# Security & Compliance Overview

**What this document is:**
A high-level overview of how Clawscan addresses security, privacy, and regulatory compliance.

**Why this matters:**
Organizations evaluating Clawscan need a clear and structured understanding of how sensitive communications are protected and how compliance responsibilities are managed.

**Who should read this:**
Legal teams, DPOs, IT security teams, procurement, and executive stakeholders.

**When to use this:**
Initial vendor evaluation, security review, compliance assessment, or executive briefing.
## Executive summary
Clawscan is designed to detect potential legal and compliance risks in internal communications while maintaining strict control over data exposure and processing boundaries.
The platform is built around three core principles:
- Client-controlled processing
- Minimal data exposure
- Clear governance and responsibility boundaries
Unlike traditional SaaS models, Clawscan ensures that communication content remains within the client’s environment and is not transferred to vendor infrastructure.
## Architecture and data protection model
Clawscan uses a tenant-resident architecture, meaning that:
- email content is processed within the client’s Microsoft 365 and Azure environment
- GOlegal infrastructure does not access or process raw communication content
- only derived results and operational telemetry are transmitted externally
This architecture significantly reduces data exposure risks and simplifies compliance assessments.
See:
## Security safeguards
Clawscan implements a range of technical and organisational measures (TOMs) designed to protect system integrity and data security.
These include, among others:
- controlled access mechanisms
- secure infrastructure boundaries
- operational monitoring and diagnostics
- risk management practices
Detailed safeguards are described in:
## Privacy and data protection
Clawscan is designed following privacy-by-design principles, including:
- minimisation of external data transfers
- tenant-resident data processing
- configurable scanning scope
- clear separation between content analysis and telemetry
In principle, GOlegal does not process personal data related to communication content.
Access to personal data may only occur in limited scenarios such as:
- initial setup and configuration
- customer support or maintenance requests
This is further detailed in:
## AI governance and regulatory positioning
Clawscan uses AI to assist in identifying potential compliance risks while maintaining human oversight and decision-making control.
The system is designed to:
- support risk detection, not automated decision-making
- avoid profiling of individuals
- operate as a preparatory and assistive tool
This positioning supports alignment with emerging regulatory frameworks such as the EU AI Act.
See:
## Workplace compliance considerations
Clawscan is designed to support organizations in implementing compliant monitoring practices.
However, organizations remain responsible for:
- defining internal monitoring policies
- ensuring compliance with employment and privacy laws
- managing human review processes
Guidance is available in:
## Governance and responsibility model
Clawscan operates under a three-level responsibility model:
| Level | Responsibility |
|---|---|
| Project | Client defines compliance objectives and policies |
| System | Clawscan provides technical capabilities |
| Vendor | GOlegal operates the control plane and services |
This ensures that compliance responsibilities remain clearly allocated and aligned with regulatory expectations.
See:
## Operational transparency
Clawscan provides a structured Trust Center to support:
- security and compliance assessments
- procurement and vendor due diligence
- internal governance reviews
Documentation is organized to allow stakeholders to quickly access relevant information based on their role and objectives.