Security & Compliance
Your CUI never touches our servers. We don’t have any.
GovConvert’s security model isn’t a promise about how carefully we’ll hold your data. It’s an architecture in which we never hold it at all.
Where your data lives
One diagram, the whole model. Everything sensitive sits inside the boundary you already control and already assess.
Your boundary · your Azure subscription
Your Azure tenant
- GovConvert App Service + PostgreSQL + Key Vault
- Your AI models (e.g. Azure OpenAI) — prompts stay in-tenant, in-memory only
- Audit log → your Microsoft Sentinel
Your M365 GCC High
- CUI lives here, in the SharePoint library you already secured — GovConvert links to it, never copies it out
- Entra ID SSO — your MFA and Conditional Access apply
the only thing that ever crosses: license key · version number · random install ID
GovConvert (the vendor)
No credentials. No network path. No read access. Our publisher service can’t see your CUI, your documents, or your records — by construction, not by policy.
The controls, concretely
Deploys into your tenant
The full stack — App Service, PostgreSQL, Key Vault, Storage — provisions inside your own Azure subscription and resource group. Commercial, Azure Government, or alongside your M365 GCC High environment.
CUI is never stored in GovConvert
Sensitive documents stay in the M365 GCC High SharePoint library you already secured and assessed. GovConvert links to them; it does not copy them into its own database.
Tamper-evident audit trail
A SHA-256 hash-chain audit log is on by default — every record chained to the last, so silent edits are detectable — and it ships straight to Microsoft Sentinel, your SIEM.
Granular RBAC: 105 permissions
105 permissions across 9 categories, mapped role by role, so each person sees only what their job needs. Partner and guest roles keep outsiders scoped tight.
Your SSO, your Conditional Access
Sign-in is Microsoft 365 SSO. Your existing MFA, Conditional Access, and device policies apply automatically — GovConvert never becomes a side door around them.
Encryption, inherited from your cloud
Data is encrypted in transit and at rest by the Azure and M365 controls you already run — the same boundary your assessor already reviewed.
Updates you pull, never pushed
New versions announce themselves with a changelog. Your admin applies them in a maintenance window, with a verified signature and an automatic database backup first.
CMMC documentation built in
The deployment ships with copy-ready CMMC documentation for the system itself — the paragraphs your SSP needs about how GovConvert is architected, ready to adapt.
What GovConvert does for your CMMC Level 2 path — and what it can’t
No software makes you CMMC compliant, and you should be suspicious of any vendor who says otherwise. Compliance belongs to your organization. Here’s the honest split.
How the architecture helps
Most tools add an external service to your assessment scope. GovConvert doesn’t — it runs inside the boundary you already assess, which is the biggest favor a tool can do you.
- Access Control (AC): RBAC with 105 permissions, M365 SSO, partner/guest scoping
- Audit & Accountability (AU): Hash-chain audit log on by default, shipped to Sentinel
- Identification & Authentication (IA): Your Entra ID, MFA, and Conditional Access — no separate credential store
- System & Communications Protection (SC): In-tenant deployment; CUI never transits or rests outside your boundary
What stays yours
The parts no vendor can sell you — and anyone who claims otherwise is writing checks your assessor will bounce.
- Physical protection, personnel security, and awareness training
- Your organizational policies and procedures
- The rest of your environment — endpoints, network, M365 configuration
- The assessment itself: your assessor, your evidence, your scope
CMMC Phase 2 becomes mandatory in new DoD solicitations on November 10, 2026
That’s your deadline, not our sales tactic. Keeping CUI inside your existing boundary — instead of spreading it across another vendor’s cloud — is one of the few moves that makes the assessment smaller instead of bigger.
Full transparency: what does leave
From your deployment to us
Exactly three things: your license key, your version number, and a random install ID — enough to validate your subscription and offer you updates. Never CUI, never documents, never records.
Subprocessors
Stripe processes billing — your billing contact and payment method, nothing from your tenant. Microsoft is your own cloud provider, under your own agreements, not ours. The marketing site you’re reading uses Calendly (demo booking) and Google Analytics (with consent); neither touches the product.
Building your SSP?
We’ll send you a security overview of the GovConvert deployment written for inclusion in your System Security Plan — architecture, data flows, and the shared-responsibility split, in assessor-friendly language.
Request the security overviewBring your security team to the demo
Seriously — bring them. The architecture conversation is the one we most like having, and it’s 30 minutes on your data, not a slide deck.