Security FAQ
Security, privacy, and data handling practices for the Thomson Reuters CoCounsel M365 add-in for Outlook, including Microsoft Graph permissions, AI safety measures, and data protection controls.
M365 Add-ins
An M365 add-in is an extension that adds extra features or functionalities to Microsoft 365 applications, such as Word, Excel, PowerPoint, Outlook, and others. These add-ins enhance productivity, streamline workflows, or integrate external services directly into Microsoft 365 apps. This specific Thomson Reuters Add-in has been built for Microsoft Outlook.
The system follows the Limit Collection Principle by collecting or creating only the minimum amount of data needed
We add only the minimum data required to run the features of the application and deliver a great user experience. Users always control the features and can easily turn them off and adjust the application settings. The application transfers data from Outlook to CoCounsel, and we don’t aim to get any personal data. Data collection happens only when features need to have it to run, providing clear benefits to final users.
Systems implement safeguards for storing and transferring data, with defined security controls in place
- We encrypt personal and sensitive data using cryptography algorithms before storing it.
- We use secure APIs to pass the data between client and server (Thomson Reuters CoCounsel APIs).
- We rely on CoCounsel access tokens to identify the permissions for users to perform various actions on the main platform.
- Our application has a gateway that filters all requests for malicious content. We use encryption of data at rest and in transit, lock down our production environment with access only to authorized support and operations staff, and manage all resources with restricted access via our firewall and application gateway.
Microsoft Graph is required
We use Microsoft Graph REST APIs to turn on content interactions between Outlook and CoCounsel. Microsoft Graph adheres to the security and compliance standards of Microsoft 365, ensuring that data interactions are secure and comply with organizational policies. We get your consent to grant access at the 1st use of the application.
Microsoft Graph
access permissions are required. They are usually managed via Microsoft Entra
.Find the list of delegated permissions required in the following list:
- Contacts.Read- Read user contacts
- email- View users’ email address
- Mail.Read- Read user mail
- Mail.ReadWrite- Read and write access to user mail
- User.Read- Sign in and read the user profile
Mark 
Admin consent request
as No
for all of them. To grant access for your organization, follow the steps in this video.
AI features safety
Thomson Reuters employs a multi-faceted approach to protect traditional and generative AI models integrated as features within our product portfolio. To align our approach with multiple regulatory frameworks and follow Thomson Reuters' Data and AI Ethics Principles.
- We prioritize security and privacy in our use of data throughout the design, development, and deployment of our data and AI products and services.
- We strive to maintain meaningful human involvement and treat people fairly in our AI product and service design, development, and deployment.
- We aim to use data and design AI products and services that are reliable, consistent, and socially responsible. We implement and maintain accountability measures for our use of data and our AI products and services.
- We make the use of data and AI in our products and services understandable. We use employee data to ensure a safe and inclusive work environment and to ensure employee compliance with regulations and company policies.
- You remain in total control of the AI features and can turn off them at any time.
How Thomson Reuters uses LLMs
LLMs are used under Thomson Reuters rules and guidance. We try to keep sensitive data out of LLM workflows, and when a use case might involve sensitive data, we escalate it for review by our Model Ethics Committee. We also built an internal LLM/AI tool for employees and encourage teams to use it when they build and improve products.
note
More details are available at Thomson Reuters AI Security Governance Whitepaper.
Thomson Reuters doesn't train generative AI models on User Content or User Prompts
Your User Content and User Prompts:
- Aren't used to train or improve CoCounsel Core v2.
- Aren't used to train or improve any 3rd party gen AI LLMs (OpenAI GPT or Google Gemini).
- Aren't used in output for another 3rd party or Thomson Reuters.
- Aren't stored by Open AI GPT or Google Gemini.
How Thomson Reuters uses User Content, User Prompts, Output, and Usage Information
Data Types | Improve the product | Train Gen Al models |
|---|---|---|
User Content | No | No |
User Prompts | No | No |
Usage Information | Yes | No |
Al Outputs | No | No |
Thomson Reuters ensures that User Content and User Input aren't trained in generative AI LLMs
Thomson Reuters has established contractual obligations, and where systemic, controls to turn off 3rd-party abuse monitoring solutions to prevent human access or inclusion in their models.
Thomson Reuters uses testing and product mechanisms to mitigate hallucinations
Thomson Reuters experts rigorously test CoCounsel skills. The product also uses a Thomson Reuters proprietary mechanism designed to reduce hallucinations.
Thomson Reuters uses de-identified usage information to improve CoCounsel Core
Thomson Reuters analyzes de-identified usage information to manage account health, capacity planning, and develop our product roadmap.
Penetration testing and certifications
The application successfully passed our penetration testing in 2025. We follow the Microsoft Privacy and Security for Office Add-ins requirements. We follow the Microsoft Privacy and Security for Office Add-ins requirements.