Shared Responsibility Model
What this document is:
An overview of how responsibilities are distributed between the client organization and GOlegal when deploying and operating Clawscan.
Why this matters:
Clawscan operates partly within the client’s own Microsoft 365 and Azure environment. Understanding which party is responsible for which components is essential for security, compliance, and operational governance.
Who should read this:
IT teams, security teams, compliance officers, DPOs, and procurement reviewers.
When to use this:
Security reviews, vendor risk assessments, deployment planning, and internal governance documentation.
Overview
Clawscan follows a shared responsibility model.
Different parties are responsible for different aspects of the system depending on where processing occurs and who controls the infrastructure.
The responsibility model reflects the architecture of the platform:
- communication content processing occurs within the client tenant
- the Clawscan platform provides software and operational services
- the client organization defines governance and monitoring policies
See:
Responsibility layers
Responsibilities can be understood across three layers.
| Layer | Responsible party | Description |
|---|---|---|
| Project | Client organization | Defines compliance objectives, monitoring policies, and governance framework |
| System | Clawscan platform | Provides software capabilities enabling compliance signal detection |
| Vendor | GOlegal | Operates the Clawscan control plane and provides platform services |
Client responsibilities
The client organization remains responsible for:
Infrastructure and tenant configuration
Because Clawscan operates within the client tenant, the client remains responsible for:
- Microsoft 365 tenant security
- Azure tenant configuration
- Exchange Online configuration
- Identity and access management
- Azure OpenAI provisioning and management
Governance and monitoring policies
Organizations deploying Clawscan must define how the system is used within their internal governance framework.
Typical responsibilities include:
- defining monitoring objectives
- establishing internal review procedures
- ensuring employee transparency where required
- handling alerts generated by the system
See:
GOlegal responsibilities
GOlegal is responsible for operating the Clawscan platform components under its control.
These responsibilities include:
- operating the Clawscan control plane
- managing licensing and usage monitoring
- maintaining the Clawscan software
- monitoring platform reliability
- providing technical support
GOlegal does not access or process email content stored in the client tenant.
See:
Clawscan system responsibilities
The Clawscan platform provides the technical capabilities required for compliance signal detection.
These include:
- communication analysis within the client tenant
- generation of compliance risk signals
- operational telemetry transmission
- platform reliability monitoring
Clawscan outputs are signals intended to support human compliance review.
The platform does not make automated decisions affecting individuals.
See:
Why this model matters
The shared responsibility model helps ensure that:
- organizations retain control over their communication data
- processing boundaries are clearly defined
- governance responsibilities remain with the organization deploying the system
This approach supports privacy-by-design principles and transparent compliance governance.
See: