Account, session, recovery, and stronger-role controls
Use centralized sign-in, role-aware sessions, alternate recovery contact, privileged reauthentication, and attributable account actions.
Trust Center
We place security and accountability inside the operating model, with controls and reports that match personal, organization, reseller, and platform responsibilities.
Six trust foundations
Use centralized sign-in, role-aware sessions, alternate recovery contact, privileged reauthentication, and attributable account actions.
Keep users, domains, rooms, services, storage, reports, and administrative actions within the organization scope assigned to them.
Combine authentication, anti-abuse limits, content and anomaly checks, platform defaults, tenant controls, user preferences, alerts, and reports.
Use local hosting posture, role and tenant controls, documented service behavior, retention expectations, and source notices as part of the evaluation.
Retain actor, target, tenant, domain, category, event, result, time, and relevant context where the workflow supports it.
Use recovery paths, versions, deleted-file restore, retries, status visibility, backup policy, support, and incident review according to the service and plan.
Mail protection with layered responsibility
Platform defaults establish the minimum outbound and inbound posture. Tenant administrators can apply stricter organization rules, while users manage the preferences that belong to their mailbox without overriding mandatory safeguards.

Shared responsibility
| Responsibility | GoOfficePH platform | Organization and users |
|---|---|---|
| Identity and access | Operate centralized identity, role model, session controls, and platform policy | Protect credentials, maintain recovery information, assign roles carefully, and remove access promptly |
| Tenant and domain setup | Provide verified-domain and tenant workflows with policy enforcement | Prove ownership, maintain administrators, place users correctly, and review memberships |
| Mail protection | Apply platform minimums, service controls, monitoring, and operational response | Configure domain records, respect sending policy, review alerts, and address compromised accounts |
| Files and sharing | Provide permissions, sharing, versions, recovery, activity, and service safeguards | Choose recipients carefully, maintain ownership, review public links, and classify sensitive material |
| Audit and reports | Retain supported events and present role-scoped online and downloadable reports | Review reports, investigate exceptions, preserve required outputs, and improve policy |
| Support and continuity | Provide status, retries, recovery paths, backup policy, and support according to plan | Maintain contacts, test critical workflows, define internal owners, and participate in incident review |
Evidence people can use
Authorized reports combine current state, trends, exceptions, and detailed records. The aim is not simply to accumulate events, but to help the right person understand what happened and what should happen next.

Trust questions
No. Hosting location is one part of the posture. Identity, access, encryption, mail protection, application security, logging, recovery, policy, people, and operating response remain essential.
Mandatory platform safeguards remain the floor. Tenant and user controls can add organization or mailbox policy but should not bypass platform-level requirements.
The platform logs supported identity, administrative, service, application, migration, security, support, and commercial events. Logging coverage is reviewed as new material workflows are added; not every passive screen view carries the same audit significance.
The Open Source Notices page lists major components, roles, and license families, with supporting compliance information maintained behind the published page.
References
Put the next step in reach
Start with one priority, keep the implementation manageable, and expand on the same connected foundation.