Boxcurve Unity: Compliance Support
Purpose and scope
This document describes the capabilities of the Boxcurve Unity application that can help your organisation meet its own compliance obligations, and indicates, conservatively, which controls of common frameworks those capabilities can support. It is intended for your compliance officers and internal auditors.
Privacy at a glance
Boxcurve Unity runs entirely inside your own Microsoft 365 tenant, and Boxcurve receives no business or personal data. The only information Boxcurve receives is install and licensing metadata: your tenant identifier (when you install from the marketplace), your environment identifier, and a licence summary (from the application's licensing check). Your projects, tasks, stakeholders, comments and accountability-map data never leave your tenant.
Two points are essential before you read the mappings below:
- Boxcurve Unity is an application your organisation operates inside its own Microsoft 365 tenant. It is not itself a certified service, and this document does not assert that Boxcurve Unity is certified against any framework. The capabilities described here are tools you can use as part of your own compliance programme.
- Responsibility is shared. Boxcurve Unity provides certain technical capabilities. Your organisation remains responsible for configuring them, operating them, defining your policies, and producing and retaining the evidence your auditors require. A responsibility split is stated for every capability and summarised at the end.
Framework requirement wording is not reproduced here. Where a mapping is asserted, only the control identifier is referenced. You should confirm each mapping against the current text of the relevant standard with your own assessor.
Capabilities not evidenced in the application are deliberately omitted rather than implied.
Capabilities provided by Boxcurve Unity
1. Role-based access within the application
Boxcurve Unity ships with a defined set of application roles (Administrator, Operations Manager, Project Manager, Team Manager and User) and grants a different level of access to each. This lets you align a person's access to their job function and supports separation of duties within the application.
What the application provides: distinct application roles with differentiated permissions, applied to the records the application manages.
What you are responsible for: deciding which individuals receive which role, reviewing those assignments periodically, and removing access when it is no longer required. Assignment and removal of roles is performed by your administrators from within the application's settings.
Platform boundary
User sign-in, multi-factor authentication, and directory-level group membership are handled by Microsoft Entra ID and Power Platform, not by Boxcurve Unity. For identity and access administration at the platform level, see Microsoft's documentation: https://learn.microsoft.com/power-platform/admin/wp-security
2. Automatic change history for tasks
When a task record is created, modified, or deleted, Boxcurve Unity automatically records a change-history entry. Each entry captures who made the change (display name and email), when it was made, and the source of the change. A change-history view inside the application lets authorised users see the recorded changes, including the type and level of each change and the person responsible.
What the application provides: automatic, system-generated change records for task data, viewable within the application.
What you are responsible for: defining how long this history must be retained, reviewing it, and exporting or archiving it where your retention or evidence requirements exceed what is held in the live application.
3. Error logging
The application records operational errors to a dedicated error log, capturing details such as the error message, the module and component involved, the environment, and the user associated with the event. This supports operational monitoring and the investigation of issues.
What the application provides: structured recording of application errors.
What you are responsible for: monitoring the error log, acting on its contents, and integrating it into your own incident and problem-management processes.
4. Task classification, risk scoring, and prioritisation
Tasks in Boxcurve Unity can carry a classification, a priority, and a risk indicator. The risk indicator uses a fixed set of values (5, 10, 15, 20, and 25). This allows work to be categorised and ranked by risk and priority within the application.
What the application provides: fields to classify, prioritise, and assign a risk value to each task, and to record a separate risk score.
What you are responsible for: defining what each classification and risk value means in your context, applying them consistently, and acting on them. The application does not interpret these values for you.
5. Accountability mapping for clear ownership
Boxcurve Unity is built around the accountability map. Tasks are mapped to people and roles, in whichever responsibility format your organisation uses, such as RACI, RASCI, RATSI, DACI, DCI or MOCHA, so that accountability for each item of work is explicit and recorded, across both your projects and your operations. This supports demonstrating clear ownership and accountability for activities.
What the application provides: the ability to assign and record responsibility and accountability for tasks against people and roles.
What you are responsible for: ensuring the assignments reflect your actual organisational responsibilities and keeping them current.
6. Approval and escalation tracking on the accountability map
The accountability map can record approval-related information, including whether an item is approved, who approved it, the approval date, escalation details, and removal-request and removal-approval details.
What the application provides: data fields to record approval, escalation, and removal-approval information against accountability-map items.
What you are responsible for: defining and operating the approval and escalation process itself, and ensuring the recorded information is complete and accurate.
Note
The application provides fields to record this approval and escalation information. The wider business process around them (who must approve, and in what order) is defined and operated by your organisation.
7. Comments and contextual record
Comments can be recorded against tasks, capturing the comment text and the identity of the person at the time the comment was made. This provides a contextual record alongside the formal change history.
What the application provides: the ability to attach comments to tasks with attributed authorship.
What you are responsible for: any review or moderation of comment content and its retention.
8. Task packs, documentation links, and scheduling
Tasks can be grouped into task packs and can carry a documentation link, a frequency, a schedule, and references to process documentation. Tasks can also reference a jurisdiction together with the relevant authority and source links held against that jurisdiction.
What the application provides: structures to organise recurring and scheduled work, link tasks to supporting documentation, and associate tasks with a jurisdiction and its authority references.
What you are responsible for: the accuracy and currency of the task-pack content, the linked documentation, and any jurisdiction references; Boxcurve Unity does not maintain regulatory content on your behalf.
9. Managed change and release control for the application itself
Updates to the Boxcurve Unity application are delivered through a controlled application lifecycle. Changes move through development, build, test, user-acceptance, and production stages, and the user-acceptance and production stages require manual approval before a release proceeds. The production application is delivered as a locked (managed) package that can only be changed by deploying a new approved version.
What the application provides: a controlled, gated release process for changes to the application, with approval required before user-acceptance and production deployment.
What you are responsible for: any of your own change-management approvals and records you require around adopting a new version, and retaining the evidence of those approvals.
Indicative framework support
The mappings below are conservative. Each entry references control identifiers only and is asserted only where a capability described above genuinely supports it. Confirm each against the current standard with your assessor. A mapping does not mean Boxcurve Unity satisfies the control on its own; in every case your configuration, operation, and evidence are required.
ISO/IEC 27001:2022 (Annex A)
| Capability | Indicative control reference | Nature of support |
|---|---|---|
| Role-based access within the application (1) | A.5.15, A.5.18 | Supports access control and access-rights management at the application level. Identity, authentication, and directory controls are provided by the underlying Microsoft platforms, not by Boxcurve Unity. |
| Automatic change history (2) | A.8.15 | Provides application-level activity records (who/what/when) for task data. |
| Error logging (3) | A.8.15, A.8.16 | Supports logging and monitoring of application errors. |
| Managed change and release control (9) | A.8.32 | Supports controlled change management for the application, with approval gates. |
| Approval and escalation tracking (6) | A.5.4 | Records management direction/approval against accountability-map items where you operate the process. |
Compliance and certifications, a three-layer responsibility model
This section is for vendor-security reviewers and compliance assessors. It sets out, standard by standard, how compliance responsibility is shared across three layers, and states Boxcurve's own attestation position plainly and conservatively.
Boxcurve Unity runs only as native Microsoft Power Platform configuration inside your tenant: Power Apps, Power Automate cloud flows, and Dataverse tables, columns, security roles and option sets. The application introduces no custom code into your tenant. Specifically, it contains no custom-control (PCF) components, no plug-in or custom .NET assemblies, no custom workflow activities, and no JavaScript or HTML web resources. This is the foundation of the compliance argument below: because the application adds no custom executable surface, it inherits the security boundary, controls and certifications of the underlying Microsoft platform rather than introducing its own.
Compliance for any standard is therefore best read across three layers:
- Microsoft platform, inherited foundation. Microsoft operates and certifies the underlying cloud services (Power Platform, Dataverse and the Microsoft 365 services Boxcurve Unity connects to). You verify the current scope of Microsoft's certifications and obtain its audit reports yourself, because that scope changes over time. Two Microsoft sources are authoritative:
  - Microsoft Service Trust Portal, certificates, audit reports (for example ISO/IEC and SOC reports) and other compliance documentation: https://servicetrust.microsoft.com
  - Microsoft Purview Compliance Manager, pre-built control mappings and assessment templates for many standards: https://learn.microsoft.com/purview/compliance-manager
  This document does not restate how Microsoft's platform controls work; consult those sources for current, authoritative evidence.
- Boxcurve application, Boxcurve's own responsibility. How the application is designed, built, configured and released on the platform. Boxcurve's attestation position is stated honestly:
  - Boxcurve maintains an ISO/IEC 27001 information-security management system that is in progress: it is being established and is not yet independently certified.
  - Boxcurve maintains documented secure-development records and operates the no-custom-code posture described above, delivering the application through a gated, approval-controlled release process.
  - Boxcurve has not yet obtained an independent penetration-test attestation for the application, and has not yet completed a formal OWASP ASVS assessment.
  - Boxcurve does not hold its own ISO, SOC, penetration-test or ASVS certificate. Where a certification exists, it is Microsoft's certification of the underlying platform, not Boxcurve's, and must not be presented as Boxcurve's.
- Customer configuration, your responsibility. The controls that complete the picture sit in your tenant and are yours to configure and operate, including data-loss-prevention (DLP) policies, Conditional Access, Microsoft Purview sensitivity labels, and your wider Power Platform governance. These are platform capabilities; configure them per Microsoft's guidance: https://learn.microsoft.com/power-platform/admin/wp-security
Reading the tables below
"Inherited from Microsoft" denotes a control Microsoft operates and certifies at the platform level; verify its current scope on the Service Trust Portal. "Boxcurve" denotes a control Boxcurve is responsible for at the application level; Boxcurve's attestation status is stated honestly and is in progress. "Customer" denotes a control you configure and operate in your tenant. A management-system certification (governance, such as ISO/IEC 27001) is distinct from a technical control assurance (such as a penetration test or an OWASP ASVS assessment); the two are not interchangeable.
ISO/IEC 27001 and the cloud and privacy extensions (27017, 27018, 27701)
ISO/IEC 27001 certifies an information-security management system (governance). ISO/IEC 27017 adds cloud-specific controls, ISO/IEC 27018 addresses the protection of personally identifiable information (PII) in public clouds, and ISO/IEC 27701 extends the management system to privacy information management.
| Layer | Position |
|---|---|
| Microsoft platform (inherited) | Microsoft holds ISO/IEC 27001, 27017, 27018 and 27701 certifications covering the relevant cloud services. Obtain the current certificates and statements of applicability from the Service Trust Portal and confirm they cover the services in your region and plan; scope changes over time. |
| Boxcurve application | Boxcurve's own ISO/IEC 27001 ISMS is in progress and not yet independently certified. Boxcurve maintains documented secure-development records and the no-custom-code posture. For privacy (27018/27701), the application is designed so that no business or personal data leaves your tenant and Boxcurve receives no such data; Boxcurve does not hold its own 27018/27701 certificate. |
| Customer configuration | You operate your own ISMS/PIMS scope for your use of the application, classify and label data (for example with Purview sensitivity labels), set DLP and Conditional Access, and define retention. The application is a tool within your management system, not a substitute for it. |
Note
Do not read Microsoft's ISO/IEC certificates as covering Boxcurve. They certify the platform. Boxcurve's own ISMS certification is in progress.
NIST Cybersecurity Framework (CSF) 2.0 and NIST SP 800-53
The mapping below is conservative and organised by the six CSF 2.0 functions. NIST SP 800-53 control families are referenced only where a capability genuinely supports them. References are to identifiers only; confirm wording against the current publications with your assessor.
| CSF 2.0 function | Inherited from Microsoft (platform) | Boxcurve (application) | Customer (tenant) | Indicative 800-53 families |
|---|---|---|---|---|
| Govern (GV) | Platform compliance programme and certifications (verify on Service Trust Portal). | Gated, approval-controlled release process; no-custom-code posture; ISMS in progress. | Your governance, policies, role-assignment decisions and Power Platform governance. | PM, PL |
| Identify (ID) | Platform asset and configuration management. | Application roles, accountability mapping and task classification/risk fields that help you record ownership and risk. | Maintaining accurate assignments; defining what classifications and risk values mean. | RA, CM, PM |
| Protect (PR) | Identity, authentication, encryption and access enforcement provided by Microsoft Entra ID and Power Platform. | Defined application roles with differentiated permissions; no custom executable surface added. | Assigning/reviewing/revoking roles; MFA, Conditional Access, DLP, sensitivity labels. | AC, IA, SC |
| Detect (DE) | Platform-level monitoring and audit capabilities. | Automatic change history (who/what/when) for task data and structured application error logging. | Monitoring logs, reviewing change history, integrating into your detection processes. | AU, SI |
| Respond (RS) | Microsoft's operational incident handling for the platform. | Error log as a source of operational data; change history as investigation evidence. Breach notification is addressed in the Incident Handling and Escalation document. | Your incident-response process and decisions. | IR, AU |
| Recover (RC) | Microsoft's platform resilience and backup of the underlying service. | Project backup and restore-from-backup capabilities within the application for your project data. | Your recovery procedures, testing and retention decisions. | CP |
Note
Identity, authentication, MFA, Conditional Access and encryption are provided by Microsoft Entra ID and Power Platform, not by Boxcurve Unity. See Microsoft's documentation: https://learn.microsoft.com/power-platform/admin/wp-security
OWASP Top 10 and OWASP ASVS (application surface)
These address the application's own surface. The decisive fact is the no-custom-code posture: the application contains no custom-control components, no plug-in or .NET assemblies, no custom workflow activities and no JavaScript or HTML web resources. The classes of vulnerability that the OWASP Top 10 and ASVS primarily target in custom application code (for example injection, custom authentication logic, and insecure custom deserialisation) are materially limited, because the application introduces no such custom code; it is composed of declarative Power Apps configuration, configured cloud flows, and Dataverse tables and roles that run within Microsoft's platform controls.
Honest position on testing:
- Boxcurve has not yet completed a formal OWASP ASVS assessment of the application.
- Boxcurve has no independent penetration-test attestation for the application at this time.
- Authentication, session management and transport security for the application are provided by the Microsoft platform (see the platform link above), not implemented as custom code in the application.
| Layer | Position |
|---|---|
| Microsoft platform (inherited) | Platform-level protections for authentication, session, transport and data access; verify on the Service Trust Portal. |
| Boxcurve application | No custom executable surface added, which materially limits the app-layer attack surface. Formal ASVS testing and an independent penetration test are not yet performed; secure-development records are maintained. |
| Customer configuration | DLP, Conditional Access, sensitivity labels, and least-privilege role assignment in your tenant. |
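The no-custom-code posture stated in this section and in the three-layer model above is a claim your own reviewers can check against an exported solution rather than take on trust. The script below is an added example (not Boxcurve's code and not part of Boxcurve Unity) that inspects the customizations.xml inside a solution export for the component kinds the posture says are absent; the element and attribute names it looks for, the WebResourceType codes, and the sample XML are the author's assumptions and constructed data, to be confirmed against a real export.

```python
"""Check an exported Dataverse solution for custom-code components.

Added example, not Boxcurve's code. A solution export is a .zip holding
customizations.xml; this looks for PCF custom controls, plug-in assemblies
(and workflow-activity plug-in types inside them) and JavaScript/HTML web
resources. Element/attribute names and type codes are assumptions about the
export format. An empty result means none of these were found, nothing more.
"""
import xml.etree.ElementTree as ET
import zipfile

# Assumed WebResourceType codes: 1 = HTML page, 3 = JScript file.
CODE_WEB_RESOURCE_TYPES = {"1": "HTML", "3": "JavaScript"}


def find_custom_code(customizations_xml: str) -> dict:
    """Return custom-code components found, grouped by kind (empty lists if none)."""
    root = ET.fromstring(customizations_xml)
    found = {"custom_controls": [], "plugin_assemblies": [],
             "workflow_activities": [], "code_web_resources": []}
    # PCF / custom controls: <CustomControls><CustomControl><Name>...</Name>
    for cc in root.iter("CustomControl"):
        found["custom_controls"].append(cc.findtext("Name", default="(unnamed)"))
    # Plug-in assemblies: <SolutionPluginAssemblies><PluginAssembly FullName="...">
    for asm in root.iter("PluginAssembly"):
        found["plugin_assemblies"].append(asm.get("FullName", "(unnamed)"))
        # Custom workflow activities are plug-in types carrying a group name.
        for pt in asm.iter("PluginType"):
            if pt.get("WorkflowActivityGroupName"):
                found["workflow_activities"].append(pt.get("Name", "(unnamed)"))
    # Web resources: only script/HTML types count as code; images and CSS do not.
    for wr in root.iter("WebResource"):
        kind = CODE_WEB_RESOURCE_TYPES.get(wr.findtext("WebResourceType", default=""))
        if kind:
            found["code_web_resources"].append(f"{wr.findtext('Name')} ({kind})")
    return found


def is_no_custom_code(found: dict) -> bool:
    return not any(found.values())


def check_solution_zip(path: str) -> dict:
    """Run the check on the customizations.xml inside an exported solution .zip."""
    with zipfile.ZipFile(path) as zf:
        return find_custom_code(zf.read("customizations.xml").decode("utf-8"))


# Constructed samples (not real exports): declarative-only vs. custom code present.
CLEAN_XML = """<ImportExportXml>
  <Entities><Entity><Name>bc_task</Name></Entity></Entities>
  <Roles><Role name="Project Manager"/></Roles>
  <WebResources><WebResource><Name>bc_/logo.png</Name>
    <WebResourceType>5</WebResourceType></WebResource></WebResources>
</ImportExportXml>"""

CUSTOM_CODE_XML = """<ImportExportXml>
  <CustomControls><CustomControl><Name>bc_RiskGauge</Name></CustomControl></CustomControls>
  <SolutionPluginAssemblies><PluginAssembly FullName="Bc.Plugins, Version=1.0.0.0">
    <PluginTypes><PluginType Name="Bc.Plugins.TaskPreCreate"/>
      <PluginType Name="Bc.Plugins.EscalateActivity" WorkflowActivityGroupName="Bc"/>
    </PluginTypes></PluginAssembly></SolutionPluginAssemblies>
  <WebResources><WebResource><Name>bc_/form.js</Name>
    <WebResourceType>3</WebResourceType></WebResource></WebResources>
</ImportExportXml>"""

if __name__ == "__main__":
    for label, xml in (("clean", CLEAN_XML), ("custom code", CUSTOM_CODE_XML)):
        result = find_custom_code(xml)
        print(label, "->", "no custom code" if is_no_custom_code(result) else result)
```

Run `check_solution_zip("path/to/export.zip")` on a real export; a non-empty result is something to raise with the vendor before accepting the posture as evidence.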
Artificial-intelligence standards (Not Applicable)
Standards such as ISO/IEC 42001 (AI management systems), the NIST AI Risk Management Framework, and the OWASP Top 10 for Large Language Model Applications are Not Applicable to the Boxcurve Unity application, because the application uses no native platform artificial intelligence. Specifically:
- AI Builder is not enrolled or used by the application.
- Copilot controls within the application are disabled.
- No cloud flow or application logic invokes any predictive, large-language-model, or Copilot action.
For clarity, and to avoid any confusion: the application does include a feature that lets you maintain a register of AI agents, that is, records your organisation keeps about its own or third-party AI agents as stakeholders within the accountability map. This is a governance register you populate and operate; it does not mean the application itself calls, hosts or runs any AI service. The AI standards above therefore remain Not Applicable to the application's own behaviour, while this register can support your own AI-governance recordkeeping.
Note on "ISO" and "IEC"
The standards above are joint ISO/IEC publications, so the prefixes "ISO" and "IEC" here largely denote the same documents (for example ISO/IEC 27001 and ISO/IEC 42001).
Known gaps and limitations to be aware of
- Boxcurve Unity is not a certified service. Nothing in this document should be read as a certification claim. The application is a tool used within your own tenant and your own programme.
- Boxcurve's own attestations are in progress. Boxcurve's ISO/IEC 27001 ISMS is being established and is not yet independently certified, and Boxcurve does not yet hold an independent penetration-test attestation or a completed OWASP ASVS assessment for the application. Any ISO/IEC or SOC certificate you obtain from the Microsoft Service Trust Portal certifies Microsoft's platform, not Boxcurve.
- Retention is your responsibility. The application records change history, comments, and error data, but does not, of itself, guarantee a retention period that meets your obligations. Define and enforce retention with your administrators, and export or archive where required.
- The application does not interpret risk, classification, or priority values. It records the values you enter; the meaning, thresholds, and resulting action are defined and operated by you.
- Approval and escalation are recorded, not enforced end to end by the application. The application provides fields to capture approval and escalation information; the surrounding business process is defined and operated by your organisation.
- Regulatory and jurisdiction content is not maintained for you. Where tasks reference a jurisdiction, authority, or documentation link, the accuracy and currency of that content is your responsibility.
- Platform-level controls are out of scope for this application. Identity, authentication, MFA, Conditional Access, data-loss prevention, encryption, and tenant administration are provided and governed by Microsoft Entra ID and Power Platform. See Microsoft's documentation: https://learn.microsoft.com/power-platform/admin/wp-security
Responsibility split, summary
| Area | Boxcurve Unity provides | Your organisation is responsible for |
|---|---|---|
| Application access | Defined application roles with differentiated permissions | Assigning, reviewing, and revoking roles; platform identity and MFA |
| Activity records | Automatic change history (who/what/when) and comments | Retention period, review, export/archive |
| Operational logging | Structured error log | Monitoring and acting on the log; incident/problem process |
| Accountability | Accountability-map structures (RACI, RASCI, RATSI, DACI, DCI and MOCHA) | Keeping assignments accurate and current |
| Risk & classification | Fields for classification, priority, and risk values | Defining their meaning, applying them, acting on them |
| Approval & escalation | Fields to record approval, escalation, removal approval | Defining and operating the approval/escalation process |
| Change management | Gated, approved release process for the application | Your own adoption approvals and evidence retention |
| Compliance evidence | Records described above, viewable/exportable | Producing, retaining, and presenting evidence to auditors |
| Platform certifications | Inherited from Microsoft (verify on the Service Trust Portal) | Verifying current Microsoft certification scope; configuring your tenant controls |