isn’t a promise about how carefully we’ll hold your data. It’s an architecture in which we never hold it at all.

Where your data lives

One diagram, the whole model. Everything sensitive sits inside the boundary you already control and already assess.

Your boundary · your Azure subscription

Your Azure tenant

  • GovConvert App Service + PostgreSQL + Key Vault
  • Your AI models (e.g. Azure OpenAI) — prompts stay in-tenant, in-memory only
  • Audit log → your Microsoft Sentinel

Your M365 GCC High

  • CUI lives here, in the SharePoint library you already secured — GovConvert links to it, never copies it out
  • Entra ID SSO — your MFA and Conditional Access apply

the only thing that ever crosses: license key · version number · random install ID

GovConvert (the vendor)

No credentials. No network path. No read access. Our publisher service can’t see your CUI, your documents, or your records — by construction, not by policy.

The controls, concretely

Deploys into your tenant

The full stack — App Service, PostgreSQL, Key Vault, Storage — provisions inside your own Azure subscription and resource group. Commercial, Azure Government, or alongside your M365 GCC High environment.

CUI is never stored in GovConvert

Sensitive documents stay in the M365 GCC High SharePoint library you already secured and assessed. GovConvert links to them; it does not copy them into its own database.

Tamper-evident audit trail

A SHA-256 hash-chain audit log is on by default — every record chained to the last, so silent edits are detectable — and it ships straight to Microsoft Sentinel, your SIEM.

Granular RBAC: 105 permissions

105 permissions across 9 categories, mapped role by role, so each person sees only what their job needs. Partner and guest roles keep outsiders scoped tight.

Your SSO, your Conditional Access

Sign-in is Microsoft 365 SSO. Your existing MFA, Conditional Access, and device policies apply automatically — GovConvert never becomes a side door around them.

Encryption, inherited from your cloud

Data is encrypted in transit and at rest by the Azure and M365 controls you already run — the same boundary your assessor already reviewed.

Updates you pull, never pushed

New versions announce themselves with a changelog. Your admin applies them in a maintenance window, with a verified signature and an automatic database backup first.

CMMC documentation built in

The deployment ships with copy-ready CMMC documentation for the system itself — the paragraphs your SSP needs about how GovConvert is architected, ready to adapt.

What GovConvert does for your CMMC Level 2 path — and what it can’t

No software makes you CMMC compliant, and you should be suspicious of any vendor who says otherwise. Compliance belongs to your organization. Here’s the honest split.

How the architecture helps

Most tools add an external service to your assessment scope. GovConvert doesn’t — it runs inside the boundary you already assess, which is the biggest favor a tool can do you.

  • Access Control (AC): RBAC with 105 permissions, M365 SSO, partner/guest scoping
  • Audit & Accountability (AU): Hash-chain audit log on by default, shipped to Sentinel
  • Identification & Authentication (IA): Your Entra ID, MFA, and Conditional Access — no separate credential store
  • System & Communications Protection (SC): In-tenant deployment; CUI never transits or rests outside your boundary

What stays yours

The parts no vendor can sell you — and anyone who claims otherwise is writing checks your assessor will bounce.

  • Physical protection, personnel security, and awareness training
  • Your organizational policies and procedures
  • The rest of your environment — endpoints, network, M365 configuration
  • The assessment itself: your assessor, your evidence, your scope

CMMC Phase 2 becomes mandatory in new DoD solicitations on November 10, 2026

That’s your deadline, not our sales tactic. Keeping CUI inside your existing boundary — instead of spreading it across another vendor’s cloud — is one of the few moves that makes the assessment smaller instead of bigger.

Full transparency: what does leave

From your deployment to us

Exactly three things: your license key, your version number, and a random install ID — enough to validate your subscription and offer you updates. Never CUI, never documents, never records.

Subprocessors

Stripe processes billing — your billing contact and payment method, nothing from your tenant. Microsoft is your own cloud provider, under your own agreements, not ours. The marketing site you’re reading uses Calendly (demo booking) and Google Analytics (with consent); neither touches the product.

Building your SSP?

We’ll send you a security overview of the GovConvert deployment written for inclusion in your System Security Plan — architecture, data flows, and the shared-responsibility split, in assessor-friendly language.

Request the security overview

Bring your security team to the demo

Seriously — bring them. The architecture conversation is the one we most like having, and it’s 30 minutes on your data, not a slide deck.