Data Retention & Deletion
What this document is:
An overview of how Clawscan retains and deletes analysis results and operational data.
Why this matters:
Organizations evaluating Clawscan must understand how long data is retained, what data is stored by GOlegal systems, and how deletion policies are implemented.
Who should read this:
Data protection officers (DPOs), legal teams, security reviewers, and compliance officers.
When to use this:
DPIA preparation, vendor security assessments, internal governance reviews.
Overview
Clawscan follows a data minimisation and limited retention principle.
The platform retains only the information required to operate the service and support compliance monitoring objectives.
Key principles include:
- communication content remains within the client tenant environment
- only derived scan results and operational telemetry are transmitted to GOlegal systems
- retention periods are defined to balance operational usefulness and data minimisation
Communication content
Clawscan does not store communication content within GOlegal infrastructure.
Email messages and attachments remain within the client’s Microsoft 365 environment during analysis.
As a result:
- GOlegal systems do not retain email bodies
- GOlegal systems do not retain message attachments
- GOlegal systems do not retain full communication content
Derived scan results
Clawscan generates derived analysis results following the local analysis of communications.
Derived results may include:
- risk classification
- numerical scoring
- summary reasoning describing the detection
These results are transmitted to the Clawscan control plane to support:
- operational monitoring
- compliance analytics
- service management
Derived results are retained according to a period-based retention model.
Period-based retention model
Raw scan results are retained during the operational period in which they were generated.
At the end of each period, results remain available for a fixed number of months before deletion.
This approach provides organizations with sufficient time to:
- review compliance signals
- perform internal investigations if required
- conduct periodic compliance analysis
After the retention window expires, raw results are deleted.
Example retention model:
| Operational period | Raw results deleted |
|---|---|
| 2026 | 30 June 2027 |
The exact deletion schedule may evolve as the platform develops, but the retention model follows this period-based approach.
Aggregated statistics
Clawscan may generate aggregated statistics derived from scan results.
These aggregated datasets:
- do not contain communication content
- do not contain message bodies
- do not allow reconstruction of individual communications
Aggregated statistics may be retained longer to support:
- service monitoring
- product improvement
- high-level compliance analytics
Operational telemetry
Clawscan collects operational telemetry to support reliable service operation.
Telemetry may include:
- scan timestamps
- diagnostic metadata
- operational identifiers
- analysis classifications
Telemetry retention may differ from scan result retention because it serves operational monitoring purposes.
Client-side data retention
Data generated within the client tenant environment may follow retention policies defined by the client organization.
This includes:
- email messages stored in Microsoft 365
- local diagnostic logs
- temporary analysis artefacts
Client organizations remain responsible for defining retention policies within their own infrastructure.
Deletion safeguards
Clawscan implements deletion mechanisms designed to ensure that retained results are removed once the retention window expires.
Deletion procedures are part of the operational management of the platform.