Security & Data Handling

We built ComplianceAgent UK to help you protect your data - so naturally, protecting the data you share with us is our #1 priority. Here's exactly how we keep it safe.

Our Security Promise

Read-Only Access

We request read-only permissions. We don't request send/edit/delete scopes.

No Document Storage

We don't store full emails or files. We scan content during a scan run and store results and minimal metadata (scores, finding summaries, and remediation guidance).

You Stay in Control

Revoke access anytime from your Microsoft or Google account settings. We don't hold the keys - you do.

How Your Data Flows

Here's exactly what happens when you run a scan - step by step.

1. You sign in with Microsoft or Google

We use OAuth - the same secure sign-in used by thousands of apps. We never see or store your password. Your provider gives us a temporary, read-only token.

2. We read the provider data you authorise

Using that token, we pull the permitted Microsoft or Google data through official APIs. Microsoft can include email and files; Google currently supports file access plus profile details. The data travels over an encrypted connection (TLS 1.2+). We do not persist full message/file content.

3. We analyse the content for risks

Our system checks for personal data exposure, phishing signals, and data handling risks during the scan. We store the scan results (scores, finding summaries, and fix steps), not full message/file content.

4. You get your results

We save your posture score, the list of issues found, and the fix steps. That's it. No raw email content or full file content is stored on our servers.

Encryption & Infrastructure

The technical details, for those who want them.

Encryption in Transit

  • All connections use TLS 1.2 or higher (HTTPS everywhere)
  • HSTS headers enforce encrypted connections
  • API calls to Microsoft/Google use their official encrypted endpoints

Encryption at Rest

  • OAuth tokens encrypted at rest (Fernet)
  • Encryption keys stored as environment variables, never in code
  • Database uses encrypted storage provided by our hosting platform
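What "OAuth tokens encrypted at rest (Fernet)" with the key held in an environment variable looks like in practice, as an added example that is not ComplianceAgent's own code: a standard-library Go implementation of the Fernet token format (version byte, timestamp, AES-128-CBC ciphertext, HMAC-SHA256 tag), with the key read from the environment rather than from source. The environment variable name (FERNET_KEY), the sample token text and the 60-second clock-skew bound are assumptions for illustration; the page does not state how the service implements this.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"os"
	"time"
)

// Fernet token: 0x80 | timestamp (8 bytes big-endian, seconds) | IV (16) | AES-128-CBC
// ciphertext (PKCS#7 padded) | HMAC-SHA256 over all preceding bytes. Key = 16 signing + 16 encryption bytes.
const fernetVersion, hdrLen, tagLen = 0x80, 9, sha256.Size

var errInvalidKey = errors.New("fernet: key must be 32 bytes, urlsafe-base64 encoded")
var errInvalidToken = errors.New("fernet: invalid token")

// decodeFernetKey validates the encoded key and returns the raw 32 bytes.
func decodeFernetKey(encoded string) ([]byte, error) {
	key, err := base64.URLEncoding.DecodeString(encoded)
	if err != nil || len(key) != 32 {
		return nil, errInvalidKey
	}
	return key, nil
}

// loadFernetKey reads the key from the environment, never from source code.
// The variable name is the deployment's choice; FERNET_KEY in the prose is an assumption.
func loadFernetKey(envVar string) ([]byte, error) {
	return decodeFernetKey(os.Getenv(envVar)) // unset or malformed -> errInvalidKey
}

// fernetEncrypt seals plaintext (for example an OAuth refresh token) into a token.
func fernetEncrypt(key, plaintext []byte, now time.Time) (string, error) {
	if len(key) != 32 {
		return "", errInvalidKey
	}
	block, err := aes.NewCipher(key[16:])
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 always adds 1..16 bytes
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	tok := make([]byte, hdrLen, hdrLen+len(iv)+len(ct)+tagLen)
	tok[0] = fernetVersion
	binary.BigEndian.PutUint64(tok[1:], uint64(now.Unix()))
	tok = append(append(tok, iv...), ct...)
	mac := hmac.New(sha256.New, key[:16])
	mac.Write(tok)
	return base64.URLEncoding.EncodeToString(mac.Sum(tok)), nil // Sum appends the tag
}

// fernetDecrypt verifies the tag in constant time before touching anything else, then
// enforces the TTL (0 = no expiry) and a 60 s bound on future timestamps, then decrypts.
func fernetDecrypt(key []byte, token string, now time.Time, ttl time.Duration) ([]byte, error) {
	if len(key) != 32 {
		return nil, errInvalidKey
	}
	raw, err := base64.URLEncoding.DecodeString(token)
	if err != nil || len(raw) < hdrLen+2*aes.BlockSize+tagLen || raw[0] != fernetVersion {
		return nil, errInvalidToken
	}
	body, tag := raw[:len(raw)-tagLen], raw[len(raw)-tagLen:]
	mac := hmac.New(sha256.New, key[:16])
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errInvalidToken
	}
	ts := int64(binary.BigEndian.Uint64(body[1:hdrLen]))
	if ts > now.Unix()+60 || (ttl > 0 && ts+int64(ttl/time.Second) < now.Unix()) {
		return nil, errInvalidToken
	}
	iv, ct := body[hdrLen:hdrLen+aes.BlockSize], body[hdrLen+aes.BlockSize:]
	block, err := aes.NewCipher(key[16:])
	if err != nil || len(ct)%aes.BlockSize != 0 {
		return nil, errInvalidToken
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errInvalidToken
	}
	return pt[:len(pt)-pad], nil
}
```

Usage is `key, err := loadFernetKey("FERNET_KEY")`, then `fernetEncrypt(key, refreshToken, time.Now())` before the token is written to the database and `fernetDecrypt(key, stored, time.Now(), 0)` when a scan needs it. Two properties matter for the "encrypted at rest" claim: the HMAC is checked before any decryption, so a modified database row is rejected rather than decrypted, and the key is never in the row or the code, so a database dump alone does not yield usable tokens. Rotating the key means re-encrypting stored tokens under the new one; Fernet itself carries no key identifier.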

Hosting & Infrastructure

  • Hosted on Render.com (Render holds SOC 2 Type II certification)
  • Automatic security patching and container isolation
  • PostgreSQL database with encrypted connections
  • Container-level isolation - your data is separated from other accounts

Application Security

  • Security headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options
  • Rate limiting on all API endpoints
  • CSRF protection on OAuth flows
  • Session tokens are short-lived and securely rotated
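The security headers item in the list above, as an added example that is not the service's own code: a Go net/http middleware (an assumed stack; the page does not say what ComplianceAgent is built with) that sets HSTS, CSP, X-Frame-Options and X-Content-Type-Options on every response, plus a small audit function that reports which of those four headers are missing or weak in a response, which is the check a reviewer would run against a deployed endpoint. The CSP policy value and the thresholds in the audit (one-year HSTS minimum, no 'unsafe-inline') are assumptions chosen as conservative defaults.

```go
package main

import (
	"net/http"
	"strings"
)

// securityHeaders adds the response headers named on the page to every response.
// The CSP value is an assumed conservative default for a server-rendered dashboard;
// a real policy is tuned to the scripts, styles and frames the app actually uses.
func securityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		// HSTS: browsers refuse plain HTTP for this origin for two years (only meaningful over HTTPS).
		h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
		h.Set("Content-Security-Policy", "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'")
		h.Set("X-Frame-Options", "DENY")          // legacy clickjacking defence; frame-ancestors covers modern browsers
		h.Set("X-Content-Type-Options", "nosniff") // stop browsers MIME-sniffing responses
		next.ServeHTTP(w, r)
	})
}

// headerOrder is the fixed list the audit walks so its output is stable.
var headerOrder = []string{"Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options", "X-Content-Type-Options"}

// strongEnough holds one simple acceptance rule per header (assumed thresholds).
var strongEnough = map[string]func(v string) bool{
	"Strict-Transport-Security": func(v string) bool { return maxAge(v) >= 31536000 }, // at least one year
	"Content-Security-Policy":   func(v string) bool { return strings.Contains(v, "default-src") && !strings.Contains(v, "'unsafe-inline'") },
	"X-Frame-Options":           func(v string) bool { u := strings.ToUpper(v); return u == "DENY" || u == "SAMEORIGIN" },
	"X-Content-Type-Options":    func(v string) bool { return strings.EqualFold(v, "nosniff") },
}

// maxAge extracts the max-age directive from an HSTS value, or 0 if it is absent or malformed.
func maxAge(hsts string) int {
	for _, d := range strings.Split(hsts, ";") {
		d = strings.TrimSpace(d)
		if !strings.HasPrefix(strings.ToLower(d), "max-age=") {
			continue
		}
		n := 0
		for _, c := range d[len("max-age="):] {
			if c < '0' || c > '9' {
				return 0
			}
			n = n*10 + int(c-'0')
		}
		return n
	}
	return 0
}

// auditSecurityHeaders returns one line per header that is missing or fails its rule.
func auditSecurityHeaders(h http.Header) []string {
	var problems []string
	for _, name := range headerOrder {
		v := h.Get(name)
		switch {
		case v == "":
			problems = append(problems, name+": missing")
		case !strongEnough[name](v):
			problems = append(problems, name+": weak value "+v)
		}
	}
	return problems
}
```

Wrap the router once (`http.ListenAndServe(addr, securityHeaders(mux))`) rather than setting headers per handler, so a new route cannot silently ship without them; the audit function is the regression test for that. One caveat when TLS is terminated by the hosting platform's proxy, as it is on Render: the app still emits HSTS itself, since the proxy does not know the application's policy.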

Privacy Guarantees

Clear commitments - not vague promises.

We don't store full emails or documents

We scan content during a scan run through the Microsoft/Google API and store the results (scores, finding summaries, and fix guidance). We do not store full email/file content.

We never sell, share, or monetise your data

Your data is yours. We do not sell it or use it for advertising. We only share data with the subprocessors and infrastructure needed to deliver the service, as described in our policies and agreements.

We never modify anything in your account

We request read-only permissions. We cannot send emails on your behalf, delete files, or change any settings in your Microsoft 365 or Google Workspace.

You can revoke access at any time

Remove ComplianceAgent UK from your Microsoft or Google account security settings at any time. Once revoked, we can no longer access your data unless you reconnect later.

You can request account deletion

Email us at karimtaitt@complianceagentuk.com. We'll revoke access immediately and permanently delete your account data within 30 days (billing records may be retained where required by law).

We follow UK GDPR principles

We minimise data collection, maintain a lawful basis for processing, and publish our privacy and data processing terms. This is not a certification.

What We Store vs. What We Don't

Complete transparency about what's on our servers.

What We Store

  • Your name and email (from your sign-in)
  • An encrypted OAuth token (so we can scan on your behalf)
  • Your posture scores and scan history
  • The list of findings (issue title, severity, fix steps)
  • Your plan and billing info (handled by Stripe)

What We Never Store

  • Your emails or email content
  • Your files or documents
  • Your password (we use OAuth - we never see it)
  • Personal data found in your documents (we flag it, not save it)
  • Credit card numbers (Stripe handles all billing)

What Permissions Do We Request?

Here's exactly what we ask for - and why.

Microsoft 365 Permissions

Permission | What it does | Why we need it
Mail.Read | Read permitted mailbox content | To scan permitted mailbox content for personal data and phishing risks
Files.Read | Read your OneDrive files | To check documents for sensitive data
User.Read | Read your name and email | To create your account

All Microsoft permissions are read-only. We cannot send emails, edit files, or change any settings.

Google Workspace Permissions

Permission | What it does | Why we need it
gmail.readonly | Read permitted mailbox content | When Google mailbox scanning is enabled, this lets us check inbox content for phishing and sensitive-data risks
drive.readonly / drive.file | Read permitted Google Drive files | To scan connected or app-authorised files for sensitive data risks
userinfo.email | Read your email address | To create your account
userinfo.profile | Read your name | To personalise your dashboard

Exact Google scopes depend on the connected flow and the features you enable for that workspace. We only request read-only access for the mailbox and Drive data needed for the scan you choose.

What If Something Goes Wrong?

You deserve to know your options. Here's exactly what happens.

Your data exposure is minimal by design

We don't store your emails, files, or documents. Even in a worst-case breach scenario, there's no sensitive document content on our servers to expose. The most an attacker could access is your name, email address, and compliance scan results.

We'll notify you immediately

If we discover a security incident affecting your data, we will notify you without undue delay and provide updates in line with our legal obligations, including the UK GDPR timelines that apply to us.

You can cut us off instantly

Revoke ComplianceAgent's access from your Microsoft or Google account settings at any time. This immediately and permanently cuts all access. You don't need to contact us first.

We're legally accountable

ComplianceAgent UK is a UK-based business, bound by the UK GDPR and Data Protection Act 2018. We have a published Data Processing Agreement and you can file a complaint with the ICO if we fail our obligations.

Account deletion on request

Email karimtaitt@complianceagentuk.com. We'll revoke access immediately and permanently delete your account data within 30 days (billing records may be retained where required by law).

Current Assurance Status

What is active today, and what is planned next.

SOC 2 Type II (Security, Availability, Confidentiality): Not certified yet

We are not SOC 2 Type II certified yet. Current controls are listed on this page; formal independent audit is a planned milestone.

ISO 27001 (Information Security Management): Not certified yet

We are not ISO 27001 certified yet. Certification is a roadmap goal as the service and customer base mature.

Cyber Essentials (UK Government-backed scheme): In progress

UK Government baseline cyber standard. Work is underway; certification is not yet active.

UK GDPR Principles (Data Protection Act 2018): Active

We follow UK GDPR principles: data minimisation, lawful basis, transparent processing, and the right to erasure.

Common Security Questions

Questions we hear from companies before they connect.

Can you read our emails?
Yes - that's how we check for GDPR risks. But we only read them during the scan. We never store your email content, forward it, or share it with anyone. Once the scan is done, the content is gone from our system. We only keep the results (e.g. "We found a national insurance number in an email to John").

Could you send emails from our account?
No. We only request read-only permissions. It's technically impossible for us to send, delete, or modify anything in your email or files. You can verify this in your Microsoft 365 or Google admin panel.

What happens if you get hacked?
Because we don't store your email content or documents, there's nothing sensitive to steal. The OAuth tokens are encrypted, and even if compromised, they only grant read-only access. You can also revoke our access from your Microsoft/Google settings at any time, instantly cutting off any connection.

Where is our data stored?
Our infrastructure runs on Render.com, which provides SOC 2 compliant hosting. The database is PostgreSQL with encrypted connections and encrypted storage. Your scan results (scores, findings, fix steps) are stored there. Your actual emails and documents are never stored anywhere on our systems.

How do we remove ComplianceAgent from our account?
Microsoft 365: Go to myapps.microsoft.com, find ComplianceAgent UK, and click "Revoke".
Google: Go to myaccount.google.com/permissions, find ComplianceAgent UK, and click "Remove Access".

To request account deletion, email karimtaitt@complianceagentuk.com. We'll revoke access immediately and permanently delete your account data within 30 days (billing records may be retained where required by law).

Do you have SOC 2 or ISO 27001 certification?
Not yet. Today we run on SOC 2 compliant infrastructure (Render.com), encrypt data in transit and at rest, and follow UK GDPR principles. Cyber Essentials is in progress; SOC 2 and ISO 27001 are roadmap milestones.

Still Have Questions?

We're happy to answer any security questions before you connect. Email us or run your first live scan free - no commitment required.