Trust Overview
What this document is:
An overview of the trust principles that guide the design and operation of Clawscan.
Why this matters:
Clawscan is designed to detect potential legal and compliance risks in internal communications. Because these communications may contain sensitive information, the system is built around strict privacy, security, and governance principles.
Who should read this:
All stakeholders evaluating Clawscan, including legal teams, DPOs, IT security teams, HR, and procurement.
When to use this:
Initial vendor evaluation, security reviews, compliance assessments, or internal awareness.
Trust principles
Clawscan is built around five core principles:
- Client-controlled processing
- Minimal data exposure
- Privacy-by-design
- Content-focused risk detection
- Clear responsibility boundaries
These principles shape the architecture, deployment model, and operational governance of the system.
Client-controlled processing
Clawscan is designed so that the analysis of email content occurs inside the client’s own Microsoft 365 and Azure environment.
This means:
- Email content remains under exclusive client control
- GOlegal infrastructure does not receive or process email content
- Processing boundaries are clearly defined
The Clawscan Engine operates within the client tenant and performs analysis locally.
Minimal data exposure
Clawscan is designed to minimise the amount of information transmitted outside the client environment.
The system transmits derived scan results and operational telemetry only, such as:
- classification of potential compliance risks
- risk scores
- operational metadata
- system diagnostics
Raw communication content is not transmitted to GOlegal infrastructure.
Telemetry is used solely for:
- operational monitoring
- service reliability
- licensing and usage management
Privacy-by-design
Clawscan incorporates privacy-by-design principles at both the architectural and governance levels.
Examples include:
- tenant-resident processing
- outbound-only telemetry transmission
- configurable scanning scope
- optional exclusion of private communications
Organizations deploying Clawscan remain responsible for ensuring that scanning policies comply with their internal governance frameworks and applicable regulations.
Content-focused risk detection
Clawscan is designed to analyze communication content in order to detect potential legal or compliance risks.
The system is not intended to evaluate employees, monitor behaviour, or generate performance indicators.
Instead, the platform provides risk detection signals associated with specific communications, which must be reviewed by compliance or legal teams.
This design supports responsible deployment and helps ensure that the system assists human compliance review rather than replacing human judgment.
Clear responsibility boundaries
Clawscan operates under a three-level responsibility model:
| Level | Role | Description |
|---|---|---|
| Project | Client organization | Defines compliance objectives and internal governance policies |
| System | Clawscan platform | Provides technical capabilities to support compliance monitoring |
| Vendor | GOlegal | Operates the Clawscan control plane and provides the software |
This model ensures that compliance responsibilities remain appropriately allocated.
Transparency and trust
Clawscan’s Trust Center provides documentation describing:
- architecture and deployment principles
- security and privacy safeguards
- regulatory positioning
- legal and contractual framework
- operational guidance
This transparency enables organizations to evaluate Clawscan within their own governance and compliance frameworks.