Qualead is built for demanding venues. This page centralises all the information your IT department needs to evaluate the solution.
Data flow architecture
Qualead never stores raw email content beyond immediate processing. Here is the complete flow, from receipt to reply.
Email received
Qualead receives a Microsoft Graph webhook notification. The email content is read via the Microsoft API — no permanent copy is made.
AI analysis
The text is sent to the Claude API (Anthropic) to extract the information that makes up the brief. Anthropic does not retain API data for training.
Calendar check
Qualead queries your Microsoft Graph calendars to verify availability. Read-only — no event creation or modification.
Draft & dashboard
A draft is created in your Outlook (writes only to drafts). The qualified brief is stored in Supabase EU, encrypted, siloed per venue.
Security measures
100% European hosting
Database hosted on Supabase on AWS eu-west-3 (Paris). No client data leaves the European Union. Supabase is SOC 2 Type II and ISO 27001 certified.
Microsoft OAuth 2.0 authentication
The Outlook connection uses Microsoft's OAuth 2.0 protocol exclusively. Qualead never stores your password. Access tokens are encrypted with AES-256 before being written to the database.
Sensitive data encryption
Microsoft tokens (access token, refresh token) are encrypted with a per-environment AES-256 key before any storage. Encryption keys are never held in the database.
Strict data isolation
Each venue has an isolated data space. Row Level Security (RLS) is enabled on all PostgreSQL tables — it is technically impossible for one account to access another's data.
AI & data privacy
Qualead uses the Anthropic Claude API. Per Anthropic's API usage policy, data transmitted via the API is not used to train models. No email content is retained by Anthropic.
No automatic sending
Qualead can never send an email on behalf of your team. Every generated reply is placed as a draft in Outlook. Sending is always manual, validated by a human team member.
Microsoft Graph API
Here are exactly the permissions Qualead requests when connecting to Microsoft 365, and why each one is needed.
Mail.Read
Detect incoming venue hire requests and read their content for AI analysis.
Mail.ReadWrite
Create the draft reply in your Outlook. Limited to drafts — Qualead never modifies your sent or received emails.
Calendars.Read
Check the availability of your spaces on connected calendars. Read-only — no event creation or modification.
User.Read
Retrieve the email address and Microsoft identifier of the connected user to associate with your Qualead account.
Qualead requests no access to your contacts, OneDrive files, Teams, or any other Microsoft 365 service.
Compliance
Data controller
Ellevate — publisher of Qualead. DPO contact available on request at qualead@ellevate.fr.
Legal basis for processing
Legitimate interest (Article 6.1.f GDPR) for processing incoming professional event requests. Contract (Article 6.1.b) for user account data.
Retention period
Briefs and leads are retained while the account is active. Deletion on request within 30 days. Technical logs are retained for 90 days.
Sub-processors
Supabase (EU hosting), Anthropic API (AI processing — API only, no retention), Microsoft Azure (OAuth), Vercel (deployment).
Data subject rights
The rights of access, rectification, deletion and portability can be exercised by email at qualead@ellevate.fr. Response guaranteed within 30 calendar days.
Article 30 Register
A processing register compliant with Article 30 of the GDPR is maintained and available on request for validation by your DPO or IT department.
We respond to any security questionnaire, audit request, or technical validation. Send us your questions directly.