Security & Data Handling

We built ComplianceAgent UK to help you protect your data, so protecting the data you entrust to us is our first priority. Here is exactly how we do it.

Our Security Promise

Read-Only Access

We request the narrowest permissions each provider offers for what we scan: read-only Microsoft Graph scopes, and on Google a per-file grant that covers only the files you choose to share with the app. We never ask for scopes that send mail or delete anything.

No Document Storage

We don't store full emails or files. Content is processed only during a scan run; what we keep is the results and minimal metadata (scores, finding summaries and remediation guidance).

You Stay in Control

Revoke access at any time from your Microsoft or Google account settings. The grant lives with your provider, not with us, so you can withdraw it without asking us first.

How Your Data Flows

Here's exactly what happens when you run a scan - step by step.

1. You sign in with Microsoft or Google

We use OAuth, the same delegated sign-in used by thousands of apps, so we never see or store your password. Your provider issues us a token limited to the scopes listed under "What Permissions Do We Request?" below; we keep that token encrypted so scans can run on your behalf, and it stops working once you revoke it.

2. We read your recent emails and files

Using that token, we pull recent emails (Microsoft 365) and documents through Microsoft's or Google's official APIs. On Google Workspace the scan covers the Drive files you grant to the app; we request no Gmail scope. The data travels over an encrypted connection (TLS 1.2+), and we don't persist full message or file content.

3. We analyse the content for risks

Our system checks for personal data exposure, phishing signals and data handling risks during the scan. We store the scan results (scores, finding summaries and fix steps), not full message or file content.

4. You get your results

We save your posture score, the list of issues found and the fix steps. That's it: no raw email content or full file content is stored on our servers.
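As an added illustration of the rule in steps 2 to 4 (this is example code written for this page, not ComplianceAgent UK's own scanner; the message id format, the finding fields and the remediation text are assumptions): a detector for UK National Insurance numbers that hands back a finding record containing the type of data found, how many times and where, while the matched values and the message body never leave the scan function. The `safe_to_persist` guard is the kind of check that enforces the promise immediately before a database write.

```python
import re
from dataclasses import dataclass, asdict

# UK National Insurance number: two prefix letters, six digits, suffix A to D.
# The first letter is never D, F, I, Q, U or V; the second letter additionally
# is never O; the prefixes BG, GB, NK, KN, TN, NT and ZZ are not issued.
_NINO_RE = re.compile(
    r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)"
    r"[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]"
    r" ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    """The only thing written to the database: what was found and where, never the value."""
    finding_type: str
    severity: str
    count: int
    locator: str      # provider message id (assumed format), enough to find the item again
    remediation: str


def detect_nino(text: str) -> list[str]:
    """Return the raw matches. These exist only in memory while the scan runs."""
    return _NINO_RE.findall(text)


def scan_message(message_id: str, body: str) -> list[Finding]:
    """Analyse one message body and return findings that are safe to persist."""
    matches = detect_nino(body)
    if not matches:
        return []
    return [
        Finding(
            finding_type="uk_national_insurance_number",
            severity="high",
            count=len(matches),
            locator=message_id,
            remediation=(
                "Remove the NI number from the message and keep it in a controlled "
                "HR or payroll system; confirm the recipient needed to receive it."
            ),
        )
    ]


def safe_to_persist(finding: Finding, body: str) -> bool:
    """Guard run before the database write: refuse any record that carries a
    detected value or a verbatim 20-character fragment of the message body."""
    record = " ".join(str(v) for v in asdict(finding).values())
    squashed = record.replace(" ", "")
    if any(m.replace(" ", "") in squashed for m in detect_nino(body)):
        return False
    for i in range(len(body) - 19):
        if body[i:i + 20] in record:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample message, not real data.
    msg_id = "AAMkAD-example-0042"
    body = "Hi Sam, my NI number is AB 12 34 56 C, please pass it to payroll."
    for f in scan_message(msg_id, body):
        assert safe_to_persist(f, body)
        print(asdict(f))
```

The regex accepts the spaced and unspaced forms people actually type; the guard is deliberately blunt (any reuse of a 20-character window of the body fails) because a persistence layer should refuse on doubt rather than reason about what is sensitive.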

Encryption & Infrastructure

The technical details, for those who want them.

Encryption in Transit

  • All connections use TLS 1.2 or higher (HTTPS everywhere)
  • HSTS headers enforce encrypted connections
  • API calls to Microsoft/Google use their official encrypted endpoints
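To verify the transport and header claims on this page for yourself, here is an added example (not ComplianceAgent UK's code) that audits a response's headers against the policy described here and under Application Security below: HSTS with at least a one-year max-age and includeSubDomains, nosniff, a CSP whose default and script sources do not allow 'unsafe-inline', and clickjacking protection via X-Frame-Options or CSP frame-ancestors. The two header sets are constructed for the demonstration; `fetch_headers` uses only the standard library to pull live headers when you pass a URL.

```python
from __future__ import annotations

import sys
import urllib.request

MIN_HSTS_AGE = 31536000  # one year, the floor for a credible HSTS policy

# Constructed header sets for the demonstration (not captured from any live site).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
}


def parse_hsts(value: str) -> dict[str, str | bool]:
    """'max-age=63072000; includeSubDomains' -> {'max-age': '63072000', 'includesubdomains': True}"""
    out: dict[str, str | bool] = {}
    for part in value.split(";"):
        part = part.strip().lower()
        if not part:
            continue
        key, _, val = part.partition("=")
        out[key.strip()] = val.strip().strip('"') if val else True
    return out


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP into {directive: [sources]}; directive names are case-insensitive."""
    out: dict[str, list[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    problems: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        problems.append("missing Strict-Transport-Security")
    else:
        policy = parse_hsts(hsts)
        try:
            age = int(policy.get("max-age", 0))
        except ValueError:
            age = 0
        if age < MIN_HSTS_AGE:
            problems.append(f"HSTS max-age {age} below {MIN_HSTS_AGE}")
        if "includesubdomains" not in policy:
            problems.append("HSTS lacks includeSubDomains")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        problems.append("X-Content-Type-Options is not 'nosniff'")

    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    if csp is None:
        problems.append("missing Content-Security-Policy")
    else:
        if "default-src" not in csp:
            problems.append("CSP has no default-src fallback")
        for name in ("default-src", "script-src"):
            if "'unsafe-inline'" in csp.get(name, []):
                problems.append(f"CSP {name} allows 'unsafe-inline'")

    xfo = h.get("x-frame-options", "").strip().upper()
    framed_ok = xfo in ("DENY", "SAMEORIGIN") or (csp is not None and "frame-ancestors" in csp)
    if not framed_ok:
        problems.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    return problems


def fetch_headers(url: str) -> dict[str, str]:
    """Fetch live response headers with a HEAD request (network access required)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else WEAK_HEADERS
    for problem in audit_headers(headers) or ["all header checks passed"]:
        print(problem)
```

Run it as `python audit.py https://example.invalid/` against the site you are evaluating; a header that is present but weak (a short HSTS max-age, a CSP that permits inline scripts) is reported separately from one that is missing, because the two have different fixes.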

Encryption at Rest

  • OAuth tokens are encrypted at rest with Fernet (authenticated encryption: AES-128-CBC with an HMAC-SHA256 tag, so an altered ciphertext is rejected rather than decrypted)
  • Encryption keys are supplied as environment variables, never in code, and are held separately from the database that stores the ciphertext
  • The database uses the encrypted storage provided by our hosting platform
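The token-at-rest pattern above, as an added example written for this page (not ComplianceAgent UK's own code; the environment variable name TOKEN_ENCRYPTION_KEYS and its comma-separated, newest-first layout are assumptions). Fernet comes from the Python cryptography package; MultiFernet lets a new key be introduced and old ciphertexts re-encrypted in place, so the key can be rotated without a reconnect from every customer, and a tampered, truncated or foreign blob comes back as "reconnect required" rather than as garbage.

```python
from __future__ import annotations

import os
from cryptography.fernet import Fernet, InvalidToken, MultiFernet

KEY_ENV = "TOKEN_ENCRYPTION_KEYS"  # assumed variable name: comma-separated Fernet keys, newest first


def new_key() -> str:
    """Generate a fresh Fernet key (32 random bytes, urlsafe-base64 encoded)."""
    return Fernet.generate_key().decode()


def load_keyring(env_value: str) -> MultiFernet:
    """Build a keyring from the environment value. Encryption always uses the first
    key; decryption tries each key in turn, which is what makes rotation possible."""
    keys = [k.strip() for k in env_value.split(",") if k.strip()]
    if not keys:
        raise RuntimeError("no token encryption key configured")
    return MultiFernet([Fernet(k.encode()) for k in keys])


def load_keyring_from_env() -> MultiFernet:
    """Fail closed at startup rather than running with a missing key."""
    value = os.environ.get(KEY_ENV)
    if not value:
        raise RuntimeError(f"{KEY_ENV} is not set; refusing to start")
    return load_keyring(value)


def encrypt_token(keyring: MultiFernet, oauth_token: str) -> bytes:
    """Ciphertext for the database column: timestamp, random IV, ciphertext and HMAC.
    The key itself never goes near the database."""
    return keyring.encrypt(oauth_token.encode())


def decrypt_token(keyring: MultiFernet, blob: bytes) -> str | None:
    """Return the plaintext token, or None if the blob was altered, truncated, or
    encrypted under a key not in the ring. Callers treat None as 'reconnect required'."""
    try:
        return keyring.decrypt(blob).decode()
    except InvalidToken:
        return None


def rotate_blob(keyring: MultiFernet, blob: bytes) -> bytes:
    """Re-encrypt an existing blob under the current primary key, so the old key can
    be dropped from the environment once every stored row has been rotated."""
    return keyring.rotate(blob)


if __name__ == "__main__":
    # Constructed demo with a stand-in token, never a real credential.
    ring = load_keyring(new_key())
    stored = encrypt_token(ring, "example-refresh-token-not-real")
    print(stored)
    print(decrypt_token(ring, stored))
```

Rotation is a two-step operation: prepend the new key to the variable and redeploy (old blobs still decrypt, new ones use the new key), then run `rotate_blob` over every row and finally remove the old key.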

Hosting & Infrastructure

  • Hosted on Render.com, a SOC 2 compliant platform (Render's attestation covers their infrastructure, not this application; see Current Assurance Status below)
  • Automatic security patching and container isolation of the application runtime
  • PostgreSQL database reached only over encrypted connections
  • Per-account separation: your records are never mixed with or returned to another customer's account

Application Security

  • Security headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options
  • Rate limiting on all API endpoints
  • CSRF protection on OAuth flows
  • Session tokens are short-lived and securely rotated
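As an added example of the CSRF protection on the OAuth flow and of the sign-in step described under How Your Data Flows (example code for this page, not ComplianceAgent UK's own; the client id, redirect URI and session dictionary are assumptions, while the authorize endpoint shown is the public Microsoft identity platform one): the login request carries a random `state` bound to the user's server-side session plus a PKCE code challenge, and the callback is accepted only if the state matches in constant time, has not expired and has not been used before. `unexpected_scopes` then compares what the provider actually granted against what was requested, which is how an app confirms it never ended up with more than the scopes listed under "What Permissions Do We Request?" below.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

STATE_TTL_SECONDS = 600          # a login that takes longer than this is abandoned
MS_AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"


class CallbackError(Exception):
    """Raised when the redirect back from the provider must not be trusted."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(verifier)) without padding."""
    return _b64url(hashlib.sha256(verifier.encode()).digest())


def begin_login(session: dict, client_id: str, redirect_uri: str, scopes: list[str],
                authorize_endpoint: str = MS_AUTHORIZE) -> str:
    """Store a fresh state and PKCE verifier in the server-side session and build the
    authorize URL. The state is the CSRF token: only this session can complete it."""
    state = _b64url(secrets.token_bytes(32))
    verifier = _b64url(secrets.token_bytes(64))     # 86 chars, inside RFC 7636's 43..128
    session["oauth_login"] = {"state": state, "verifier": verifier, "issued": time.time()}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def finish_login(session: dict, callback_url: str, now: float | None = None) -> dict:
    """Validate the provider's redirect. Returns the code and verifier for the token
    exchange, or raises CallbackError. The pending login is consumed on first use."""
    pending = session.pop("oauth_login", None)     # single use: a replayed callback fails
    if pending is None:
        raise CallbackError("no login in progress for this session")
    query = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if "error" in query:
        raise CallbackError(f"provider returned error: {query['error']}")
    # Constant-time compare; a forged or missing state is the CSRF case this defends against.
    if not hmac.compare_digest(query.get("state", "").encode(), pending["state"].encode()):
        raise CallbackError("state mismatch: callback was not started by this session")
    if (now if now is not None else time.time()) - pending["issued"] > STATE_TTL_SECONDS:
        raise CallbackError("login attempt expired")
    if not query.get("code"):
        raise CallbackError("authorization code missing")
    return {"code": query["code"], "code_verifier": pending["verifier"]}


def query_params(url: str) -> dict[str, str]:
    """Helper for inspecting the URL built by begin_login."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def unexpected_scopes(token_response: dict, requested: list[str]) -> set[str]:
    """Scopes the provider granted that were not requested; should be empty. Both the
    Microsoft identity platform and Google return a space-separated 'scope' field."""
    return set(token_response.get("scope", "").split()) - set(requested)


if __name__ == "__main__":
    # Constructed walk-through with a throwaway session dict; no network calls are made.
    session: dict = {}
    scopes = ["Mail.Read", "Files.Read", "User.Read"]
    url = begin_login(session, "client-id-placeholder", "https://app.example/callback", scopes)
    state = query_params(url)["state"]
    print(finish_login(session, f"https://app.example/callback?code=demo-code&state={state}"))
    print(unexpected_scopes({"scope": "Mail.Read Files.Read User.Read Mail.Send"}, scopes))
```

The `state` is compared with `hmac.compare_digest` and popped from the session before any other check, so an attacker who tricks a victim's browser into visiting the callback with the attacker's own code cannot bind that code to the victim's account, and a leaked callback URL cannot be replayed.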

Privacy Guarantees

Clear commitments - not vague promises.

We don't store full emails or documents

We scan content during a scan run through the Microsoft/Google API and store the results (scores, finding summaries, and fix guidance). We do not store full email/file content.

We never sell, share, or monetise your data

Your data is yours. We don't sell it, use it for advertising, or give third parties access to it. The only processors that touch it are the ones needed to run the service and named on this page: the Microsoft or Google APIs you connect, Render.com for hosting and Stripe for billing.

We never modify anything in your account

We request read-only permissions on Microsoft 365 and a per-file grant on Google Workspace, and our scanner only ever reads. We cannot send emails on your behalf, delete your files or change any settings in your Microsoft 365 or Google Workspace tenant.

You can revoke access at any time

Remove ComplianceAgent UK from your Microsoft or Google account security settings at any time. Once revoked, we can no longer access your data unless you reconnect later.

You can request account deletion

Email us at hello@complianceagent.uk. We'll revoke access immediately and permanently delete your account data within 30 days (billing records may be retained where required by law).

We follow UK GDPR principles

We minimise data collection, maintain a lawful basis for processing, and publish our privacy and data processing terms. This is not a certification.

What We Store vs. What We Don't

Complete transparency about what's on our servers.

What We Store

  • Your name and email (from your sign-in)
  • An encrypted OAuth token (so we can scan on your behalf)
  • Your posture scores and scan history
  • The list of findings (issue title, severity, fix steps)
  • Your plan and billing info (handled by Stripe)

What We Never Store

  • Your emails or email content
  • Your files or documents
  • Your password (we use OAuth - we never see it)
  • Personal data found in your documents (we record that a type of data was found, not the data itself)
  • Credit card numbers (Stripe handles all billing)

What Permissions Do We Request?

Here's exactly what we ask for - and why.

Microsoft 365 Permissions

Permission | What it does | Why we need it
Mail.Read | Read your emails | To scan for personal data and phishing risks
Files.Read | Read your OneDrive files | To check documents for sensitive data
User.Read | Read your name and email | To create your account

All three are read-only Microsoft Graph delegated permissions: with them, the API rejects any request from our app to send mail, edit files or change settings.

Google Workspace Permissions

Permission | What it does | Why we need it
drive.file | Access only the files you grant to the app | To scan user-selected or app-authorised files for sensitive data risks
userinfo.email | Read your email address | To create your account
userinfo.profile | Read your name | To personalise your dashboard

We request the minimum scopes Google offers for this. Two points worth knowing: drive.file is a per-file grant rather than a Drive-wide read-only scope, so it lets the app read (and, technically, modify) only the files you explicitly open or select with ComplianceAgent UK, and our scanner uses it only to read; and we request no Gmail scope, so on Google Workspace only the files you grant are scanned, not your mailbox.

What If Something Goes Wrong?

You deserve to know your options. Here's exactly what happens.

Your data exposure is minimal by design

We don't store your emails, files or documents, so even in a worst-case breach there is no document content on our servers to expose. What an attacker could reach is your name and email address, your scan results (scores and finding summaries) and the encrypted OAuth tokens. The tokens are useless without the separately held encryption key, and you can invalidate them at any moment by revoking access from your provider.

We'll notify you immediately

If we ever discover a security incident that affects your data, we will notify you by email within 72 hours. UK GDPR Article 33 requires us to report a notifiable breach to the ICO within 72 hours, and Article 34 requires us to tell affected individuals without undue delay; we hold ourselves to the 72-hour clock for both. No hiding, no delays.

You can cut us off instantly

Revoke ComplianceAgent UK's access from your Microsoft or Google account settings at any time; you don't need to contact us first. Revocation invalidates the refresh token we hold, so we can obtain no further access, and any access token already issued expires on its own within about an hour.

We're legally accountable

ComplianceAgent UK is a UK-based business, bound by the UK GDPR and Data Protection Act 2018. We have a published Data Processing Agreement and you can file a complaint with the ICO if we fail our obligations.

Account deletion on request

Email hello@complianceagent.uk. We'll revoke access immediately and permanently delete your account data within 30 days (billing records may be retained where required by law).

Current Assurance Status

What is active today, and what is planned next.

SOC 2 Type II

Security, Availability, Confidentiality

Not certified yet

We are not SOC 2 Type II certified yet. Current controls are listed on this page; formal independent audit is a planned milestone.

ISO 27001

Information Security Management

Not certified yet

We are not ISO 27001 certified yet. Certification is a roadmap goal as the service and customer base mature.

Cyber Essentials

UK Government-backed scheme

In progress

UK Government baseline cyber standard. Work is underway; certification is not yet active.

UK GDPR Principles

Data Protection Act 2018

Active

We follow UK GDPR principles: data minimisation, lawful basis, transparent processing, and the right to erasure.

Common Security Questions

Questions we hear from companies before they connect.

Can you read our emails?
Yes, for Microsoft 365 mailboxes; that is how we check for GDPR risks. On Google Workspace we request no Gmail scope, so only the Drive files you grant are scanned. We read messages only during the scan and never store, forward or share their content. Once the scan is done the content is gone from our system; we keep only the finding (e.g. "a National Insurance number was found in an outbound email") together with the reference needed to locate that message, never the number itself or the message body.
Could you send emails from our account?
No. On Microsoft 365 we hold only read-only scopes, so the Graph API refuses any attempt by our app to send, delete or modify mail or files. On Google we request no Gmail scope at all, so sending mail is impossible, and drive.file limits us to the individual files you grant. You can verify the permissions granted to ComplianceAgent UK in your Microsoft 365 or Google Workspace admin console.
What happens if you get hacked?
Because we don't store your email content or documents, a breach of our servers would not expose them directly. The most sensitive things we hold are the encrypted OAuth tokens: an attacker would need both the database and the separately held encryption key, and even then could only read, never change, data through the provider APIs, and only until you revoke access. That is why revocation stays in your hands in your Microsoft/Google settings and takes effect without any action from us.
Where is our data stored?
Our infrastructure runs on Render.com, which provides SOC 2 compliant hosting. The database is PostgreSQL with encrypted connections and encrypted storage. Your scan results (scores, findings, fix steps) are stored there. Your actual emails and documents are never stored anywhere on our systems.
How do we remove ComplianceAgent from our account?
Microsoft 365: Go to myapps.microsoft.com, find ComplianceAgent UK, and click "Revoke".
Google: Go to myaccount.google.com/permissions, find ComplianceAgent UK, and click "Remove Access".

To request account deletion, email hello@complianceagent.uk. We'll revoke access immediately and permanently delete your account data within 30 days (billing records may be retained where required by law).
Do you have SOC 2 or ISO 27001 certification?
Not yet. Today we run on SOC 2 compliant infrastructure (Render.com), encrypt data in transit and at rest, and follow UK GDPR principles. Cyber Essentials is in progress; SOC 2 and ISO 27001 are roadmap milestones.

Still Have Questions?

We're happy to answer any security questions before you connect. Email us or run your first live scan free - no commitment required.