Architecture Overview
What this document is:
High-level overview of the Clawscan architecture and deployment model.
Why this matters:
Organizations evaluating Clawscan must understand where data is processed, which components are responsible for which tasks, and how isolation between systems is maintained.
Who should read this:
IT teams, security reviewers, solution architects, and data protection officers.
When to use this:
Security assessments, architecture validation, procurement reviews.
Core architecture principle
Clawscan follows a tenant-resident processing model.
This means that the analysis of communications occurs within the client’s own Microsoft 365 and Azure environment rather than within GOlegal infrastructure.
As a result:
- Email content remains under client control
- Processing boundaries are clearly defined
- Sensitive data does not need to be transmitted to external infrastructure
See also:
Architecture components
The Clawscan ecosystem consists of four main components.
Client tenant environment
The core processing environment resides within the client’s own Microsoft 365 and Azure infrastructure.
Typical components include:
- Microsoft 365 Exchange Online (email storage)
- Azure resources provisioned by the client
- the Clawscan processing engine
This environment remains fully controlled by the client organization.
GOlegal does not operate or administer this environment.
Clawscan processing engine
The Clawscan engine is deployed within the client tenant.
Its role includes:
- retrieving communication content from Microsoft 365
- performing compliance analysis
- generating derived scan results
- transmitting operational telemetry
The engine performs the analysis locally within the client environment.
Raw communication content is not transmitted to GOlegal infrastructure.
Details of how information moves through the system are described in:
GOlegal control plane
GOlegal operates a control plane responsible for service management.
Typical responsibilities include:
- telemetry ingestion
- service monitoring
- licensing management
- product updates
The control plane does not process email content.
Only derived results and operational telemetry are transmitted to GOlegal systems.
See:
Admin Control Center
The Clawscan Admin Control Center is a web interface operated by GOlegal that allows authorized users to:
- view aggregated compliance signals
- manage domain (de)activation
- access billing information
- manage other platform configuration (if relevant)
The Admin Control Center does not provide access to email content analyzed by the Clawscan Engine.
Only aggregated results and operational data are accessible through this interface.
Data isolation model
Clawscan is designed to maintain strict separation between client data and vendor-operated systems.
| Data category | Location | Accessible by GOlegal |
|---|---|---|
| Email content | Client tenant | No |
| Local analysis artifacts | Client tenant | No |
| Derived scan results | GOlegal control plane | Yes |
| Operational telemetry | GOlegal control plane | Yes |
This separation ensures that sensitive communication content remains within the client’s environment.
Privacy and security by design
The architecture incorporates several privacy and security safeguards:
- tenant-resident processing
- outbound telemetry only
- minimal data transmission
- clear responsibility boundaries
Organizations deploying Clawscan remain responsible for defining scanning policies consistent with their internal governance and regulatory obligations.
See:
Scope of vendor responsibility
Clawscan operates within a shared responsibility model.
GOlegal is responsible for:
- the Clawscan software
- the service control plane
- telemetry processing
- product maintenance
Client organizations remain responsible for:
- their Microsoft 365 tenant
- Azure resources used for deployment
- configuration of scanning policies
- internal governance and regulatory compliance
See:
Purpose and system boundaries
Clawscan is designed as a compliance assistance system.
Its purpose is to identify communication content that may require review by compliance or legal teams.
The system is not designed to evaluate employees, monitor behaviour, or produce individual performance metrics.
Outputs generated by the system are intended to support human review processes.