Product Privacy Notice

SafeScan Privacy Notice

This notice describes in detail what personal and organisational data SafeScan reads from your Microsoft 365 tenant, why it reads it, how it is processed, and how both LogiSam and your organisation remain compliant with UK GDPR and applicable data-protection law.

Effective: 27 June 2026
Processor: LogiSam Ltd
UK GDPR Article 28
Read-only · No content access

At a Glance — Key Facts

Data Controller: Your organisation (the SafeScan customer)
Data Processor: LogiSam Ltd, registered in England & Wales
What SafeScan reads: M365 tenant metadata only — user lists, permissions, policy configurations
What SafeScan never reads: File content, emails, Teams messages, or any personal documents
Data stored by LogiSam? No — scan results are processed in-session and returned to you only
Privacy contact

  Contents

  1. Who we are and the controller/processor relationship
  2. What SafeScan accesses — Microsoft Graph permissions
  3. What SafeScan never accesses
  4. Why we process this data — lawful basis
  5. How scan data flows and is handled
  6. Data retention — what is stored and for how long
  7. Sub-processors and third-party services
  8. Security measures
  9. International data transfers
  10. Rights of data subjects
  11. Data Processing Agreement (DPA)
  12. Changes to this notice
  13. Contact and complaints

1 Who We Are and the Controller / Processor Relationship

LogiSam Ltd ("we", "LogiSam", "SafeScan") is a company registered in England and Wales. We operate SafeScan, an M365 Security Scanner that connects to your Microsoft 365 tenant via the Microsoft Graph API to analyse tenant configuration, permission settings, identity settings, and security posture — with the goal of identifying risks before Microsoft Copilot is deployed.

Under UK GDPR, the roles are as follows:

| Party | GDPR Role | Responsibilities |
|---|---|---|
| Your organisation (the SafeScan customer) | Data Controller | Determines the purpose and means of processing personal data in your M365 tenant. You instruct SafeScan to run the scan. You decide what remediation steps to take. |
| LogiSam Ltd | Data Processor | Processes M365 tenant metadata solely on your documented instruction — to generate the SafeScan security report. We do not determine the purpose or use the data for any other end. |
| Microsoft Corporation | Sub-processor (via Azure / Graph API) | Hosts the M365 tenant and provides the Graph API through which SafeScan reads metadata. Governed by Microsoft's own Data Processing Addendum. |

Because SafeScan processes data on your behalf, a Data Processing Agreement (DPA) under UK GDPR Article 28 is required between LogiSam and your organisation before a scan is run on a production tenant. See Section 11 for details.

2 What SafeScan Accesses — Microsoft Graph Permissions

SafeScan uses application-level Microsoft Graph API permissions with read-only scope. The following permissions are requested during tenant consent. All permissions are Read only — SafeScan has no write or modify access to your tenant at any time.

Every Graph permission listed below is scoped to read configuration and metadata only. SafeScan reads who has access to what and how policies are configured — it never reads the content of files, emails, chats, or documents.

User.Read.All
Application · Read

Reads the list of user accounts in your tenant: display names, UPNs, account status (enabled/disabled), last sign-in timestamps, assigned licences, and department. Used to identify inactive accounts, unlicensed users, and privilege accumulation.

Directory.Read.All
Application · Read

Reads directory objects including groups, service principals, and app registrations. Used to detect over-provisioned groups, external guest memberships, and third-party app access grants.

RoleManagement.Read.Directory
Application · Read

Reads Entra ID (Azure AD) role assignments. Used to identify which users hold privileged roles (Global Admin, Exchange Admin, SharePoint Admin, etc.) and to flag role sprawl or unconventional assignments.

Policy.Read.All
Application · Read

Reads Conditional Access policies, authentication policies, MFA registration status, and token lifetime configurations. Used to identify MFA gaps and weak authentication policies.

Sites.Read.All
Application · Read

Reads SharePoint site metadata, sharing configurations, and external sharing settings. Specifically: site-level permissions and sharing links. Does not read the content of any documents, lists, or pages stored in SharePoint.

Files.Read.All
Application · Read

Reads OneDrive and SharePoint file metadata only — file names, sharing permissions, and access control lists. Used to detect files shared with "Everyone" or the entire organisation. File content is never read or accessed.

Group.Read.All
Application · Read

Reads Microsoft 365 group memberships and guest access settings. Used to identify groups with overly broad external membership that could expose data when Copilot is activated.

AuditLog.Read.All
Application · Read

Reads the sign-in audit logs and directory audit logs. Used to identify inactive accounts (no sign-in in 90+ days) and recent privileged role assignments — a key indicator of insider threat or compromised admin credentials.

What the permissions are NOT used for

The permissions above are limited strictly to the security scan purposes described. SafeScan does not use these permissions to:

3 What SafeScan Never Accesses

The following data categories are never accessed by SafeScan under any circumstances. These exclusions are enforced both by the narrow Graph permissions granted (no permission exists to access this content) and by the design of the application itself.

SafeScan is a security scanner, not a data reader. It analyses who has access to what — it never reads the content of what they have access to.

| Data Category | Why it is excluded |
|---|---|
| Email content (message bodies, attachments, subject lines) | SafeScan holds no Mail.Read permission. Exchange mailbox content is entirely out of scope. |
| Teams messages and chat content | No Chat.Read or ChannelMessage.Read.All permission is requested or granted. |
| Document and file content | Files.Read.All is used to read permission metadata only; SafeScan never downloads or reads the content of any document, spreadsheet, or presentation. |
| SharePoint page and list item content | Sites.Read.All reads site-level sharing configuration only — not the content of pages, lists, libraries, or forms. |
| Calendar events and meeting content | No Calendars.Read permission. Meeting titles, attendees, and event content are never accessed. |
| HR or People data (performance reviews, salaries, disciplinary records) | SafeScan reads standard directory attributes (name, UPN, department, licence) — not HR system data, even where HR is integrated with M365. |
| Password hashes or credential data | MFA status is read from policy metadata only. No credential or authentication secret is ever accessible via the Graph API. |
| User profile photos | Not requested and not processed. |

4 Why We Process This Data — Lawful Basis

As a Data Processor, LogiSam processes M365 tenant metadata only on the documented instruction of your organisation (the Data Controller). The lawful bases under UK GDPR that your organisation will typically rely on as Data Controller include:

| Processing Activity | Lawful Basis (UK GDPR Article 6) | Notes |
|---|---|---|
| Scanning user account metadata (names, UPNs, licence status, last sign-in) | Article 6(1)(f) — Legitimate interests | Legitimate interest: protecting the organisation's systems and ensuring Microsoft Copilot is deployed securely. Data subjects are employees; reasonable expectation of IT security monitoring in an employment context. |
| Reading admin role assignments and privileged access | Article 6(1)(f) — Legitimate interests | Necessary to protect the organisation from insider threat and over-privileged accounts. Proportionate given that admin role data is already managed by your IT team. |
| Reading Conditional Access and MFA policy configurations | Article 6(1)(c) — Legal obligation (where applicable) and Article 6(1)(f) | Many organisations have a legal or contractual obligation to maintain MFA. Scanning for MFA gaps supports this obligation. |
| Reading file and site sharing metadata | Article 6(1)(f) — Legitimate interests | Identifying overpermissioned sharing protects the organisation and individuals whose data may be exposed. Proportionate: metadata only, not content. |
| Reading sign-in audit logs to identify inactive accounts | Article 6(1)(f) — Legitimate interests | Stale accounts are a significant security risk. Audit log review is a standard and expected IT security measure. |

Legitimate interests assessment (LIA): Your organisation should complete a LIA before using SafeScan if you process employee data under Article 6(1)(f). LogiSam can provide a template LIA on request — email privacy@copilot-365.com.

5 How Scan Data Flows and Is Handled

Step-by-step data flow

  1. Consent grant: Your Global Administrator grants SafeScan the Microsoft Graph permissions listed in Section 2 during an admin consent flow within your M365 tenant. This produces an OAuth 2.0 application token scoped to read metadata in your tenant.
  2. Scan execution: SafeScan uses the token to make read-only Graph API calls to Microsoft's servers. Data is retrieved into SafeScan's Azure-hosted scan engine.
  3. Analysis: The retrieved metadata is analysed in-memory against SafeScan's 285-point security check ruleset to produce findings.
  4. Report delivery: The findings are compiled into a security report and returned to the authorised user who initiated the scan — via the SafeScan web interface or, if configured, via secure email.
  5. Purge: The raw metadata retrieved from your tenant is not persisted to disk or database. It is held in memory only for the duration of analysis and released when the scan completes.

No tenant data is stored on LogiSam's systems beyond the duration of the scan. The scan report itself (the output, not the raw data) is retained in your SafeScan account for the period described in Section 6.
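To make the analysis step concrete, here is an added example (not SafeScan's or LogiSam's code) of a metadata-only posture check of the kind Sections 2 and 5 describe: it projects user records onto an allow-list of directory attributes, flags enabled accounts with no sign-in in 90+ days, lists holders of privileged directory roles, and flags files exposed through tenant-wide or anonymous sharing links, returning only the findings so the raw records can be discarded. The sample records are constructed to follow the shape of Microsoft Graph responses for /users (with signInActivity), /directoryRoles (with members expanded) and drive-item permissions; the field names are real Graph properties but every value is invented, and the fixed scan clock, the 90-day threshold, the set of "broad" link scopes and all function names are this example's own assumptions.

```python
"""Metadata-only M365 posture checks over constructed Graph-shaped records.

Added illustration, not SafeScan's code. Field names follow Microsoft Graph
property names; all values below are invented sample data.
"""
from datetime import datetime, timedelta, timezone

# Fixed scan clock so the sample data gives deterministic results (assumption).
NOW = datetime(2026, 6, 27, tzinfo=timezone.utc)
INACTIVE_DAYS = 90  # mirrors the "no sign-in in 90+ days" rule in the notice

# Attributes a metadata-only scanner would request via $select. Nothing
# outside this allow-list (mail, chat, file content) is ever requested.
USER_FIELDS = ("id", "displayName", "userPrincipalName", "accountEnabled",
               "department", "assignedLicenses", "signInActivity")

# Sharing-link scopes treated as "shared with everyone" (assumption).
BROAD_LINK_SCOPES = {"anonymous", "organization"}

# Constructed sample: shape follows GET /users?$select=...,signInActivity
SAMPLE_USERS = [
    {"id": "u1", "displayName": "Alice Example", "userPrincipalName": "alice@contoso.example",
     "accountEnabled": True, "department": "IT", "assignedLicenses": [{"skuId": "sku-e5"}],
     "signInActivity": {"lastSignInDateTime": "2026-06-20T08:00:00Z"}},
    {"id": "u2", "displayName": "Bob Example", "userPrincipalName": "bob@contoso.example",
     "accountEnabled": True, "department": "Finance", "assignedLicenses": [{"skuId": "sku-e3"}],
     "signInActivity": {"lastSignInDateTime": "2026-01-05T09:30:00Z"}},
    {"id": "u3", "displayName": "Svc Legacy", "userPrincipalName": "svc-legacy@contoso.example",
     "accountEnabled": True, "department": "", "assignedLicenses": [],
     "signInActivity": {}},  # account has never signed in
    {"id": "u4", "displayName": "Carol Leaver", "userPrincipalName": "carol@contoso.example",
     "accountEnabled": False, "department": "HR", "assignedLicenses": [],
     "signInActivity": {"lastSignInDateTime": "2025-02-01T10:00:00Z"}},  # already disabled
]

# Constructed sample: shape follows GET /directoryRoles?$expand=members
SAMPLE_ROLES = [
    {"displayName": "Global Administrator", "members": [{"id": "u1"}, {"id": "u2"}]},
    {"displayName": "Exchange Administrator", "members": [{"id": "u2"}]},
]

# Constructed sample: shape follows GET /drives/{id}/items/{id}/permissions
SAMPLE_ITEMS = [
    {"name": "Board-minutes.docx",
     "permissions": [{"link": {"scope": "organization", "type": "view"}}]},
    {"name": "Budget.xlsx",
     "permissions": [{"grantedToV2": {"user": {"displayName": "Alice Example"}}, "roles": ["read"]}]},
]


def project(record, allowed):
    """Keep only allow-listed fields, mirroring a $select projection."""
    return {k: v for k, v in record.items() if k in allowed}


def parse_graph_time(value):
    """Graph returns ISO-8601 UTC timestamps with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def inactive_accounts(users, now=NOW, days=INACTIVE_DAYS):
    """UPNs of enabled accounts with no sign-in within `days` (or never)."""
    cutoff = now - timedelta(days=days)
    findings = []
    for raw in users:
        u = project(raw, USER_FIELDS)
        if not u.get("accountEnabled"):
            continue  # disabled accounts are not a stale-access risk
        last = u.get("signInActivity", {}).get("lastSignInDateTime")
        if last is None or parse_graph_time(last) < cutoff:
            findings.append(u["userPrincipalName"])
    return findings


def privileged_accounts(users, roles):
    """Map each UPN holding a directory role to the roles it holds."""
    upn_by_id = {u["id"]: u["userPrincipalName"] for u in users}
    holders = {}
    for role in roles:
        for member in role["members"]:
            holders.setdefault(upn_by_id[member["id"]], []).append(role["displayName"])
    return holders


def broadly_shared_items(items):
    """Names of items carrying an anonymous or organisation-wide sharing link."""
    return [item["name"] for item in items
            if any(p.get("link", {}).get("scope") in BROAD_LINK_SCOPES
                   for p in item["permissions"])]


def run_scan(users, roles, items, now=NOW):
    """Analyse metadata in memory and return only the findings (steps 3 to 5 above)."""
    report = {
        "inactive_accounts": inactive_accounts(users, now),
        "privileged_accounts": privileged_accounts(users, roles),
        "broadly_shared_items": broadly_shared_items(items),
    }
    report["finding_count"] = sum(len(v) for v in report.values())
    return report  # callers keep the report; the raw records go out of scope here


if __name__ == "__main__":
    print(run_scan(SAMPLE_USERS, SAMPLE_ROLES, SAMPLE_ITEMS))
```

Two design points carry the notice's data-minimisation claim into code: `project` drops any attribute not on the allow-list before a rule ever sees it, and `run_scan` returns only derived findings, so nothing persists once the raw lists fall out of scope.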

Where processing takes place

SafeScan's application servers are hosted on Microsoft Azure in the UK South region. All data retrieved from your tenant is processed within the UK, remaining within the EEA/UK for the duration of the scan. See Section 9 for international transfer details.

Scan authentication and access control

The OAuth token generated at consent time is:

6 Data Retention — What Is Stored and For How Long

| Data Item | Stored? | Retention Period | Reason |
|---|---|---|---|
| Raw M365 metadata (user lists, policy configs, permissions) | Not stored | Memory only; purged when scan completes | Data minimisation — no downstream purpose requires storage of raw metadata |
| Scan report (findings and remediation roadmap) | Stored | Duration of subscription + 90 days, then permanently deleted | Allows you to access historical scan results, track remediation progress, and compare over time |
| OAuth access token | Stored encrypted | Until consent is revoked by your admin, or subscription ends | Required to re-run scans on your tenant without re-consenting each time |
| Scan audit log (who ran a scan, when, from which IP) | Stored | 12 months from log generation | Security incident investigation and compliance evidence for your organisation |
| Account data (name, email of SafeScan account holder) | Stored | Duration of subscription + 7 years | Contractual and financial record-keeping obligations under HMRC guidance and the Limitation Act 1980 |

When retention periods expire, data is deleted using cryptographic erasure from Azure Storage. You may request earlier deletion of scan reports and raw account data by contacting privacy@copilot-365.com. Deletion requests will be actioned within 30 days.

7 Sub-Processors and Third-Party Services

We use a small number of sub-processors to operate SafeScan. We maintain written data-processing agreements with each sub-processor as required by UK GDPR Article 28(4). We will notify you of any material changes to this list at least 30 days in advance.

| Sub-Processor | Country | Purpose | Data transferred |
|---|---|---|---|
| Microsoft Azure (UK South) | United Kingdom | Hosting SafeScan application servers, databases, and encrypted token storage (Key Vault) | Scan reports, encrypted OAuth tokens, account data, audit logs |
| Microsoft Corporation (Graph API) | United States (via UK datacenter) | API through which SafeScan reads your M365 tenant metadata | Read-only metadata queries; governed by Microsoft's DPA and Standard Contractual Clauses |
| SendGrid / Azure Communication Services | United States | Transactional email delivery (scan completion notifications, account emails) | Recipient name and email address only. No scan content is included in transactional emails unless you configure report-by-email. |

SafeScan does not use any analytics, advertising, or data-brokering third parties. No tenant metadata or scan findings are shared with any party not listed above.

8 Security Measures

LogiSam implements appropriate technical and organisational security measures in accordance with UK GDPR Article 32 and the principle of security by design. Key controls applicable to SafeScan include:

Technical controls

Organisational controls

9 International Data Transfers

SafeScan processes data in the UK by default (Azure UK South). However, some data flows to the United States via sub-processors. The following safeguards are in place:

| Transfer | Destination | Safeguard |
|---|---|---|
| Microsoft Graph API calls | US-based Microsoft servers (data processed in UK datacenters) | Microsoft's EU/UK Standard Contractual Clauses and Data Processing Addendum; Microsoft is UK GDPR Article 46 compliant |
| Transactional email (SendGrid) | United States | UK International Data Transfer Agreement (IDTA) / Standard Contractual Clauses; name and email address only |

No special-category data or scan-report content is transferred outside the UK/EEA as part of standard operation.

10 Rights of Data Subjects

The personal data SafeScan processes (primarily employee user accounts and directory metadata) belongs to individuals whose rights under UK GDPR are important. Because your organisation is the Data Controller, data subjects (your employees) should exercise their rights through your organisation's HR or data-protection contact, not directly through LogiSam.

However, as processor, LogiSam will assist your organisation to honour data-subject requests (UK GDPR Article 28(3)(e)) within a reasonable timeframe and without charge in normal circumstances. Rights include:

| Right | What it means for SafeScan data | How to exercise |
|---|---|---|
| Right to Access | Employees may request a copy of any personal data SafeScan holds about them. In practice, SafeScan holds only what is visible in the scan report — which contains tenant-level metadata your IT team can readily extract. | Via your organisation's DPO |
| Right to Rectification | If scan data is inaccurate (e.g., an incorrect last sign-in date due to a Graph API bug), you can request a rescan or manual correction. Underlying directory data should be corrected in Entra ID directly. | Via your organisation's DPO |
| Right to Erasure | Request deletion of all SafeScan data relating to an individual. LogiSam will delete that individual's data from stored scan reports within 30 days of receiving a documented controller instruction. | Via your organisation's DPO |
| Right to Restriction | Processing can be restricted by revoking the SafeScan OAuth consent from your Entra ID admin panel — this immediately halts any further tenant data access. | Via your M365 Admin / DPO |
| Right to Portability | Scan reports can be exported in JSON or PDF format from the SafeScan interface at any time, giving you a machine-readable copy of all processed findings. | Via SafeScan export |
| Right to Object | Where processing is based on legitimate interests, individuals may object. Your organisation (as controller) must assess whether compelling legitimate grounds override the objection in the context of security monitoring. | Via your organisation's DPO |

11 Data Processing Agreement (DPA)

UK GDPR Article 28 requires that a written contract (a DPA) is in place between a data controller and any processor that processes personal data on their behalf. Before SafeScan is used on a production M365 tenant containing personal data about real individuals, a DPA between your organisation and LogiSam Ltd must be executed.

Our standard SafeScan Data Processing Agreement is available on request. It covers: subject matter and duration, nature and purpose of processing, type of personal data and categories of data subjects, obligations and rights of the controller, and sub-processor arrangements. Email privacy@copilot-365.com to request a copy.

The DPA specifies that LogiSam will:

12 Changes to This Notice

We will update this notice if the data SafeScan processes changes materially — for example, if new Graph permissions are required for new scan features. Material changes will be communicated to active SafeScan customers via email at least 30 days before they take effect. Non-material clarifications (e.g., rewording for clarity without substantive change) may be updated without advance notice. The "Effective" date at the top of this page always reflects the most recent substantive change.

Continued use of SafeScan after a material change takes effect constitutes acceptance of the updated notice, unless you notify us that you object within the 30-day period.

13 Contact and Complaints

If you have a question about this notice, wish to exercise a data-subject right, or want to request the SafeScan DPA, please contact us:

LogiSam Ltd — Privacy & Data Protection

We aim to respond to all privacy enquiries within 5 business days. For data-subject rights requests made through us as processor, we will liaise with your organisation's DPO.

Supervisory authority

If you believe LogiSam has handled personal data unlawfully, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

We would always appreciate the opportunity to address your concern directly before you contact the ICO.

This notice should be read alongside the main Copilot 365 Privacy Notice, which covers all personal data processed by LogiSam Ltd across the copilot-365.com website and its full suite of products and services.