Corstrate ยท Mailing

Reviewing a Corstrate Email Tool consent request?

This page is for IT administrators, security teams and Data Protection Officers who have received a Microsoft 365 admin consent request for the application Corstrate Email Tool. Everything you need to make a decision is here.

Quick facts

Application name
Corstrate Email Tool
Application (client) ID
905c5adb-20b1-4e7f-9d9b-3608e7639721
Publisher
Corstrate โœ“ Microsoft Publisher Verified
Application type
Public client (OAuth 2.0 Authorization Code with PKCE โ€” no client secret)
Account types
Multi-tenant โ€” delegated permissions only
Sending
Targeted B2B, one recipient per message, rate-limited (low hundreds/day per mailbox) โ€” not a bulk / mass-mailing tool
Data residency
European Union (primarily France: OVH Roubaix + Scaleway Paris)
Contact

Microsoft Graph permissions requested

All scopes are delegated (acting on behalf of the consenting user) โ€” not tenant-wide.

ScopePurpose
Mail.Send Send outreach emails from the consenting user's mailbox
Mail.ReadWrite Read inbound replies and move bounce / out-of-office notifications into dedicated sub-folders. No email is deleted or forwarded outside the mailbox.
User.Read Identify the signed-in user (display name, email)
offline_access Refresh access tokens silently (90 days) so the operator does not need to re-authenticate every hour
What the application does NOT do: no access to other mailboxes, no calendar / contacts / OneDrive / SharePoint / Teams access, no email deletion, no forwarding outside the mailbox, no tenant-level administrative permission required.

How to approve

Option 1 โ€” From the admin consent request notification

  1. Open Azure Portal โ†’ Microsoft Entra ID โ†’ Enterprise Applications โ†’ Admin consent requests
  2. Find the request for "Corstrate Email Tool"
  3. Review the justification submitted by the operator
  4. Click Approve (or Deny)

Option 2 โ€” Direct admin consent URL

If you prefer to grant consent directly without going through the request workflow, contact us at ijelassi@corstrate.com and we will send you a tenant-specific admin consent URL.

Option 3 โ€” Restrict to specific users via Conditional Access

You can scope the consent to a specific user or group, require multi-factor authentication, restrict to compliant devices, or apply any other Conditional Access policy. The application is fully compatible with Conditional Access.

How to revoke at any time

Access can be revoked instantly:

After revocation, existing tokens become invalid on the next refresh attempt (typically within one hour).

Frequently asked questions

Is this a bulk email or mass-mailing tool?

No. It sends targeted, individually personalised B2B outreach โ€” one recipient per message โ€” at a throttled, paced rate (typically low hundreds/day per mailbox), well within Exchange Online service limits (10,000 recipients/day, 30 messages/minute). It is not a newsletter or bulk-marketing blast. Campaigns are launched and supervised by a human operator, and the tool automatically suppresses opt-outs, hard-bounces and companies that already replied.

Was AI used to build this? Does any AI process our data?

AI-assisted coding tools were used during development (as in most modern software teams) โ€” to write source code, never to process data. The running application contains no AI/LLM component, and no customer or mailbox data is ever sent to any AI service (OpenAI, Anthropic, etc.). All code is human-reviewed, version-controlled and covered by an automated test suite. Source code review under NDA is available on request.

Why does the application need Mail.ReadWrite instead of just Mail.Read?

Mail.ReadWrite is required to move bounce notifications and out-of-office responses into dedicated sub-folders, so the operator's primary inbox stays clean. The application does not modify, delete or forward email content โ€” only the folder location of automated notification emails. If Mail.ReadWrite is strictly prohibited by your policy, the application can operate with Mail.Read only.

Can the application access mailboxes other than the one that consented?

No. All permissions are delegated (not application-level). The application acts strictly on behalf of the consenting user and can only access that user's own mailbox.

Where is our data physically stored?

All persistent Corstrate data is stored in the European Union, primarily in France: OVH Roubaix for the application database and Scaleway Paris for encrypted backups. Mailbox content itself remains in your Microsoft 365 tenant's residency region.

Do you use US-based sub-processors?

Cloudflare (US-HQ, GDPR-compliant, SCC-signed) is used for CDN, edge Workers and Pages โ€” TLS termination and routing only, no email content persisted at the edge. Microsoft (US-HQ) is the operator of Microsoft Graph API; mailbox content under Graph remains subject to your tenant's data residency. No other US-based sub-processor is used.

Is the application SOC 2 / ISO 27001 / HIPAA certified?

Corstrate does not currently hold formal third-party certifications. We can provide a security questionnaire response (SIG Lite, CAIQ or custom) on request. For organisations requiring a certified vendor, please contact us to discuss your specific compliance requirements.

How is data encrypted?

In transit: TLS 1.2+ (TLS 1.3 preferred). Backups at rest: age asymmetric encryption (X25519 + ChaCha20-Poly1305) with the private key held offline by Corstrate. OAuth refresh tokens on the operator's Mac: macOS Keychain encryption (AES-256, Secure Enclave-protected on M-series Macs).

What is the GDPR legal basis for processing our data?

For the personal data processed through the Corstrate Email Tool, Corstrate is the data controller and is responsible for GDPR compliance, as set out in our client contracts. The legal basis is typically legitimate interest (B2B prospecting, GDPR Article 6(1)(f)) or performance of a contract. Corstrate maintains Article 28 GDPR data-processing agreements with its sub-processors (see the sub-processors question).

What happens to our data if we terminate the engagement?

Operational data is deleted from the Corstrate database within 30 days of termination, or returned to the client in machine-readable format at the client's choice. Encrypted backups are automatically purged according to the backup retention policy (1 year), unless immediate accelerated deletion is requested.

What is your incident response timeline?

Detection to client notification: within 72 hours. Initial written incident report: within 7 days. Final closure report: within 30 days. Incident notification email: ijelassi@corstrate.com.

Can we self-host the application or audit the source code?

The Corstrate Email Tool backend is operated as a managed service; self-hosting by the client is not currently offered. However, the underlying database โ€” Teable Community Edition โ€” is open source (AGPL). Source code review of the Corstrate proprietary code under NDA is possible for organisations with specific assurance requirements.

For the complete FAQ (20+ questions) including additional topics like Defender for Cloud Apps integration, Conditional Access details, sub-processor change notification process, and admin consent URL format โ€” please download the Security Overview PDF or contact us directly.

Get in touch

Any question, any specific compliance requirement, any document not listed here โ€” we are happy to help.

โœ‰ Email ijelassi@corstrate.com