Data Processing Positioning
What this document is:
An explanation of how responsibilities related to communication monitoring and compliance detection are distributed between the organization deploying Clawscan, the Clawscan system itself, and GOlegal as the software vendor.
Why this matters:
Understanding these boundaries is essential for determining legal responsibilities, data protection obligations, and governance practices when deploying Clawscan.
Who should read this:
Legal teams, data protection officers (DPOs), HR teams, IT security teams, and procurement reviewers.
When to use this:
DPIA preparation, vendor risk assessments, internal governance reviews, and deployment planning.
Overview
Clawscan operates within a three-level responsibility model.
This model distinguishes between:
- Project level – the organization’s compliance initiative
- System level – the Clawscan technical platform
- Vendor level – GOlegal as the software provider
This distinction helps clarify:
- who defines monitoring policies
- who operates technical components
- who holds regulatory responsibilities
Understanding these layers helps organizations deploy Clawscan responsibly while maintaining appropriate governance controls.
Project level: organizational compliance initiative
At the project level, Clawscan forms part of a broader compliance initiative led by the client organization.
The client organization defines the objectives and governance framework for communication monitoring.
Typical responsibilities at this level include:
- defining compliance monitoring objectives
- determining which communication channels may be monitored
- establishing internal review procedures
- defining escalation and investigation processes
- ensuring compliance with applicable labour and privacy laws
These responsibilities remain entirely under the control of the organization deploying Clawscan.
Clawscan provides a technical capability that supports these initiatives but does not determine organizational policies.
See:
System level: the Clawscan platform
At the system level, Clawscan provides the technical infrastructure that enables organizations to identify potential compliance signals.
The platform performs tasks such as:
- retrieving communication content from authorized sources
- analyzing communications for potential compliance signals
- generating derived risk indicators
- transmitting operational telemetry for monitoring purposes
The system does not make legal determinations or enforce organizational policies.
Its role is limited to providing risk detection capabilities.
The Clawscan Admin Control Center provides a web interface allowing authorized users to access aggregated results and manage platform configuration.
This interface operates within the Clawscan system layer and does not process or store raw communication content.
See:
Vendor level: GOlegal
At the vendor level, GOlegal develops and operates the Clawscan platform.
GOlegal responsibilities include:
- maintaining the Clawscan software
- operating the service control plane
- monitoring service health
- providing product updates and improvements
GOlegal does not operate the client tenant environment and does not administer the organization’s internal compliance processes.
The vendor’s role is limited to providing and maintaining the technology that enables the service.
Infrastructure responsibility boundaries
Clawscan is deployed within infrastructure controlled by the client organization.
This includes components such as:
- Microsoft 365 environments
- Azure resources provisioned by the client
- the Clawscan processing engine deployed within the tenant
Because these components remain under client control, organizations retain responsibility for:
- infrastructure security
- access control within their tenant
- configuration of monitoring policies
See:
Data protection implications
The three-level model helps clarify how data protection responsibilities are distributed.
For example:
| Level | Primary responsibility |
|---|---|
| Project | Governance and monitoring policies |
| System | Technical analysis capability |
| Vendor | Software operation and maintenance |
Organizations deploying Clawscan remain responsible for ensuring that monitoring practices comply with applicable legal frameworks.
See:
Why this model matters
The three-level model helps organizations deploy Clawscan responsibly by:
- clarifying decision-making authority
- avoiding misunderstandings regarding vendor responsibilities
- supporting internal governance frameworks
- facilitating regulatory assessments
This structure ensures that compliance monitoring remains an organizational responsibility supported by technology, rather than a function delegated entirely to a vendor.