For · CISO & IT Director

Deployment your security team will actually approve.

Zero data egress. One Entra security group. Clawscan runs inside your Azure tenant using your existing Microsoft 365 infrastructure — nothing leaves, nothing is stored externally, nothing new to secure.

Shield-led
Why manual review fails
5%: Typical estimated max email coverage in manual compliance programmes — the vast majority of communications are never reviewed.
100%: Coverage with Clawscan Guard — every email in scope, scanned automatically, every day.

Zero data egress is not a feature — it's the architecture. Raw email never leaves the client tenant by design.

Clawscan Security Architecture
The CISO / IT Director's reality

What Clawscan solves.

  • 01

    Every compliance tool wants access to your email

    Most compliance tools require email forwarding, API access, or data egress to a third-party environment. Clawscan is different — scanning happens inside your tenant, and only classification results cross the boundary. Raw email never leaves.

  • 02

    No new credentials to manage at onboarding

    Most compliance integrations require exchanging API keys, provisioning service accounts, and planning rotation schedules before you're live. Clawscan's cross-tenant authentication needs one thing from you: an Object ID.

  • 03

    Scope creep starts at deployment

    A single Entra ID security group defines exactly who is covered. No broader permissions, no access beyond what's declared. The Application Access Policy scopes the engine to shared mailboxes only — not personal mailboxes.

The Guard dashboard

Your compliance command centre.

Every email in your shared mailbox — scanned, classified and ready to act on. Flagged emails surface with written justifications. Your team reviews only what matters, not everything.

[Dashboard mockup: Clawscan Guard compliance dashboard, live scanning, with counters for Critical, Warning, Safe and Scanned today.]

Illustrative mockup — actual interface may vary by environment and configuration.

Not just a flag

An explanation your legal team can act on.

Every flag includes a written justification in plain language and the exact passage that triggered it. Not a black box — a defensible, audit-ready verdict.

  • critical

    Price coordination — Article 101 TFEU exposure

    Language implies pre-tender pricing alignment with a direct competitor. This constitutes a per se cartel offence under EU competition law regardless of whether prices were actually aligned. Escalate to legal counsel before any reply.

    align our pricing approach before the tender closes… neither of us needs to compete on margin

  • warning

    Off-contract arrangement — concealment signal

    Reference to preferential terms explicitly excluded from the formal contract, combined with a request for secrecy, may indicate an attempt to hide a side agreement. Review for anti-corruption and conflict of interest exposure.

    keep this between us for now… formalise separately once the award is confirmed

  • safe

    Data Privacy — no concern detected

    GDPR reference is procedural only — documentation sharing is standard practice and does not indicate a data breach, unlawful processing, or consent failure. No personal data is shared in this communication.

    Our GDPR data processing documentation will follow under separate cover

What you can do with it

Workflows that change your programme.

  • Tenant-local processing — no data egress

    The Clawscan Engine runs as an Azure Container App inside your tenant. Email content is processed and stays inside your Azure boundary. Only scan outputs — classification and justification — are sent to GOlegal's Dataverse.

  • Cross-tenant authentication — no credential exchange

    The Engine authenticates to GOlegal's Control API using system-assigned managed identity with workload identity federation. No API keys or client secrets are exchanged at onboarding — you share an Object ID.

  • Minimal permission footprint

    The Engine is scoped via Exchange Application Access Policy to shared mailboxes only. Personal mailboxes are outside scope by architecture, not by configuration.

  • One security group, full control

    A single Entra ID security group controls who is covered by both Shield and Guard. Add or remove employees instantly. Dynamic groups are supported for role or attribute-based scoping.

How it works for you

Your team's day, with Clawscan.

  1. 01

    Engine deploys inside your Azure tenant

    The Clawscan Engine runs as a stateless Azure Container App inside your own tenant. No new infrastructure outside your boundary. Deployed via your existing Azure subscription.

    Shield + Guard
  2. 02

    Authentication via managed identity

    The Engine authenticates to GOlegal's Control API using system-assigned managed identity with workload identity federation. No API keys or client secrets are exchanged at onboarding — you share an Object ID.

    Shield + Guard
  3. 03

    Only results cross the boundary

    Email content is processed inside your tenant and never sent externally. Classification and justification are the only data points stored on GOlegal's Dataverse — TDE AES-256 encrypted.

    Shield + Guard
  4. 04

    Scope controlled via Entra ID

    Your security team manages who is covered via a standard Entra security group. The Application Access Policy ensures the Engine can only access shared mailboxes in scope — not personal mailboxes.

    Shield + Guard
Questions we hear before deployment

Common objections.

What data leaves our tenant?
Only scan outputs: domain classification, written justification, and telemetry. Raw email content — body, attachments, sender, recipients — never crosses the tenant boundary. This is architectural, not a configuration choice.

How does cross-tenant authentication work without secrets?
Clawscan uses Azure Workload Identity Federation. The Engine's system-assigned managed identity is pre-authorised against GOlegal's multi-tenant app registration using its Object ID.

Can we review your penetration test findings before deployment?
Yes — we can provide our security architecture documentation and existing pentest findings to your security team as part of the evaluation process.

What happens to scan results if we terminate?
Scan results stored on GOlegal's Dataverse are available for export in CSV format for 30 days post-termination. After that period, they are permanently deleted. This is covered in the Terms of Service.

See Clawscan in action.

Book a 30-minute demo and see how Clawscan protects your organisation — and your people.
