This page is for IT administrators, security teams and Data Protection Officers who have received a Microsoft 365 admin consent request for the application Corstrate Email Tool. Everything you need to make a decision is here.
905c5adb-20b1-4e7f-9d9b-3608e7639721All scopes are delegated (acting on behalf of the consenting user) โ not tenant-wide.
| Scope | Purpose |
|---|---|
Mail.Send |
Send outreach emails from the consenting user's mailbox |
Mail.ReadWrite |
Read inbound replies and move bounce / out-of-office notifications into dedicated sub-folders. No email is deleted or forwarded outside the mailbox. |
User.Read |
Identify the signed-in user (display name, email) |
offline_access |
Refresh access tokens silently (90 days) so the operator does not need to re-authenticate every hour |
If you prefer to grant consent directly without going through the request workflow, contact us at ijelassi@corstrate.com and we will send you a tenant-specific admin consent URL.
You can scope the consent to a specific user or group, require multi-factor authentication, restrict to compliant devices, or apply any other Conditional Access policy. The application is fully compatible with Conditional Access.
Access can be revoked instantly:
After revocation, existing tokens become invalid on the next refresh attempt (typically within one hour).
No. It sends targeted, individually personalised B2B outreach โ one recipient per message โ at a throttled, paced rate (typically low hundreds/day per mailbox), well within Exchange Online service limits (10,000 recipients/day, 30 messages/minute). It is not a newsletter or bulk-marketing blast. Campaigns are launched and supervised by a human operator, and the tool automatically suppresses opt-outs, hard-bounces and companies that already replied.
AI-assisted coding tools were used during development (as in most modern software teams) โ to write source code, never to process data. The running application contains no AI/LLM component, and no customer or mailbox data is ever sent to any AI service (OpenAI, Anthropic, etc.). All code is human-reviewed, version-controlled and covered by an automated test suite. Source code review under NDA is available on request.
Mail.ReadWrite instead of just Mail.Read?Mail.ReadWrite is required to move bounce notifications and out-of-office responses into dedicated sub-folders, so the operator's primary inbox stays clean. The application does not modify, delete or forward email content โ only the folder location of automated notification emails. If Mail.ReadWrite is strictly prohibited by your policy, the application can operate with Mail.Read only.
No. All permissions are delegated (not application-level). The application acts strictly on behalf of the consenting user and can only access that user's own mailbox.
All persistent Corstrate data is stored in the European Union, primarily in France: OVH Roubaix for the application database and Scaleway Paris for encrypted backups. Mailbox content itself remains in your Microsoft 365 tenant's residency region.
Cloudflare (US-HQ, GDPR-compliant, SCC-signed) is used for CDN, edge Workers and Pages โ TLS termination and routing only, no email content persisted at the edge. Microsoft (US-HQ) is the operator of Microsoft Graph API; mailbox content under Graph remains subject to your tenant's data residency. No other US-based sub-processor is used.
Corstrate does not currently hold formal third-party certifications. We can provide a security questionnaire response (SIG Lite, CAIQ or custom) on request. For organisations requiring a certified vendor, please contact us to discuss your specific compliance requirements.
In transit: TLS 1.2+ (TLS 1.3 preferred). Backups at rest: age asymmetric encryption (X25519 + ChaCha20-Poly1305) with the private key held offline by Corstrate. OAuth refresh tokens on the operator's Mac: macOS Keychain encryption (AES-256, Secure Enclave-protected on M-series Macs).
For the personal data processed through the Corstrate Email Tool, Corstrate is the data controller and is responsible for GDPR compliance, as set out in our client contracts. The legal basis is typically legitimate interest (B2B prospecting, GDPR Article 6(1)(f)) or performance of a contract. Corstrate maintains Article 28 GDPR data-processing agreements with its sub-processors (see the sub-processors question).
Operational data is deleted from the Corstrate database within 30 days of termination, or returned to the client in machine-readable format at the client's choice. Encrypted backups are automatically purged according to the backup retention policy (1 year), unless immediate accelerated deletion is requested.
Detection to client notification: within 72 hours. Initial written incident report: within 7 days. Final closure report: within 30 days. Incident notification email: ijelassi@corstrate.com.
The Corstrate Email Tool backend is operated as a managed service; self-hosting by the client is not currently offered. However, the underlying database โ Teable Community Edition โ is open source (AGPL). Source code review of the Corstrate proprietary code under NDA is possible for organisations with specific assurance requirements.
For the complete FAQ (20+ questions) including additional topics like Defender for Cloud Apps integration, Conditional Access details, sub-processor change notification process, and admin consent URL format โ please download the Security Overview PDF or contact us directly.
Any question, any specific compliance requirement, any document not listed here โ we are happy to help.