Last Published February 4, 2019

Privacy Policy

You are trusting us with your data and information when you use our cloud services. This is a big responsibility, and we work hard to protect the information and data we collect. This privacy policy should answer any questions you may have around how we process and handle your information and data.

Information that RecordPoint collects

The Records365 cloud service that RecordPoint operates offers records management capabilities across a variety of content repositories such as SharePoint Online, OneDrive for Business, Box and others.

Through Records365, RecordPoint collects two types of data; metadata and binary content.

What is metadata?

Metadata is information about information. It is the additional information that is captured on-top of the actual documents & files that reside in the content repositories that we manage. Examples of this are things like the title, author, created & last modification dates and times of the content. Often content repositories allow users and administrators to define additional pieces of metadata that should be captured with different types of content. Examples of this are capturing the monetary value of a contract document or capturing the date that an HR file is closed. This enriches the content repository and typically allows users to search and browse using the additional pieces of metadata.

What is binary content?

Binary content is the actual documents and files that live in the content repositories that we manage. Examples of this are Word documents, Excel spreadsheets, images and any other content that you put into your content repositories.

As a result, RecordPoint collects a broad spectrum of data depending on what is kept in the metadata of your content and the actual content itself. Some examples are:

  • Financial documents.
  • Policy & procedure documents.
  • Client & employee contracts.
  • Human resource documents and files.
  • Client information.

In addition, RecordPoint collects summary information about how you are using our cloud service. This summary information may include:

  • Storage consumed on our backend systems.
  • The Number of records under management.
  • The Number of items configured in your file plan.
  • The Number of rules configured in our rules engine.
  • Login frequency of end-users accessing our portal.

Why RecordPoint collects data

RecordPoint collects data solely for the purposes of providing our records management service to our clients. This means that the metadata and binary content collected is stored for the sole purpose of ensuring that you are compliant with records keeping standards and regulations that apply to you. As an example, a user deletes content, such as a Word document, out of a content repository that is being managed by Records365. The metadata of that document and the document itself is retained within Records365 according to the retention schedules and policies that apply to your business.

Summary information, such as storage consumption and record counts, are collected for operating and continually improving the service we provide to you. These metrics help us in the following ways:

  • Maintain & improve our services to ensure that our cloud service is ready to grow with your business.
  • Measure performance of our service to ensure you are getting the best experience possible.
  • Develop new services to improve your everyday experience and interactions with our cloud service.

Sharing your information

We do not share your data and information with companies, organizations or individuals outside of RecordPoint, except for the following cases:

  • For Service Improvements – we may provide access to your data to our trusted business partners, based on our instructions and in compliance with our internal security policies and procedures. It is important to note that your data never leaves our production environments in this case.

Keeping your information secure

RecordPoint’s Records365 cloud service is built and operated with security in mind. RecordPoint has several technical and organizational controls and measures in place to protect and secure the information and data that we collect. We work hard to protect you and RecordPoint from unauthorized access, alteration, disclosure or destruction of information we hold.

Microsoft Azure provides the cloud compute platform on which Records365 operates. It is compliant with several widely accepted security and privacy standards, such as ISO27001 and SOC 2. As a result, Azure provides a secure foundation which RecordPoint leverages to deliver Records365. You can find out more about Microsoft Azure security certifications and compliance by visiting the Azure Trust Center.

RecordPoint also holds a SOC 2 Type 2 attestation report. We are committed to renewing this attestation on an annual basis with an independent auditor. SOC 2 provides a standard set of criteria and trust principles that govern how cloud service providers like RecordPoint should handle your information and data. Specifically, our attestation report covers the following three trust principles:

  • Security: The system is protected against unauthorized access.
  • Availability: The system is available for operation and use as committed or agreed.
  • Confidentiality: Information designated as confidential is protected as committed and agreed.

Here are some of the key things that we do at an organizational & technical level.

Organizational Controls

  • Our employees are subject to background & reference checks
  • All our personnel undergo security awareness training as part of the onboarding process and annually thereafter.
  • We have developed and adhere to formal security policies and procedures that are distributed to our employees when they join RecordPoint. We also ask our employees to reaffirm their understanding of these policies and procedures on an annual basis.
  • We have developed and adhere to formal incident response policies which cover topics like how to handle security and data breaches.
  • Changes made to production environments are reviewed by a change control board which assesses and approves changes. This ensures that all changes we make are sound from a risk, quality and security perspective.

Technical Controls

  • We only grant access to production environments to a small subset of authorized personnel that operate and maintain our cloud service.
  • Data moving to and from our production systems is encrypted whilst in transit.
  • Data at rest is encrypted (paid option).
  • We perform regular external vulnerability scans to ensure that we are not susceptible to malicious attacks or exploits.
  • We perform penetration testing (through a 3rd party auditor) on an annual basis to ensure that the services we provide are secure.
  • We review perimeter security, such as firewalls, on a regular basis to ensure that our environments remain locked down.
  • We employ intrusion detection and prevention systems that alert us if there is unusual activity in our production environments.
  • When accessing production environments, our employees are required to authenticate via encrypted logical access points.
  • We review production environments on a regular basis to ensure only authorized RecordPoint personnel have access to operate and maintain our services.

All the above controls are audited by a 3rd party as part of our annual SOC 2 Type 2 audit. The results of this audit can be made available upon request by contacting trust@recordpoint.com.

Exporting & deleting your information

RecordPoint offers limited capability when it comes to exporting and deleting the metadata and binary content that we have collected from the content repositories that we manage. The following options are available to export and delete metadata and associated binary content.

Erasing Information

You can purge binary content in your Records365 service by performing a disposal of records. This purges all binary content associated with the records being disposed. We only allow you to dispose records once they are due for disposal based on the disposition instructions that have been applied.

For example, if an end-user creates a document in a content repository that Records365 manages, then the following occurs:

  • Records365 captures a record of the document containing things like author and title.
  • Records365 captures the actual document itself – the “binary content”.
  • A category and retention schedule will be applied to the record. For example, the document could be a “Major Contract” and must, therefore, be kept for 7 years.

Once the 7 years have elapsed the record can be disposed, purging the associated binary content from our service.

Please note, the metadata cannot be deleted as it represents the certificate of destruction that RecordPoint keeps for your compliance purposes.

Exporting Information

You can export and transfer data that Records365 has collected from your content repositories. This allows you to copy the metadata and binary content captured to a storage location that you control.


If you have any questions or queries regarding exporting and deleting data by Records365, then please contact trust@recordpoint.com.