Trust & data handling

We never hold your data. Here is what that means, precisely.

“We take security seriously” is a sentence. This page is the specifics: what we collect, what we refuse to collect, and how you stay in control — written plainly enough to forward to your security team.

Evidence crosses. Data never does.

Every connection we make to your environment is built around one distinction: proof that a control ran is not the data the control protects. The proof — a status, a timestamp, a hash — is what we collect. The content underneath it stays where it lives.

  • We collect: control statuses, timestamps, configuration states, completion records, and integrity hashes.
  • We refuse: customer records, messages, files, personal information, credentials, and business content of any kind.
  • Access is read-only and scoped to the minimum each control check requires — revocable by you at any time.

Every copy of your data is a liability you fund.

When a compliance vendor ingests your data, three things grow at once: your breach surface, your vendor-due-diligence burden, and the list of places your customers’ information lives. The tool meant to prove you protect data becomes another place your data sits. Our design removes that trade entirely — scrutiny of us never becomes exposure of you.

surface

No second copy to breach.

Evidence records contain proof of operation, not content. A worst case for us never becomes a data breach for your customers.

diligence

A shorter vendor review.

Your security team evaluates a firm that holds statuses and hashes — not another processor of your customer data with a BAA and a sub-processor list to chase.

alignment

Incentives that point one way.

We sell proof, not data products. There is no version of our business that gets better by collecting more of what’s yours.

Governed to the frameworks that govern you.

We map controls and collect evidence against the frameworks under which our clients are scrutinized. Certification and attestation remain the independent work of auditors and certification bodies — our job is to make their question easy to answer.

  • SOC 2
  • ISO 27001
  • HIPAA
  • GDPR
  • EU AI Act
  • NIST AI RMF