Contents
- Who we are and the controller/processor relationship
- What SafeScan accesses — Microsoft Graph permissions
- What SafeScan never accesses
- Why we process this data — lawful basis
- How scan data flows and is handled
- Data retention — what is stored and for how long
- Sub-processors and third-party services
- Security measures
- International data transfers
- Rights of data subjects
- Data Processing Agreement (DPA)
- Changes to this notice
- Contact and complaints
1 Who We Are and the Controller / Processor Relationship
LogiSam Ltd ("we", "LogiSam", "SafeScan") is a company registered in England and Wales. We operate SafeScan, an M365 Security Scanner that connects to your Microsoft 365 tenant via the Microsoft Graph API to analyse tenant configuration, permission settings, identity settings, and security posture — with the goal of identifying risks before Microsoft Copilot is deployed.
Under UK GDPR, the roles are as follows:
| Party | GDPR Role | Responsibilities |
|---|---|---|
| Your organisation (the SafeScan customer) | Data Controller | Determines the purpose and means of processing personal data in your M365 tenant. You instruct SafeScan to run the scan. You decide what remediation steps to take. |
| LogiSam Ltd | Data Processor | Processes M365 tenant metadata solely on your documented instruction — to generate the SafeScan security report. We do not determine the purpose or use the data for any other end. |
| Microsoft Corporation | Sub-processor (via Azure / Graph API) | Hosts the M365 tenant and provides the Graph API through which SafeScan reads metadata. Governed by Microsoft's own Data Processing Addendum. |
Because SafeScan processes data on your behalf, a Data Processing Agreement (DPA) under UK GDPR Article 28 is required between LogiSam and your organisation before a scan is run on a production tenant. See Section 11 for details.
2 What SafeScan Accesses — Microsoft Graph Permissions
SafeScan uses application-level Microsoft Graph API permissions with read-only scope. The following permissions are requested during tenant consent. All permissions are read-only: SafeScan has no write or modify access to your tenant at any time.
Every Graph permission listed below is scoped to read configuration and metadata only. SafeScan reads who has access to what and how policies are configured — it never reads the content of files, emails, chats, or documents.
- Reads the list of user accounts in your tenant: display names, UPNs, account status (enabled/disabled), last sign-in timestamps, assigned licences, and department. Used to identify inactive accounts, unlicensed users, and privilege accumulation.
- Reads directory objects including groups, service principals, and app registrations. Used to detect over-provisioned groups, external guest memberships, and third-party app access grants.
- Reads Entra ID (Azure AD) role assignments. Used to identify which users hold privileged roles (Global Admin, Exchange Admin, SharePoint Admin, etc.) and to flag role sprawl or unconventional assignments.
- Reads Conditional Access policies, authentication policies, MFA registration status, and token lifetime configurations. Used to identify MFA gaps and weak authentication policies.
- Reads SharePoint site metadata, sharing configurations, and external sharing settings. Specifically: site-level permissions and sharing links. Does not read the content of any documents, lists, or pages stored in SharePoint.
- Reads OneDrive and SharePoint file metadata only: file names, sharing permissions, and access control lists. Used to detect files shared with "Everyone" or the entire organisation. File content is never read or accessed.
- Reads Microsoft 365 group memberships and guest access settings. Used to identify groups with overly broad external membership that could expose data when Copilot is activated.
- Reads the sign-in audit logs and directory audit logs. Used to identify inactive accounts (no sign-in in 90+ days) and recent privileged role assignments, a key indicator of insider threat or compromised admin credentials.
What the permissions are NOT used for
The permissions above are limited strictly to the security scan purposes described. SafeScan does not use these permissions to:
- Build profiles of individual employees beyond what is visible in the scan report
- Monitor ongoing user behaviour or activity over time
- Access or read any personal communications
- Train machine-learning models
- Share tenant data with any third party other than those listed in Section 7
3 What SafeScan Never Accesses
The following data categories are never accessed by SafeScan under any circumstances. These exclusions are enforced both by the narrow Graph permissions granted (SafeScan holds no permission that would allow access to this content) and by the design of the application itself.
SafeScan is a security scanner, not a data reader. It analyses who has access to what — it never reads the content of what they have access to.
| Data Category | Why it is excluded |
|---|---|
| Email content (message bodies, attachments, subject lines) | SafeScan holds no Mail.Read permission. Exchange mailbox content is entirely out of scope. |
| Teams messages and chat content | No Chat.Read or ChannelMessage.Read.All permission is requested or granted. |
| Document and file content | Files.Read.All is used to read permission metadata only; SafeScan never downloads or reads the content of any document, spreadsheet, or presentation. |
| SharePoint page and list item content | Sites.Read.All reads site-level sharing configuration only — not the content of pages, lists, libraries, or forms. |
| Calendar events and meeting content | No Calendars.Read permission. Meeting titles, attendees, and event content are never accessed. |
| HR or People data (performance reviews, salaries, disciplinary records) | SafeScan reads standard directory attributes (name, UPN, department, licence) — not HR system data, even where HR is integrated with M365. |
| Password hashes or credential data | MFA status is read from policy metadata only. No credential or authentication secret is ever accessible via the Graph API. |
| User profile photos | Not requested and not processed. |
4 Why We Process This Data — Lawful Basis
As a Data Processor, LogiSam processes M365 tenant metadata only on the documented instruction of your organisation (the Data Controller). The lawful bases under UK GDPR that your organisation will typically rely on as Data Controller include:
| Processing Activity | Lawful Basis (UK GDPR Article 6) | Notes |
|---|---|---|
| Scanning user account metadata (names, UPNs, licence status, last sign-in) | Article 6(1)(f) — Legitimate interests | Legitimate interest: protecting the organisation's systems and ensuring Microsoft Copilot is deployed securely. Data subjects are employees; reasonable expectation of IT security monitoring in an employment context. |
| Reading admin role assignments and privileged access | Article 6(1)(f) — Legitimate interests | Necessary to protect the organisation from insider threat and over-privileged accounts. Proportionate given that admin role data is already managed by your IT team. |
| Reading Conditional Access and MFA policy configurations | Article 6(1)(c) — Legal obligation (where applicable) and Article 6(1)(f) | Many organisations have a legal or contractual obligation to maintain MFA. Scanning for MFA gaps supports this obligation. |
| Reading file and site sharing metadata | Article 6(1)(f) — Legitimate interests | Identifying overpermissioned sharing protects the organisation and individuals whose data may be exposed. Proportionate: metadata only, not content. |
| Reading sign-in audit logs to identify inactive accounts | Article 6(1)(f) — Legitimate interests | Stale accounts are a significant security risk. Audit log review is a standard and expected IT security measure. |
Legitimate interests assessment (LIA): Your organisation should complete a LIA before using SafeScan if you process employee data under Article 6(1)(f). LogiSam can provide a template LIA on request — email privacy@copilot-365.com.
5 How Scan Data Flows and Is Handled
Step-by-step data flow
- Consent grant: Your Global Administrator grants SafeScan the Microsoft Graph permissions listed in Section 2 during an admin consent flow within your M365 tenant. This produces an OAuth 2.0 application token scoped to read metadata in your tenant.
- Scan execution: SafeScan uses the token to make read-only Graph API calls to Microsoft's servers. Data is retrieved into SafeScan's Azure-hosted scan engine.
- Analysis: The retrieved metadata is analysed in-memory against SafeScan's 285-point security check ruleset to produce findings.
- Report delivery: The findings are compiled into a security report and returned to the authorised user who initiated the scan — via the SafeScan web interface or, if configured, via secure email.
- Purge: The raw metadata retrieved from your tenant is not persisted to disk or database. It is held in memory only for the duration of analysis and released when the scan completes.
No tenant data is stored on LogiSam's systems beyond the duration of the scan. The scan report itself (the output, not the raw data) is retained in your SafeScan account for the period described in Section 6.
Where processing takes place
SafeScan's application servers are hosted on Microsoft Azure in the UK South region. All data retrieved from your tenant is processed within the UK, remaining within the EEA/UK for the duration of the scan. See Section 9 for international transfer details.
Scan authentication and access control
The OAuth token generated at consent time is:
- Stored encrypted at rest within Azure Key Vault, scoped to your organisation's SafeScan account
- Never shared with any other customer, employee, or third party
- Revocable at any time from your Entra ID enterprise applications panel by removing the SafeScan consent
- Valid only for the Graph permissions explicitly granted — it cannot be used to access any other data or service
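Sections 2 and 5 describe the consent as a set of read-only Graph application permissions that your admin grants and can inspect or revoke. An admin can verify that claim independently in Entra ID by comparing the app roles assigned to the scanner's service principal against the Microsoft Graph app-role catalogue. The script below is an added example and is not SafeScan or LogiSam code: it performs that comparison offline on constructed JSON that mimics the shape of two real Graph responses (`appRoleAssignments` on the app's service principal, and `appRoles` on the Microsoft Graph service principal). The GUIDs are placeholders, not Microsoft's real app-role ids, and the classification relies only on the documented `Resource.Operation[.Constraint]` naming convention for Graph permissions.

```python
"""
Offline audit of an enterprise application's granted Microsoft Graph
application permissions: every grant should be read-only, and none should be
a permission the privacy notice says is never requested.

Added example, not SafeScan's own code. Sample data is constructed; the GUIDs
are placeholders rather than real Microsoft app-role ids.
"""
import json
import re

# Constructed sample of GET /servicePrincipals/{id}/appRoleAssignments for the
# scanner's service principal (fields trimmed to those used here).
APP_ROLE_ASSIGNMENTS = json.loads("""
{"value": [
  {"appRoleId": "11111111-0000-0000-0000-000000000001", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "11111111-0000-0000-0000-000000000002", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "11111111-0000-0000-0000-000000000003", "resourceDisplayName": "Microsoft Graph"},
  {"appRoleId": "11111111-0000-0000-0000-000000000004", "resourceDisplayName": "Microsoft Graph"}
]}
""")

# Constructed sample of the appRoles catalogue on the Microsoft Graph service
# principal (appId 00000003-0000-0000-c000-000000000000), which maps each
# appRole id to its permission string.
GRAPH_APP_ROLES = json.loads("""
[
  {"id": "11111111-0000-0000-0000-000000000001", "value": "Files.Read.All"},
  {"id": "11111111-0000-0000-0000-000000000002", "value": "Sites.Read.All"},
  {"id": "11111111-0000-0000-0000-000000000003", "value": "Mail.ReadWrite"},
  {"id": "11111111-0000-0000-0000-000000000004", "value": "Mail.Read"}
]
""")

# Permissions the notice states are never requested (Section 3).
NEVER_EXPECTED = {"Mail.Read", "Chat.Read", "ChannelMessage.Read.All", "Calendars.Read"}

# Graph permission strings follow Resource.Operation[.Constraint]; the
# operation segment distinguishes read from write.
_WRITE = re.compile(r"\.(ReadWrite|Write|Create|Delete|Manage|Send|Update)(\.|$)")
_READ_ONLY = re.compile(r"\.Read(Basic)?(\.|$)")


def classify(permission):
    """Return 'read-only', 'write' or 'unknown' for a Graph permission string."""
    if _WRITE.search(permission):
        return "write"
    if _READ_ONLY.search(permission):
        return "read-only"
    return "unknown"


def resolve_granted(assignments, catalogue):
    """Map granted appRoleIds to permission strings; unresolved ids are kept visible."""
    by_id = {role["id"]: role["value"] for role in catalogue}
    return [by_id.get(a["appRoleId"], f"<unresolved {a['appRoleId']}>")
            for a in assignments["value"]]


def audit(assignments, catalogue, never_expected=NEVER_EXPECTED):
    """Return findings; an empty list means every grant is read-only and expected."""
    findings = []
    for perm in resolve_granted(assignments, catalogue):
        kind = classify(perm)
        if kind != "read-only":
            findings.append(f"{perm}: {kind} permission granted to a read-only scanner")
        if perm in never_expected:
            findings.append(f"{perm}: granted although the notice says it is never requested")
    return findings


if __name__ == "__main__":
    for line in audit(APP_ROLE_ASSIGNMENTS, GRAPH_APP_ROLES) or ["no findings"]:
        print(line)
```

Against real tenant output, the same two responses can be pulled with the Microsoft Graph PowerShell module or a plain authenticated HTTPS client and fed to `audit()` unchanged; a non-empty result is the cue to review or revoke the consent from the Entra ID enterprise applications panel described above.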
6 Data Retention — What Is Stored and For How Long
| Data Item | Stored? | Retention Period | Reason |
|---|---|---|---|
| Raw M365 metadata (user lists, policy configs, permissions) | Not stored | Memory only; purged when scan completes | Data minimisation — no downstream purpose requires storage of raw metadata |
| Scan report (findings and remediation roadmap) | Stored | Duration of subscription + 90 days, then permanently deleted | Allows you to access historical scan results, track remediation progress, and compare over time |
| OAuth access token | Stored encrypted | Until consent is revoked by your admin, or subscription ends | Required to re-run scans on your tenant without re-consenting each time |
| Scan audit log (who ran a scan, when, from which IP) | Stored | 12 months from log generation | Security incident investigation and compliance evidence for your organisation |
| Account data (name, email of SafeScan account holder) | Stored | Duration of subscription + 7 years | Contractual and financial record-keeping obligations under HMRC guidance and the Limitation Act 1980 |
When retention periods expire, data is deleted using cryptographic erasure from Azure Storage. You may request earlier deletion of scan reports and raw account data by contacting privacy@copilot-365.com. Deletion requests will be actioned within 30 days.
7 Sub-Processors and Third-Party Services
We use a small number of sub-processors to operate SafeScan. We maintain written data-processing agreements with each sub-processor as required by UK GDPR Article 28(4). We will notify you of any material changes to this list at least 30 days in advance.
| Sub-Processor | Country | Purpose | Data transferred |
|---|---|---|---|
| Microsoft Azure (UK South) | United Kingdom | Hosting SafeScan application servers, databases, and encrypted token storage (Key Vault) | Scan reports, encrypted OAuth tokens, account data, audit logs |
| Microsoft Corporation (Graph API) | United States (via UK datacenter) | API through which SafeScan reads your M365 tenant metadata | Read-only metadata queries; governed by Microsoft's DPA and Standard Contractual Clauses |
| SendGrid / Azure Communication Services | United States | Transactional email delivery (scan completion notifications, account emails) | Recipient name and email address only. No scan content is included in transactional emails unless you configure report-by-email. |
SafeScan does not use any analytics, advertising, or data-brokering third parties. No tenant metadata or scan findings are shared with any party not listed above.
8 Security Measures
LogiSam implements appropriate technical and organisational security measures in accordance with UK GDPR Article 32 and the principle of security by design. Key controls applicable to SafeScan include:
Technical controls
- Encryption in transit: All API communications between SafeScan and Microsoft Graph use TLS 1.2 minimum. All access to the SafeScan web application is over HTTPS.
- Encryption at rest: OAuth tokens are encrypted using Azure Key Vault managed keys. Scan reports stored in Azure Blob Storage use server-side encryption (AES-256).
- Access control: SafeScan employs role-based access control (RBAC). Scan reports and tokens are accessible only to authenticated users in your organisation's SafeScan account.
- Tenant isolation: Each customer's data is logically isolated. Cross-tenant data access is architecturally prevented.
- No persistent raw data: Raw metadata retrieved from your tenant is never written to disk or a database — it is processed in memory only and purged on scan completion.
- Credential revocation: The OAuth consent can be revoked at any time from your Entra ID admin panel, immediately preventing any further access to your tenant.
Organisational controls
- LogiSam staff with access to production systems are subject to background checks and confidentiality obligations.
- Access to production infrastructure is restricted to a small number of authorised engineers and requires MFA.
- Security incidents affecting customer data will be notified to affected customers within 72 hours of LogiSam becoming aware, in line with UK GDPR Article 33.
9 International Data Transfers
SafeScan processes data in the UK by default (Azure UK South). However, some data flows to the United States via sub-processors. The following safeguards are in place:
| Transfer | Destination | Safeguard |
|---|---|---|
| Microsoft Graph API calls | US-based Microsoft servers (data processed in UK datacenters) | Microsoft's EU/UK Standard Contractual Clauses and Data Processing Addendum; Microsoft is UK GDPR Article 46 compliant |
| Transactional email (SendGrid) | United States | UK International Data Transfer Agreement (IDTA) / Standard Contractual Clauses; name and email address only |
No special-category data or scan-report content is transferred outside the UK/EEA as part of standard operation.
10 Rights of Data Subjects
The personal data SafeScan processes (primarily employee user accounts and directory metadata) relates to individuals who hold rights under UK GDPR. Because your organisation is the Data Controller, data subjects (your employees) should exercise their rights through your organisation's HR or data-protection contact, not directly through LogiSam.
However, as processor, LogiSam will assist your organisation to honour data-subject requests (UK GDPR Article 28(3)(e)) within a reasonable timeframe and without charge in normal circumstances. Rights include:
Right to Access
Employees may request a copy of any personal data SafeScan holds about them. In practice, SafeScan holds only what is visible in the scan report — which contains tenant-level metadata your IT team can readily extract.
Right to Rectification
If scan data is inaccurate (e.g., an incorrect last sign-in date due to a Graph API bug), you can request a rescan or manual correction. Underlying directory data should be corrected in Entra ID directly.
Right to Erasure
Request deletion of all SafeScan data relating to an individual. LogiSam will delete that individual's data from stored scan reports within 30 days of receiving a documented controller instruction.
Right to Restriction
Processing can be restricted by revoking the SafeScan OAuth consent from your Entra ID admin panel — this immediately halts any further tenant data access.
Right to Portability
Scan reports can be exported in JSON or PDF format from the SafeScan interface at any time, giving you a machine-readable copy of all processed findings.
Right to Object
Where processing is based on legitimate interests, individuals may object. Your organisation (as controller) must assess whether compelling legitimate grounds override the objection in the context of security monitoring.
11 Data Processing Agreement (DPA)
UK GDPR Article 28 requires that a written contract (a DPA) is in place between a data controller and any processor that processes personal data on their behalf. Before SafeScan is used on a production M365 tenant containing personal data about real individuals, a DPA between your organisation and LogiSam Ltd must be executed.
Our standard SafeScan Data Processing Agreement is available on request. It covers: subject matter and duration, nature and purpose of processing, type of personal data and categories of data subjects, obligations and rights of the controller, and sub-processor arrangements. Email privacy@copilot-365.com to request a copy.
The DPA specifies that LogiSam will:
- Process personal data only on documented instructions from your organisation
- Ensure all LogiSam personnel who access the data are bound by confidentiality
- Implement the security measures described in Section 8
- Assist your organisation in responding to data subject requests
- Assist with security audits, breach notifications, and DPIA requirements
- Delete or return all personal data at the end of the service relationship
- Provide evidence of compliance on reasonable request
12 Changes to This Notice
We will update this notice if the data SafeScan processes changes materially — for example, if new Graph permissions are required for new scan features. Material changes will be communicated to active SafeScan customers via email at least 30 days before they take effect. Non-material clarifications (e.g., rewording for clarity without substantive change) may be updated without advance notice. The "Effective" date at the top of this page always reflects the most recent substantive change.
Continued use of SafeScan after a material change takes effect constitutes acceptance of the updated notice, unless you notify us that you object within the 30-day period.
13 Contact and Complaints
If you have a question about this notice, wish to exercise a data-subject right, or want to request the SafeScan DPA, please contact us:
LogiSam Ltd — Privacy & Data Protection
We aim to respond to all privacy enquiries within 5 business days. For data-subject rights requests made through us as processor, we will liaise with your organisation's DPO.
Supervisory authority
If you believe LogiSam has handled personal data unlawfully, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
We would always appreciate the opportunity to address your concern directly before you contact the ICO.
This notice should be read alongside the main Copilot 365 Privacy Notice, which covers all personal data processed by LogiSam Ltd across the copilot-365.com website and its full suite of products and services.