Security · Compliance · Trust
Built for regulated work.
Chrona Bio reads regulatory documents on behalf of the people responsible for filing them. The architecture below is how we make that trustworthy — what flows where, what stays put, and what's recorded.
02 — The trust contract
Four commitments that govern how Chrona operates.
-
01
Your documents stay in your tenant.
Chrona reads from your SharePoint via Microsoft Graph, read-only. No copies of your documents are stored on Chrona Bio infrastructure. Hashes and metadata only.
-
02
You bring your own LLM key (zero-retention).
Document excerpts pass to Anthropic or OpenAI under your own account and API key, using your account's zero-retention arrangement with the provider, so the provider does not store the text beyond the request. Document content is governed by your API terms with the provider, not ours. Zero retention is a property of your provider account, not something Chrona Bio can switch on for you, so confirm it is in place for the key you supply.
-
03
Humans decide. Chrona Bio records.
Chrona surfaces findings. A person dispositions every one of them — resolve, dismiss, or override. The model is never the decision-maker. The audit trail is the record of human judgment, not model output.
-
04
The audit trail is the architecture.
The audit log is not a feature bolted on. It's the substrate the readiness story is built from. Findings, dismissals, overrides, rationale, prompt versions, document hashes — all logged at the moment the action happens.
03 — Where your data lives
Three boundaries. Annotated.
Your documents live in your SharePoint. Chrona reads them via Microsoft Graph, in-tenant, read-only. No copy is stored outside your tenant; the only content that leaves it is the bounded excerpt sent to your LLM provider, described below.
On Chrona Bio infrastructure, only document hashes and metadata are stored — enough to identify a finding, locate the source paragraph, and reconstruct readiness state at a point in time. The document text itself stays in your tenant.
When the LLM is called, Chrona sends bounded excerpts (no more than 8K characters per call) to the model provider under your API key. Your account's zero-retention arrangement with that provider applies: the text is not used for training and is not stored beyond the lifetime of the request. Because that arrangement is part of your provider agreement rather than ours, check that it is enabled on the account whose key you give Chrona.
04 — Part 11 by design
The 21 CFR Part 11 posture is built in, not bolted on.
-
01
Append-only audit log.
Every finding, dismissal, override, and decision is recorded at creation. Entries are never edited or deleted; a correction is a new entry. The log grows; it does not change.
-
02
SHA-256 checksums.
Document hashes anchor every finding to the version of the document that produced it. State at any point in time is reconstructable.
-
03
Mandatory rationale on dismissals.
The server enforces a minimum rationale length on every dismissal or override, so a client cannot submit an empty or placeholder justification. The rationale is recorded together with the actor and the timestamp.
-
04
Prompt versioning.
The exact instruction sent to the model is versioned and stored with the finding it produced. The finding is reproducible at audit time.
-
05
Readiness snapshots with self-hashing PDF audit reports.
Snapshots tie a readiness state to the set of document hashes that produced it. When a PDF audit report is exported, the SHA-256 hash of the exported file is written to the audit trail, so a report presented later can be checked against the log to confirm it is the one that was generated and has not been altered since.
05 — The Word add-in
Chrona Pro runs in Word's sandbox. Read-only on your content.
Chrona Pro is an Office JS add-in. It runs in Word's sandbox, with the permissions Microsoft grants every add-in in that model.
It is read-only on your document content. The only thing it writes is a single section-ownership comment, and only on explicit user assignment.
Custom rules are defined as JSON and executed by a fixed, audited interpreter. No eval.
No outbound fetch. No arbitrary code execution. Document content never leaves Word.
{
  "id": "cover-letter-date-current",
  "scope": "M1.2",
  "check": "date_within_days",
  "args": { "max_age_days": 14 },
  "severity": "block"
}
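To make the "fixed interpreter, no eval" point concrete, here is an added example (not Chrona Pro's own interpreter) of how a rule in that shape is executed: the rule's check field can only select a function from a fixed registry, arguments are type-checked before use, lookups use own-property checks so names like "constructor" cannot reach inherited code, and nothing in the JSON can supply code or a regular expression. The required_phrase check, the argument validators, the section-context shape and the sample cover letter are assumptions for the illustration; only the date_within_days rule above comes from the page.

```javascript
// Added example, not Chrona Pro's interpreter. Assumed: the required_phrase
// check, the argument validators, the section-context shape, and sample data.

function hasOwn(obj, key) { return Object.prototype.hasOwnProperty.call(obj, key); }

// Argument validators: a rule may only pass plain values of the expected type.
function argInt(args, name) {
  const v = args[name];
  if (!Number.isInteger(v) || v < 0) throw new Error(`arg ${name} must be a non-negative integer`);
  return v;
}
function argStr(args, name) {
  const v = args[name];
  if (typeof v !== 'string' || v.length === 0 || v.length > 200) throw new Error(`arg ${name} must be a short string`);
  return v;
}

const ISO_DATE = /\b\d{4}-\d{2}-\d{2}\b/g;
const MS_PER_DAY = 86400000;

// The whole instruction set. A rule's "check" can only select one of these;
// there is no eval, no Function(), and no way for JSON to carry code.
const CHECKS = {
  // Passes when every ISO date in the section is at most max_age_days old.
  date_within_days(args, section, ctx) {
    const maxAge = argInt(args, 'max_age_days');
    const today = Date.parse(ctx.today);
    const dates = section.text.match(ISO_DATE) || [];
    if (dates.length === 0) return { passed: false, detail: 'no date found' };
    const stale = dates.filter(d => (today - Date.parse(d)) / MS_PER_DAY > maxAge);
    return { passed: stale.length === 0, detail: stale.length ? `stale: ${stale.join(', ')}` : 'ok' };
  },
  // Literal substring match only: a rule file cannot supply a regular expression.
  required_phrase(args, section) {
    const phrase = argStr(args, 'phrase');
    const passed = section.text.includes(phrase);
    return { passed, detail: passed ? 'ok' : `missing "${phrase}"` };
  },
};

const SEVERITIES = new Set(['block', 'warn']);

// Shape-check the rule before anything runs. hasOwn keeps inherited names
// such as "constructor" or "__proto__" from resolving to a check.
function validateRule(rule) {
  if (typeof rule.id !== 'string' || typeof rule.scope !== 'string') throw new Error('rule needs string id and scope');
  if (typeof rule.check !== 'string' || !hasOwn(CHECKS, rule.check)) throw new Error(`unknown check: ${rule.check}`);
  if (!SEVERITIES.has(rule.severity)) throw new Error(`unknown severity: ${rule.severity}`);
  const args = rule.args === undefined ? {} : rule.args;
  if (args === null || typeof args !== 'object' || Array.isArray(args)) throw new Error('args must be an object');
  return { ...rule, args };
}

// Fails closed: a scope that is not present in the document is a failed check, not a skipped one.
function runRule(rawRule, ctx) {
  const rule = validateRule(rawRule);
  const section = hasOwn(ctx.sections, rule.scope) ? ctx.sections[rule.scope] : undefined;
  if (!section) return { id: rule.id, severity: rule.severity, passed: false, detail: `section ${rule.scope} not present` };
  const { passed, detail } = CHECKS[rule.check](rule.args, section, ctx);
  return { id: rule.id, severity: rule.severity, passed, detail };
}

// Constructed sample: the rule from the page plus a second rule, run over a fabricated cover letter.
const SAMPLE_RULES = [
  { id: 'cover-letter-date-current', scope: 'M1.2', check: 'date_within_days', args: { max_age_days: 14 }, severity: 'block' },
  { id: 'cover-letter-names-sponsor', scope: 'M1.2', check: 'required_phrase', args: { phrase: 'Sponsor:' }, severity: 'warn' },
];
const SAMPLE_CTX = {
  today: '2024-06-01',
  sections: { 'M1.2': { text: 'Cover letter dated 2024-04-30.\nSponsor: Example Pharma Ltd.' } },
};

function runAll(rules = SAMPLE_RULES, ctx = SAMPLE_CTX) {
  return rules.map(r => runRule(r, ctx));
}
```

Against the sample context the date rule fails (the letter is 32 days old against a 14-day limit) and the phrase rule passes; a rule naming a check outside the registry, or passing a string where an integer is expected, is rejected before any check runs.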
06 — Authentication and access
Identity and file access are decoupled by design.
Sign-in uses a multi-tenant Entra ID application registered in Chrona Bio's tenant and federated to your Entra ID. Your users sign in with their own identity, under your IdP's policies (MFA, conditional access, session controls); Chrona Bio receives tokens, never your users' credentials.
SharePoint access is a separate, per-customer Microsoft Graph application that uses the Sites.Selected permission, granted only to the specific sites your administrator chooses. Sites.Selected confers access to no site on its own: until your administrator adds a site-level grant for the application, that site is not readable by it.
The split matters. Granting Chrona Bio sign-in access does not grant Chrona Bio access to your files. File access is a separate, scoped consent your administrator controls, and it can be reviewed or revoked per site without touching sign-in.
07 — For your security review
For procurement and security review.
Stop reconstructing rationale from email archives at audit time. The record is the system.
Brian and Flavia answer security questionnaires directly. We'll walk your team through the threat model, the data flows above, and any question your procurement process raises. Founder-attached — not a security-team-of-one inbox.
Talk to Brian or Flavia