Compliance infrastructure for firms that carry the risk.
Written for two readers: the principal who owns the liability, and the IT team who approves the vendor. Both get specifics here, not reassurance.
- Access model
- Read-only scope
- Source files
- Never written to
- Audit trail
- Append-only
- Security docs
- On request
01Who this is for
Two readers, one document trail
An enterprise rollout has to satisfy the office that owns the liability and the department that owns the security review. Nudgy is built to answer both without asking either to compromise.
For the principal
The one who carries the risk
Your seal is on every sheet and the liability does not delegate. Nudgy gives the office a consistent second pass on every revision — the same scrutiny on the last day of a deadline as on the first — so nothing reaches the field on the strength of an exhausted read.
- A cited punch list before every set is issued
- One severity standard across projects and reviewers
- A defensible record of what was checked, and when
For IT
The one who approves the vendor
No new identity platform, no password store, no agent on a workstation. Nudgy authenticates against your existing Microsoft 365 tenant with a single read-only Graph scope, retrieves only the files a project owner picks — and you can revoke access in a single action from your admin center.
- Microsoft 365 OAuth, read-only Graph scope
- Nothing installed, nothing to patch
- Per-organization isolation, enforced server-side
02Rollout
One deployment, every project
Scaling Nudgy across a portfolio doesn't multiply the integration work. The platform is deployed once; each project is added as configuration on top of it.
ISO-01
Per-project isolation
Each project carries its own spec index, its own documents, and its own audit history. A team sees its projects and nothing else — enforced on every query, server-side.
M365
One tenant, read-only
Microsoft 365 access is a single read-only Graph scope, and Nudgy retrieves only the files a project owner picks. It never writes, moves, renames, or deletes a file — there is no code path that does.
+1 PROJECT
Added as configuration
The next project is a spec to index and drawings to audit — not a new deployment, a data migration, or another procurement cycle.
03Institutional memory
The record outlasts the team
Project teams rotate; records remain. Every audit across every project is preserved append-only, so a question that surfaces two years later is answered on file rather than from memory.
REVISION
Which drawing revision was audited, by file and version.
SPEC VERSION
Which version of the spec it was checked against, addenda included.
FINDINGS
Every finding, with its severity and citation, written append-only.
WHO / WHEN
Who ran the audit and when — immutable after the fact.
Isolation enforced per organization and per project
Read-only access to your Microsoft 365 files
Append-only audit record per revision
Security documentation on request
04For your reviewers
Built for the security review
Documented to the depth reviewers ask for
The access model, document lifecycle, data isolation, and full subprocessor list are written out at the level of detail a vendor review actually requires — not a trust badge, the specifics. Our published security overview covers all of it; deeper artifacts — architecture diagrams, subprocessor DPAs, and completed security questionnaires — are available under NDA on request.
Read the security overviewOnboarding and support, stated plainly
Onboarding is a working session against one of your own specs, not a slide deck. Support comes from the people who built the engine and understand spec language. We would rather set accurate expectations here than impressive ones.

