
How do you know it doesn't mirror data or accept commands remotely, or that it has no vulnerabilities/backdoors which can make it do so? Perhaps you could do an audit of it or something...


Are you under the misimpression that KPMG or PwC filling out a checklist will catch a back door? They’re looking for things like whether your servers have an old OpenSSL library or your code doesn’t escape values in SQL, which is pretty low-hanging fruit even on hosted apps and much less valuable for local apps.



