Compliance Program
We invest in the standards that overlap with most other standards. SOC 2 covers the control environment. CSA STAR makes that posture publicly verifiable. HECVAT covers the higher-education-specific questions. From there, we map to whatever framework you have to file against. Reviewed 2026-05-06.
Frameworks at a glance
Where we have a current attestation, we say so. We do not claim certifications we do not hold. If your questionnaire references a framework not on this list, we will answer it from the SOC 2 evidence we already maintain.
| Framework | Standard | Status | Access |
|---|---|---|---|
| SOC 2 Type II | AICPA SSAE 18 / TSP section 100A | Examined annually since 2022 | Under Bonterms Mutual NDA |
| CSA STAR Level 1 | CAIQ Lite, subset of CCM v4.1 | Six services in the public registry | Public, no NDA |
| HECVAT Full | EDUCAUSE Higher Education Community Vendor Assessment Toolkit | Current version | Under Bonterms Mutual NDA |
CSA STAR Level 1
The Cloud Security Alliance Security, Trust, Assurance, and Risk (STAR) Registry is the public, no-NDA way to review our compliance posture. The Level 1 self-assessment is a CAIQ Lite questionnaire mapped to a subset of the CCM v4.1 control framework. It is the right place to start early-stage diligence.
View on cloudsecurityalliance.org
SOC 2 Type II
Examined annually by Hancock Askew & Co, LLP since 2022. The report covers Security, Availability, Confidentiality, and Processing Integrity. Available to customers and serious prospects under the Bonterms Mutual NDA, which we publish in advance so your legal team can review it before any conversation begins.
Request the SOC 2 report
HECVAT, for colleges and universities
The Higher Education Community Vendor Assessment Toolkit (HECVAT) is the standardized security questionnaire used by colleges and universities to evaluate cloud vendors. We maintain a current HECVAT Full and share it with higher-ed prospects under the same Bonterms Mutual NDA we use for SOC 2. If you need the HECVAT Lite or a specific section answered for a single product, tell us in the request and we will tailor what we send.
Per-product compliance pages
Each product publishes its own /compliance page with the CSA STAR registry entry, supported standards, and any product-specific evidence. Use these for product-scoped procurement reviews.
- AutoSPF: SPF flattening and management
- DMARC Report: DMARC RUA aggregation and reporting
- Phishing Protection: Inbound phishing and malware filtering
- Outbound SMTP: Transactional and bulk SMTP relay
- Tenant Migration: Microsoft 365 tenant-to-tenant migration
- Alumni Forwarding: Lifetime email forwarding for alumni programs
- Mail Flow Monitoring: Synthetic delivery probes and uptime
- NuReply: Cold email outreach service
- InboxIssue: Email deliverability testing
What we do not currently offer
We say what we are. We also say what we are not. If a regulatory regime requires a posture we do not hold, that is the most useful thing we can tell you up front.
- HIPAA Business Associate, not by default. If your use case requires a Business Associate Agreement, contact us before deployment.
- FedRAMP authorization, not held. We do not currently offer FedRAMP-authorized cloud services.
- PCI DSS Level 1 in mail bodies, not supported. Cardholder data must not be transmitted in mail bodies through services not specifically provisioned for that data class.
- ISO 27001 standalone certification, not held. SOC 2 covers an overlapping control set, and we will answer ISO-mapped questions in your security questionnaire from our existing evidence.
Need a framework we did not list?
Most security questionnaires map to controls we already document. Send us the form and we will return what we have.
Request documents