Outlook Connector in Harvey: Security and Data Privacy

Learn how Harvey protects your organization's data when users connect their Outlook accounts and search their inboxes from Harvey, and what controls administrators have.

Last updated: Jun 16, 2026


Overview

Harvey's email connectors let individual users connect their own Outlook mailbox and search and retrieve their email directly from the Harvey web app and Harvey for Outlook. The integration is designed around three principles:

  • User-initiated access only. Harvey reads email content only when a user actively asks it to search or retrieve specific messages. There is no background scanning or bulk ingestion of any inbox.
  • No changes to your Outlook mailbox. Harvey never sends, forwards, deletes, or modifies existing emails. The only write Harvey makes is saving a reply draft to your own Drafts folder, and only after you review and approve it.
  • Admin-governed. Your IT administrator must approve Harvey's access at the organizational level before any individual user can connect.

This article covers:

  • How email access works and who can connect
  • What Harvey stores and for how long
  • Access control, admin consent, and revoking access
  • How sensitivity labels and protected content are handled
  • Privileged content and ethical walls
  • Protection against malicious emails
  • Audit logging and what administrators can see

How Email Access Works

Email access in Harvey requires two layers of approval before anything can be read:

  1. Organizational consent. Before any user can connect, Harvey's access must be approved at the organizational level. This happens through two separate approvals:
    1. Connector enablement (in Harvey). A workspace admin must enable the Outlook connector for your workspace.
    2. Tenant consent (in Microsoft Entra). If your Entra policy requires admin consent, a tenant admin grants Harvey access at the tenant level. If your tenant allows user consent instead, each user self-approves when they connect.
  2. Individual connection. Each user personally connects their own Outlook account from Harvey's Settings. Harvey can only access the mailbox of a user who has connected their own account. No one can connect or search another person's inbox through Harvey.

Once connected, Harvey accesses email only in response to an explicit user request, such as asking Harvey to find correspondence on a matter or retrieve a specific message. Search queries are sent to the Microsoft Graph API on behalf of the authenticated user, using that user's own credentials. This means Harvey can never see more than the user could see themselves.


What Harvey Stores and for How Long

Harvey never syncs, indexes, or copies your full Outlook inbox. Only the specific messages and attachments retrieved for your query are copied into Harvey's secure storage and indexed for that conversation, under the same retention as other files you add to Harvey:

  • When Harvey reads an email or attachment to support a conversation, that content is saved to your workspace's dedicated storage so users can click through to cited sources later, and it is subject to your workspace retention policy.
  • Search snippets aren't saved as separate documents. Full messages and attachments that Harvey retrieves while answering your question are stored for that conversation.
  • Search queries aren't separately indexed or cached. Your query is stored only as part of the conversation record and is subject to your workspace retention policy.

Retention

Stored email content follows your organization's workspace retention policy. In addition:

  • Each conversation stores its own copy of the email content that it read; that copy is deleted when the conversation is deleted or expires under your retention policy.
  • If the workspace itself is deleted, associated email content is removed.

Access Control and Revoking Access

Access Control

Your IT administrator must approve Harvey's access to your organization's mailboxes before any individual user can connect. Once approved, admins control who can connect at two levels:

  • Workspace level. The connector can be enabled or disabled for the entire workspace.
  • Per user or role. Admins can grant or revoke the Outlook permission for individual users or by role, and roles can map to your identity provider groups through SAML or SCIM.

A user can connect only when the workspace toggle is on and they have the per-user permission. Guest users are always blocked from connecting email accounts, regardless of these settings.

Revoking Access

Access can be revoked in three ways:

  • By the user. Users can disconnect their own email account at any time from Harvey's Settings. Disconnection takes effect immediately.
  • By a Microsoft administrator (in Entra ID). An admin can revoke Harvey's access to mailboxes from Entra ID, the same place the connection was approved. Harvey detects the revocation on its next token refresh and can no longer access the mailbox.
  • By a Harvey administrator (in Harvey). Removing a user from the Harvey workspace immediately and permanently deletes that user's Harvey login and all of their stored email-connector tokens.

Sensitivity Labels and Protected Content

Harvey evaluates a message's protection only when it fetches the full content of an email. Search results (subject line, sender, and snippet) are not checked.

Microsoft Sensitivity Labels (MIP)

When Harvey reads a labeled message, it records the label's name and identifier in the audit log; the message content (which Harvey treats as Customer Data) is never logged.

Labels don't block Harvey from reading the message: label taxonomies are defined differently by each organization, so a label alone isn't a reliable signal of sensitivity. Harvey notes which label was present for your audit trail, but doesn't interpret the label or change what it does based on it.

Information Rights Management (IRM)

Rights-managed messages are protected by Microsoft, not by a Harvey-side check; the Microsoft Graph API returns a placeholder body rather than the real content to any third-party application, so Harvey never receives the content to begin with.

Encrypted Messages and Attachments

Harvey skips content it cannot cryptographically read:

  • Opaque S/MIME-encrypted messages
  • Password-protected or certificate-encrypted attachments

For these, Harvey returns identifiers only (sender, subject, timestamp). No content is stored or passed to the AI. The AI receives a structured signal that the message could not be read because it is encrypted, and will typically explain this in its response.

In summary, labeled content is always readable by the Harvey app, whereas cryptographically unreadable content is always skipped.


Privileged Content and Ethical Walls

Attorney-Client Privilege

With email connectors, users search their own inbox, which is content they already have access to. The act of Harvey reading that content does not itself implicate privilege. The main consideration is downstream: if a user shares a Harvey conversation containing privileged email content, it becomes visible to whoever the conversation is shared with. Apply the same care to sharing Harvey conversations that you would to forwarding the underlying email.

To support oversight, Harvey's audit logs flag signals relevant to privilege, including whether a message's subject line contained common indicators of privileged content. Refer to Audit Logging below for more information.

Ethical Walls and Conflict Checks

If your organization uses ethical walls in Harvey, users must tag their query with the relevant client matter. Because emails are not mapped to client matters, an inbox search may surface any email the system deems relevant to the query, including messages related to other matters the user has access to in their own inbox. Users working under ethical wall policies should keep this in mind when searching their email and when sharing results.


Protection Against Malicious Emails

Email is a common vector for prompt injection, where a malicious message attempts to embed instructions for an AI system. Harvey uses several layered controls to protect against this:

  • Content and instruction separation. Email content is clearly separated from Harvey's instructions, so the AI understands it is reading data, not receiving commands.
  • Safe handling of links and images. Hidden tracking pixels are removed from emails before Harvey sees them, and Harvey ignores embedded images or external links from email content in its responses.
  • Isolated rendering. Email HTML is displayed inside a secure, isolated container that prevents scripts from running or data from being sent externally.

The AI's mailbox tools are strictly read-only, so a malicious email cannot cause Harvey to take any action in your mailbox. While Harvey can create a reply draft, it will only do so when you explicitly ask and will never send without an explicit user request.


Audit Logging

Harvey generates an audit record for every mailbox operation: searches, message reads, and attachment reads. Each record includes:

  • The user, workspace, operation type, outcome, and timestamp
  • Signals to support incident response, including whether the sender was from outside your organization, whether a sensitivity label was present, whether the message was encrypted, and whether the subject line contained common indicators of privileged content

Email and attachment content, and the AI's reasoning and output, are never written to the audit log. That content is persisted only in your organization's own storage, to enable citations and thread history.
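
The sketch below shows how a security team might triage an exported audit log using the signals listed above. It is an added example, not Harvey's code or export format: the JSON-lines layout, every field name, and the operation and outcome values are assumptions, and the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample records. Field names and values are assumptions for
# illustration; map them to the keys in your actual audit export.
SAMPLE_LOG = """\
{"ts":"2026-06-01T09:00:02Z","user":"a.lee","workspace":"ws-1","op":"search","outcome":"success"}
{"ts":"2026-06-01T09:00:05Z","user":"a.lee","workspace":"ws-1","op":"message_read","outcome":"success","external_sender":true,"label_present":false,"encrypted":false,"privileged_subject":false}
{"ts":"2026-06-01T09:00:09Z","user":"a.lee","workspace":"ws-1","op":"attachment_read","outcome":"success","external_sender":true,"label_present":false,"encrypted":false,"privileged_subject":false}
{"ts":"2026-06-01T09:14:40Z","user":"b.kim","workspace":"ws-1","op":"message_read","outcome":"success","external_sender":false,"label_present":true,"encrypted":false,"privileged_subject":true}
{"ts":"2026-06-01T09:20:11Z","user":"b.kim","workspace":"ws-1","op":"message_read","outcome":"skipped","external_sender":true,"label_present":false,"encrypted":true,"privileged_subject":false}
"""

READ_OPS = {"message_read", "attachment_read"}


def triage(log_text):
    """Return {user: {reason: count}} for read operations that merit review."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("op") not in READ_OPS:
            continue  # protection is evaluated on full reads, not on searches
        user = rec["user"]
        if rec.get("encrypted"):
            # Encrypted content is skipped, so nothing was stored or sent to the AI.
            findings[user]["encrypted_skipped"] += 1
            continue
        if rec.get("external_sender"):
            # Externally authored content was read: possible prompt-injection carrier.
            findings[user]["external_content_read"] += 1
        if rec.get("privileged_subject"):
            # Privileged-looking content now sits in a conversation that can be shared.
            findings[user]["privileged_content_read"] += 1
        if rec.get("label_present"):
            # Labels do not block reads; count them for the audit trail.
            findings[user]["labeled_content_read"] += 1
    return {user: dict(reasons) for user, reasons in findings.items()}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```
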


FAQs

Is our email content used to train Harvey's models?

No. Harvey's standard data usage policy applies: customer data is never used for model training.

Can email connectors be disabled for specific users or groups?

Yes. Beyond the workspace permission level, admins can grant or revoke the Outlook permission per user or per role, and roles can map to your identity provider groups through SAML or SCIM, so you can enable the connector for the workspace while limiting it to specific people or teams.

To connect, a user needs both the workspace permission and the per-user permission toggled on. The Outlook connector must also be made available to your workspace on Harvey's side. This is a rollout setting rather than an admin access control.