EP365 Controlled documents staff handbook, GDPR and health & safety with a trail of who read what and when
Distribute the staff handbook, GDPR, health & safety and ISO policies with a verifiable trail of who read them and when — all inside the Microsoft 365 you already have and pay for. No third-party system, no extra passwords, and your NIS2 and ISO audits pass without panic.
Sound familiar?
This is what companies that must prove people have read key policies tell us. Not because they're careless — but because email, Teams and shared folders were never built for verifiable acknowledgement.
“Prove that everyone has seen the Staff Handbook, version 1.3.”
An inspector or an ISO auditor turns up and wants evidence. HR opens Excel and starts ringing round the sites. And still nobody knows who had which version.
“We emailed the new policy. Did anyone even open it?”
The mass email went out and that was the end of it. Did anyone read it? Understand it? You have no idea — and in three years you won't be able to trace it at all.
“Staff Handbook in Teams, GDPR in OneDrive, health & safety in an email.”
Documents are everywhere and nowhere. When a new colleague joins, nobody is sure what to send them — or which version is actually the latest approved one.
What Controlled documents does about it
Five things that take the worry off your plate fastest. The complete feature list is below in the details.
A verifiable read-and-understood trail on every document
For each confirmation you can see who read the document, when, and which version — with a time stamp. Whenever an auditor asks, you have the answer in one click, not after a week of phone calls.
Excel and ringing round the sites one overview of who has read what
Sign-off before the document goes out
The publisher prepares the document, the approver signs it off — only then does it reach the recipients. Nothing goes out unapproved. When the approver is on holiday, their deputy gets the request too, so nothing gets stuck.
Straight into a mass email publisher → approver → recipients
Choose recipients however you need
Target a whole department, a Microsoft group, or specific individuals. Does the team change? The document tops itself up for the new people only — they get the email, not the whole company again.
Confirm that people understand
For key documents you don't stop at a click. Add a few check questions and the employee confirms only after answering them correctly — verifiable proof of understanding, not just that they “saw it”.
Recurring acknowledgement watched by the app
Health & safety and GDPR must be refreshed every year. Set the interval and the document returns to people on its own for a fresh confirmation — no manual work and with a fresh audit record.
The fastest route: 30 minutes at a screen.
No company slideshow. We share a screen and click through the app on sample data — you'll see exactly what your people and an auditor would see.
„We passed our NIS2 audit with a single export. The auditor saw a list of all confirmations with time and version — and had not one objection.“
Manufacturing company · 250 employees · 32 controlled documents
We got it deployed within hours. The administrator needed a short workshop, publishers got a one-hour video, and employees needed no training at all.
For those who want to know more
Everything that matters in one place — features, a comparison with the alternatives, security, pricing and answers to common questions.
Publishing with sign-off
Five roles — employee, publisher, approver, manager, administrator. The publisher prepares, the approver signs off, and only then does the document reach recipients. Nothing goes out unapproved.
Verifiable acknowledgement trail
For every confirmation: who, when, which version, optionally from which IP and device. Records cannot be changed retroactively — they are permanent evidence for NIS2 and ISO audits.
Targeting the right people
Build your recipient list from whole departments, Microsoft groups and individuals. Combine all three sources depending on who the document concerns.
New version or team change
Change the attachment? The app starts a new acknowledgement cycle and marks the old confirmations as invalid. Someone joined the team? The document tops up for them alone — they get the email, not the whole company again.
Acknowledgement overview for managers
How many people have already read it, which documents are risky, how publishing is going over time. A manager sees the status of their team, an administrator the whole company.
Automatic archival and retention
Once it expires, the document archives itself. Audit records are retained for as long as you set (7 years by default). You print the report to PDF straight from the browser.
Full-text search inside documents
Search by what's inside — not just by the title. The search goes through the content of Word and PDF files and respects permissions: everyone finds only what they can access.
Evidence pack in one click
For any document you generate a printable report — metadata, version and a complete list of confirmations (who, when, which version). Ready to print to PDF straight for the auditor.
Templates and required fields
Each category can enforce required fields (deadline, validity, targeting) and offer the publisher a template with guidance. Documents are then created consistently and completely from the outset.
Understanding checked by a quiz
For key documents, add check questions. The employee confirms acknowledgement only after answering them correctly — verifiable proof of understanding, not just a simple click.
Recurring acknowledgement (recertification)
Health & safety, GDPR and security policies require regular reminders. Set the interval and the document returns to people on its own for a fresh confirmation, with a fresh audit record.
Reminders, Teams and calendar
An overdue reminder also goes to the line manager. Announce new publications to a Teams channel. An employee adds the confirmation deadline to their Outlook calendar in one click.
Preview in a panel without downloading
Read Word, Excel and PDF straight in the panel, without downloading to your computer. The document detail and the list of confirmations are neatly in one place.
Data stays with you
Documents, confirmations and the audit trail are stored exclusively in your Microsoft 365 environment. No third-party cloud, no data leaving the company — including the EU region for European customers.
No new passwords
People sign in with their company Microsoft account. When an employee leaves, IT handles it in one step — blocking the account removes access to the documents too.
Everyone sees only their own
An employee sees only their own confirmations, a manager their team, an administrator the whole company. Other people's data is technically out of reach, even if someone had the direct link.
Verifiable trail for NIS2 and ISO
Time stamp, version, who confirmed and when — in strict mode also IP and device. Records cannot be changed retroactively and are retained for as long as you set (min. 5 years).
GDPR on the principle of minimisation
The audit record contains only what's necessary — who, when and optionally from which IP. You control the retention period, not us. No unnecessary collection of personal data.
No extra third-party system
Everything runs in your Microsoft 365. On our side we only verify the licence — no documents or personal data flow through us. You won't gain a new vendor to put through procurement.
Price by company size
A monthly flat fee for the whole company, not per user. Unlimited recipients and documents within a given size band — the price follows the number of people in your Microsoft 365.
On-site implementation
We help you get started: installation, a workshop for administrators, a category design tailored to your organisation, the first distribution groups and strict-mode setup for NIS2.
The exact price depends on company size and the scope of the initial setup. We'll send a precise quote after a short call. Migration from legacy systems is a separate service.
Support pricing
Consultations, environment adjustments, custom reports or user support.
Support is billed per started 15 minutes of work. We always tell you the expected scope in advance.
Is this an electronic signature?
How long does deployment take?
What do we need to have?
How does it help us with a NIS2 or ISO audit?
Can an employee who “isn't a computer person” manage the confirmation?
What about GDPR and personal data?
Can we set up recurring acknowledgement?
Can we move over from DocuWare or another DMS later?
Often paired with Controlled documents
What exactly do you want to discuss?
Pick what's burning most right now. We'll get back to you, walk through your situation and propose next steps, including an indicative price.