MFA requirement Select Mandatory for everyone Mandatory for sensitive roles Optional To decide
Required data hosting location Select European Union United Kingdom Specific country No stated restriction Unknown
Required email / activity retention
Required audit-log retention
Required controls
Microsoft single sign-on
Complete audit log
Export restrictions
IP / country restrictions
Approval for deletion
Automatic session timeout
Backups and recovery testing
Legal, contractual, GDPR, confidentiality, or client-specific obligations
What sensitive information is normally exchanged?
International travel and device security Define access controls for personnel travelling or operating in higher-risk environments.
Frequent travel and operational countries
Devices permitted to access the platform Select Company-managed devices only Managed and approved personal devices Any device with MFA Different rule by role
Current device-management service Select Microsoft Intune Another MDM / MAM service No device management Unknown
Required device compliance checks
Minimum supported OS and security patch level
Current approved application version
Block rooted or jailbroken devices
Device encryption enabled
Strong passcode, biometric unlock, and screen lock
Acceptable mobile threat-defense score
Native app and device attestation
Remote removal of corporate application data
Outdated or non-compliant device policy Select Block immediately Short update grace period, then block Read-only access during grace period Alert security team and require approval
Untrusted or public network policy Select Require always-on corporate VPN Block access outside trusted networks Allow with phishing-resistant MFA Allow read-only access Warn the user only
Temporary travel-access process Select Pre-approved country, dates, user, and device Manager approval for each trip Security-team approval for high-risk countries No special travel process
Offline access and local storage Select No offline data Encrypted metadata only Encrypted selected conversations with expiry Full offline access on managed devices
Lost or stolen device procedure
Countries, regions, IP types, or situations requiring a block or additional approval
Events in the immutable audit log
Sign-in, sign-out, failed access, and MFA
Conversation and attachment viewed
Attachment downloaded or exported
Reply, forward, draft, and approval
Assignment, status, priority, and deadline changes
User, role, integration, and security-policy changes
Device, app version, IP, country, and access-risk decision
Deletion, retention, restoration, and legal hold
Which actions should trigger immediate alerts, session revocation, or investigation?
Reliable OS, jailbreak, encryption, and device-risk enforcement requires managed-device compliance through Microsoft Intune/Entra or a native mobile app with device attestation. A normal browser cannot reliably determine whether a Wi-Fi network is public; the safer control is to require an approved VPN or trusted network.