Heedify is ISO 27001 certified for Microsoft Teams contact centres
Heedify is ISO/IEC 27001:2022 certified by AFNOR Certification. What it changes for organisations running their contact centre on Microsoft Teams.
Every B2B vendor selection runs into the same conversation at some point.
Procurement asks for security documentation. The CISO asks for an audit report. The legal team asks for the data processing agreement. Then comes the 200-line security questionnaire. Then another one for the renewal next year.
It is a known bottleneck. It slows down deals that should close in weeks and turns them into months.
We just removed that bottleneck.
Heedify is now ISO/IEC 27001:2022 certified by AFNOR Certification, the leading French national standards body, under the COFRAC-accredited AFAQ mark.
This article explains what that means concretely for the people who pick Heedify to run their Teams contact centre, and why we believe this matters more than a badge on a website.
The real problem ISO 27001 solves
If you sell or buy SaaS, you know the dance.
The buyer needs to be sure the vendor will not become the entry point of a security incident. The vendor needs to prove it. So the buyer sends a questionnaire. The vendor answers 80 to 250 questions about policies, controls, encryption, incident response, vendor management, business continuity, and the rest.
Multiply this by every vendor in your stack and you have a job, not a procurement process.
For a Teams contact centre vendor like Heedify, which also runs a native attendant console for Microsoft Teams, the stakes are higher than average:
- Inbound calls are routed and recorded
- Caller identity and CRM records are accessed
- Transcripts and summaries are produced and stored
- Personal data flows through your tenant and back
Your CISO is right to ask hard questions. We would, in their place.
ISO 27001 is the international answer to this question. It is the most widely recognised information security management standard in the world. It says: a credible, accredited third party has audited our security posture against a fixed reference, and we comply.
It does not replace conversation with your security team. But it makes the conversation start from a much higher floor.
What ISO 27001 actually means
ISO/IEC 27001:2022 certifies that an organisation runs a proper Information Security Management System (ISMS), with:
- A clearly defined scope of what is covered
- A risk assessment process that is repeated, not a one-shot exercise
- 93 controls grouped in 4 themes (organisational, people, physical, technological)
- A Statement of Applicability (SoA) listing which controls apply and why
- A documented incident response and business continuity process
- Continuous improvement through internal audits and management reviews
Certification is granted after a stage 1 (documentation review) and stage 2 (operational audit) on site. Then it is re-audited every year by the certifying body, and fully re-certified every three years.
It is not a snapshot. It is a continuous commitment.
Why we chose AFNOR Certification
Not all ISO 27001 certificates carry the same weight in a buyer’s eyes. The certifier matters as much as the certification itself, and your CISO knows it.
We chose AFNOR Certification for three concrete reasons:
Recognition worldwide. AFNOR Certification is the French national standards body. Its certificates are recognised by the IAF (International Accreditation Forum), the global mutual recognition arrangement that links accreditation bodies in more than 80 countries. Your procurement team in the EU, the United States, the United Kingdom, APAC or anywhere else accepts the certificate without needing to validate the certifier first.
Independence of the audit chain. AFNOR Certification is itself accredited by COFRAC, the French national accreditation body, member of the European Cooperation for Accreditation (EA). This is the meta-question your CISO eventually asks: who audits the auditor? The answer here is a peer-reviewed independent organisation at the European and international level, not a self-declared body.
Rigour of the AFAQ regime. The AFAQ mark, owned by AFNOR, is reserved for organisations that pass a strict process review. A vendor presenting an AFAQ ISO 27001 certificate has not just met the standard, but met it under one of the most demanding certification regimes in Europe.
For your procurement and security teams, an AFNOR Certification ISO 27001 certificate is a document that doesn’t generate follow-up questions about the certifier. That’s hours of meeting time you don’t have to spend.
The scope of our certification
Scope is the part most people miss when reading a certificate. Some vendors get certified on a tiny subset of their operations and let you assume it covers everything.
Here is the verbatim scope of our certificate:
Development, hosting and maintenance of a Contact Center as a Service (CCaaS) solution for organisations using Microsoft Teams as their telephony platform.
That is the whole product. Not a part of it. The development, the hosting, the maintenance: everything that touches your contact centre data is in scope.
We also chose to be certified under the ISO/IEC 27001:2022 revision, not the previous 2013 version that some vendors are still on. The 2022 version is the most current edition of the standard, with updated controls reflecting modern cloud and remote work realities.
What changes concretely for you, our customer
This is the part that matters.
1. Your procurement gets faster
You can ask us once for our certificate, our public Statement of Applicability summary, and our DPA. You can then bring this to your procurement and security teams and skip the long questionnaire phase, or fill it 3x faster because the answers map directly to ISO 27001 controls.
2. Your CISO has objective assurance
ISO 27001 is a vocabulary your security team already speaks. They know what it covers, what it does not, and what to ask for. A conversation that used to start with “explain your security posture” now starts with “show us how your SoA handles cryptography and what your variance is on annex A.”
That is a productive conversation. Not a defensive one.
3. Your renewals get simpler
The procurement bottleneck does not go away after you sign. Every two or three years the rebid comes back and the same conversation restarts. With ISO 27001, the rebid conversation is dramatically shorter: the certificate is still valid, the audit is annual, nothing fundamental has changed.
4. Your regulated industries are easier to serve
If you are in finance, public sector, healthcare, or any regulated industry, your own auditors and regulators will look at your vendors. Heedify being ISO 27001 certified is an answer to a lot of their questions before they even ask.
5. Your trust is grounded in process, not in marketing
Every SaaS vendor claims to “take security seriously.” Words are cheap. An external accredited audit against a fixed reference is not.
How Heedify approaches security in practice
The certification does not exist in a vacuum. It is the formal acknowledgement of how we operate every day.
A few specifics:
- Built on Microsoft Azure and Azure Communication Services. We inherit the underlying compliance posture of Microsoft (Azure is itself ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, HDS for the relevant regions, and more)
- Tenant isolation by design. Your call data, your transcripts, your CRM lookups stay in your Microsoft 365 tenant. There is no shared multi-tenant database where customer data mingles
- Data residency you choose. EU, United States, United Kingdom, APAC: you pick the Azure region. We deploy there
- No model training on your calls. Your conversations are never used to train the AI base models. Ever
- GDPR-compliant by design. Consent capture, retention policy, right to deletion. Your DPO has the documentation, the controls, and the audit trail
- Recording with consent. Recording features respect local law and your own policy. The caller is informed and consent is captured before storage
ISO 27001 is the structural validation of all of the above by a third party that has the authority to say so.
What ISO 27001 does not replace
We want to be honest about what this certification means and what it does not.
It does not replace:
- Your own DPIA (Data Protection Impact Assessment). If your use case involves sensitive categories of data, you still need to do the DPIA. We will help you with the inputs but we cannot do it for you.
- HDS (the French Healthcare Data Hosting certification) if you operate in French healthcare. ISO 27001 is the foundation but HDS is a separate certification with its own scope. We are evaluating HDS for future certification.
- SOC 2 Type II if your US procurement team specifically asks for it. We are working towards SOC 2 as a complementary certification.
- Sector-specific regulations like DORA in EU finance or FedRAMP in US federal. ISO 27001 is a strong baseline that demonstrates maturity, but specific sectors have specific obligations.
- Your own security operations. Your firewall, your endpoint protection, your identity management, your conditional access policies. Heedify is one piece of a larger picture, and we don’t take that responsibility away from you.
ISO 27001 is a credible, internationally recognised baseline. Treat it as the starting point of trust, not the ending point.
What is next for Heedify
ISO 27001 is the foundation. We are not stopping here.
On our roadmap:
- SOC 2 Type II for our US-focused customers and partners
- HDS evaluation for French healthcare contact centres
- Annual ISO 27001 surveillance audits, which are the natural rhythm of the certification
The point is not to collect badges. It is to make sure that as Heedify grows and our customers’ needs evolve, our security posture grows with them.
Talk to our security team
If you are evaluating Heedify and want a deeper conversation about our security posture, we are happy to have it.
- Email our security team directly: cybersecurity@heedify.io
- Ask for our Statement of Applicability summary, our Information Security Policy summary, and our DPA template
- Book a demo and bring your CISO on the call: we welcome the questions
Trust is built one honest conversation at a time. The certificate is a credible, accredited proof point. The conversation is still the part that matters.
Frequently asked questions
Is Heedify ISO 27001 certified?
Yes. Heedify is certified to ISO/IEC 27001:2022, the international information security management standard, by AFNOR Certification under the COFRAC-accredited AFAQ mark.
What is the scope of Heedify’s ISO 27001 certification?
The scope covers the development, hosting and maintenance of Heedify’s Contact Center as a Service (CCaaS) solution for organisations using Microsoft Teams as their telephony platform. This covers both the contact centre and the attendant console products that run on the Heedify platform.
Which version of ISO 27001 is Heedify certified to?
ISO/IEC 27001:2022, the most current edition of the standard. This is the same version recognised under the European NF EN ISO/IEC 27001:2023 norm.
Who is the certifying body?
AFNOR Certification, the French national standards body. AFNOR Certification is itself accredited by COFRAC (Comité français d’accréditation), member of the European Cooperation for Accreditation (EA), and recognised internationally through the IAF (International Accreditation Forum).
Where can I get a copy of Heedify’s ISO 27001 certificate and Statement of Applicability?
Email cybersecurity@heedify.io. We share the certificate and a public summary of our Statement of Applicability with customers and prospects on request, alongside our Data Processing Agreement.
Does ISO 27001 mean Heedify is GDPR compliant?
ISO 27001 provides the structural information security baseline that supports GDPR compliance. Heedify additionally implements GDPR by design: consent capture, retention policy, right to deletion, audit trail, and a DPA available for every customer. ISO 27001 and GDPR are complementary, not equivalent.
What other certifications is Heedify working on?
Heedify is evaluating SOC 2 Type II for US-focused customers and HDS (French Healthcare Data Hosting) for healthcare contact centre deployments. ISO 27001 surveillance audits run annually as part of the certification lifecycle.
Is Heedify’s underlying infrastructure also certified?
Yes. Heedify is built on Microsoft Azure and Azure Communication Services. Azure itself holds ISO/IEC 27001, ISO/IEC 27017 (cloud security controls), ISO/IEC 27018 (cloud privacy), SOC 1/2/3 and HDS in the relevant European regions. Heedify’s own ISO 27001 certification adds the application and operations layer on top.