Executive Summary: ComplyBar helps organisations identify, assess and manage information governance, compliance and data-handling risks across communications, repositories and business workflows. The platform is designed on a metadata-only model - structured governance signals are recorded, never the content itself. No email text, message body, document content, keystroke, or screenshot is collected or transmitted. Organisations retain full ownership and control of their information at all times.
Customer Data Ownership: Your organisation remains the owner and controller of its information. ComplyBar is designed to provide visibility into governance, compliance and information handling risks while minimising the collection and retention of content data. The platform is intended to support organisations in maintaining control of their own information assets.
Never Collected or Stored
- Email body or message text
- Typed content from compose windows
- File content or document text
- Keystrokes or screen recordings
- Browser history or visited URLs
- Subject lines or recipient addresses
- Third-party authentication tokens
- Uploaded file content after scanning
What Is Recorded
- Detection timestamp (UTC)
- Platform / channel name (Gmail, ChatGPT, …)
- Event type (warning shown, dismissed, …)
- Risk category labels - not the triggering text
- Severity level (Low, Medium, High)
- User identifier and organisation reference
- Governance category reference (not the triggering text)
- File name only - no content (repository scans)
Architectural Guarantees
In-Browser Detection
Rules are cached locally and scanning happens inside the browser tab. No message content is sent over the network.
Flexible Deployment Options
ComplyBar supports cloud-hosted, customer-controlled, private-cloud and customer-managed deployment models depending on organisational requirements.
Read-Only OAuth
Cloud drive connectors use read-only OAuth scopes. ComplyBar cannot modify or delete any files.
Ephemeral File Processing
Uploaded files are scanned in memory and discarded within seconds. They are never written to disk.
Tenant Isolation
Server-side filtering ensures no tenant can access another tenant's data, regardless of the request.
Secure Passwords
All credentials are hashed using industry-standard algorithms. Plaintext passwords are never stored.
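The in-browser detection model described above, shown as an added illustrative example in JavaScript. This is not ComplyBar's own code: the rule set, category labels, event field names and the allow-list guard are assumptions made for the example. What it demonstrates is the property the guarantee rests on: the text is scanned inside the tab, and the only object built for transmission carries the metadata fields listed under What Is Recorded, never the text that triggered the match.

```javascript
// Added example (not ComplyBar's implementation): in-browser detection that
// emits a metadata-only governance event. Rule set, category labels, event
// field names and the allow-list are assumptions made for illustration.

// Locally cached rules. Only the category label and severity of a match are
// ever placed in the event; the pattern and the matched text stay in the tab.
const LOCAL_RULES = [
  { id: "national-id", category: "Personal Identifier", severity: "High",
    pattern: /\b\d{13}\b/ },                       // 13-digit identity number shape
  { id: "card-number", category: "Payment Card Data", severity: "High",
    pattern: /\b(?:\d{4}[ -]?){3}\d{4}\b/ },       // 16-digit card number shape
  { id: "confidential", category: "Confidential Marker", severity: "Medium",
    pattern: /\bconfidential\b/i },
];

const SEVERITY_RANK = { Low: 1, Medium: 2, High: 3 };

// Fields that may leave the browser. Anything else is treated as content.
const ALLOWED_FIELDS = new Set([
  "timestamp", "platform", "eventType", "categories", "severity", "userId", "orgId",
]);

// Scan compose-window text locally and build the event to transmit.
// Returns null when no rule matches (nothing is recorded in that case).
function scanLocally(text, { platform, userId, orgId, now = () => new Date() }) {
  const categories = new Set();
  let severity = "Low";
  for (const rule of LOCAL_RULES) {
    if (rule.pattern.test(text)) {
      categories.add(rule.category);
      if (SEVERITY_RANK[rule.severity] > SEVERITY_RANK[severity]) severity = rule.severity;
    }
  }
  if (categories.size === 0) return null;
  return {
    timestamp: now().toISOString(),   // detection timestamp, UTC
    platform,                         // channel name, e.g. "Gmail"
    eventType: "warning_shown",
    categories: [...categories],      // governance category labels, not the triggering text
    severity,
    userId,
    orgId,
  };
}

// Transmission guard: rejects an event that carries any field outside the
// allow-list, or whose serialised form shares a fragment with the scanned text.
// The fragment check is a coarse tripwire that fails closed (rejects on doubt).
function isSafeToSend(event, scannedText) {
  if (!Object.keys(event).every((k) => ALLOWED_FIELDS.has(k))) return false;
  const serialised = JSON.stringify(event);
  for (let i = 0; i + 8 <= scannedText.length; i++) {
    if (serialised.includes(scannedText.slice(i, i + 8))) return false;
  }
  return true;
}
```

The guard is the part worth exercising in a review of any metadata-only design: serialise the event exactly as it would be sent and confirm the scanned text, subject line and recipients cannot appear in it, even when a rule matches.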
Capability Privacy Model
| Capability | Content Stored? | Data Retained | Notes |
| --- | --- | --- | --- |
| Communication Monitoring | No | Governance event metadata, risk category labels, severity level | Detection occurs entirely within the user's browser - no content leaves the device |
| Baseline Risk Assessment (Silent) | No | Same governance metadata as above - no warning shown to the user | Used to establish a risk baseline before active interventions are introduced |
| Individual File Compliance Check | No | File name, governance categories identified, compliance score | Files assessed within the platform and discarded after scoring - content not retained |
| Document Repository Assessment | No | Per-document governance scores and finding labels; aggregate governance scores | Documents assessed and discarded - no document content retained in records |
| Connected Drive Assessment (Automated) | No | Assessment record as above; read-only connection credential | Documents retrieved, assessed, and discarded - read-only access only; no files modified |
| Policy Document Analysis | Suggestions only | Generated improvement recommendations; review status per recommendation | Original policy document is not retained after analysis completes |
| Exception and Approval Management | Metadata | Justification provided by user, approval status, timestamps | User-submitted justification text stored for governance audit trail |
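The Tenant Isolation guarantee ("server-side filtering ensures no tenant can access another tenant's data regardless of the request") applied to the governance records in the table above, as an added example in JavaScript. This is illustrative code, not ComplyBar's implementation: the in-memory store, the record fields and the session shape are assumptions. The point it makes is that the tenant scope comes from the authenticated session and is applied before any other filter, so a tenant identifier supplied in the request is simply ignored.

```javascript
// Added example (not ComplyBar's code): server-side tenant scoping for
// metadata-only governance event records. Store, fields and session shape
// are assumptions; the records below are constructed sample data.
const EVENT_STORE = [
  { id: 1, orgId: "org-a", userId: "a1@example.com", severity: "High",   categories: ["Payment Card Data"] },
  { id: 2, orgId: "org-a", userId: "a2@example.com", severity: "Low",    categories: ["Confidential Marker"] },
  { id: 3, orgId: "org-b", userId: "b1@example.com", severity: "Medium", categories: ["Personal Identifier"] },
];

// The tenant is taken from the authenticated session only. Any orgId carried
// in the request's query parameters is ignored, so a caller cannot widen the
// scope by editing the request.
function listEvents(session, query = {}) {
  if (!session || typeof session.orgId !== "string" || session.orgId === "") {
    throw new Error("unauthenticated: no tenant in session");
  }
  const tenant = session.orgId;
  let rows = EVENT_STORE.filter((e) => e.orgId === tenant);   // scope first
  if (query.severity) rows = rows.filter((e) => e.severity === query.severity);
  return rows;
}

// Lookup by id goes through the same scoped list. A record belonging to
// another tenant is reported as not found rather than forbidden, so ids
// cannot be used to confirm that another tenant's record exists.
function getEvent(session, id) {
  return listEvents(session).find((e) => e.id === id) || null;
}
```

A useful test for any implementation of this guarantee is the tampered request: call the listing with a valid session for one tenant and a request that names a different tenant, and confirm the result set is identical to the untampered call.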
POPIA Alignment (South Africa)
Responsible Party
Your organisation is the Responsible Party. ComplyBar acts as Operator - processing governance metadata on your behalf only.
Data Minimisation
Only governance metadata is collected. Work email is the only personal data in records. No message content or document text is stored.
Information Officer Support
The governance audit trail directly supports the Information Officer's statutory POPIA obligations and incident reporting requirements.
Data Residency
Self-hosted, customer-managed cloud, and South Africa-hosted deployment options are available. All data stays within your chosen environment.
Recommended Pilot Approach
1. Demo Review: demo repository or test files - no live data
2. Limited User Group: selected department, full functionality, controlled scope
3. Metadata Assessment: silent baseline - risks measured without workflow disruption
4. Review Findings: review risk distribution and recommendations with your team
5. Decide on Rollout: active interventions, broader deployment, governance integration
Compliance Framework Alignment
GDPR / UK GDPR: The metadata-only model minimises personal data processing. The user identifier (typically a work email) is the only personal data in governance records. The deploying organisation is the data controller - no content data is transferred to third parties.
ISO 27001: The full governance audit trail supports systematic logging and monitoring requirements.
SOC 2: Systematic audit logging supports the Security and Availability service criteria.
Cyber Essentials: HTTPS-only communications; no elevated operating system permissions required.
Public Security Summary
This summary is intentionally high-level. Detailed architecture, controls, deployment configuration and full technical documentation can be shared under NDA or during a controlled pilot review.