Can SafeRedact process files exported from Microsoft Purview eDiscovery?

Yes. SafeRedact accepts the ZIP archives produced by Purview eDiscovery exports and processes all contained file types including EML, MSG, HTML Teams transcripts, CSV, TXT, and Office documents.

Does SafeRedact distinguish between the data subject and third parties?

Yes. You configure the data subject's identifying information before processing. SafeRedact preserves the subject's data while redacting personal information belonging to other individuals in the export.

How long does it take to redact a large DSAR export?

Processing time depends on volume. SafeRedact reduces what would take weeks of manual review to hours of automated processing. A 20,000-file export that might require 500+ hours of manual labor can be processed in a single session, typically completing in a few hours rather than weeks.

DSAR Redaction for Microsoft 365 Exports

Microsoft 365 DSAR Series

DSAR Redaction for Microsoft 365 Exports Office 365 DSAR Response Guide Teams Chat & Transcript Redaction Exchange Email DSAR Redaction SharePoint & OneDrive DSAR Redaction Purview eDiscovery Exports DSAR Redaction Overview DSAR Redaction Cost

The Gap Between Discovery and Delivery

Organizations running Microsoft 365 have access to powerful tools for finding personal data. Purview eDiscovery can search across Exchange mailboxes, SharePoint sites, OneDrive accounts, and Teams conversations. Content Search can surface documents matching specific identifiers. These tools solve the discovery problem. What they do not solve is the redaction problem — the final step where exported data must be stripped of third-party personal information before it can be delivered to the data subject.

Under GDPR Article 15(4), the right to receive a copy of personal data must not adversely affect the rights and freedoms of others. Under CCPA, organizations must deliver personal information without disclosing data belonging to other consumers. This means every email thread containing colleagues' names, every Teams chat referencing a client's phone number, every shared spreadsheet with another employee's address — all of it requires redaction before the DSAR response package leaves your organization.

This is where most DSAR workflows break down. The export from Purview might contain 10,000 to 50,000 files. Manual review at that scale requires weeks of skilled labor, creates inconsistent results, and regularly misses embedded PII in metadata, email signatures, CC fields, and nested attachments. The average manual DSAR costs approximately $1,524 to fulfill — and that figure assumes no rework from missed detections.

What Comes Out of a Microsoft 365 DSAR Export

Understanding the export formats is essential for planning your redaction workflow. When you run a Purview eDiscovery search and export the results, the output varies by source application.

Exchange Online and Outlook

Email messages export as PST files or individual MSG files. Each message contains header metadata (sender, recipients, CC, BCC, timestamps), body content, and embedded or attached files. Signatures often contain phone numbers, physical addresses, and job titles for both the sender and other parties in the thread. Forwarded chains can contain dozens of email addresses belonging to people other than the data subject.

Teams Conversations

Teams chats and channel messages export as HTML files with structured metadata. These transcripts contain participant names, timestamps, and full message content. A single channel conversation might reference 15 or 20 different people, each of whom has personal data that must be redacted before the transcript is disclosed to the data subject.

SharePoint and OneDrive

Documents export in their native formats — DOCX, XLSX, PPTX, PDF, and others. These files can contain personal data in visible content, tracked changes, comments, document properties, and embedded metadata. SafeRedact processes DOCX, XLSX, PDF, CSV, TXT, and HTML files from these exports directly. PPTX files should be converted to PDF before processing. SharePoint list exports arrive as CSV files, where personal data may appear in any column. OneDrive files include the same range of formats, plus any content the user synced from shared team sites.

Other M365 Services

Depending on your tenant configuration, exports may also include data from Planner (task assignments and comments), Forms (survey responses with respondent details), Viva Engage posts, Bookings appointment records, and To Do items synced to Exchange. Each source introduces its own file formats and PII patterns that require attention during redaction.

Why Built-In Tools Fall Short

Microsoft Purview includes some manual redaction capabilities, but these are designed for individual document review in eDiscovery litigation workflows — not for bulk DSAR processing. A legal team reviewing documents one at a time for privilege is a fundamentally different operation from a DPO who needs to redact third-party PII across 20,000 files within a 30-day deadline.

The core limitations are threefold. First, there is no bulk automation — each file must be opened, reviewed, and redacted individually. Second, the redaction tools are not designed to distinguish between the data subject's personal data (which must be preserved) and third-party personal data (which must be removed). Third, there is no specialized handling for common M365 formats like Teams HTML transcripts, where participant data is embedded in the HTML structure itself.

The bottom line: Microsoft built world-class tools for finding data. SafeRedact picks up where those tools stop — automating the redaction of exported files so they are safe to deliver to the data subject.

How SafeRedact Processes M365 Exports

SafeRedact is purpose-built for the specific problem that Microsoft's tools leave unresolved. The workflow integrates directly with the output of Purview eDiscovery exports.

Step 1: Export from Purview

Run your eDiscovery search in Purview using the data subject's identifiers — email address, employee ID, name, or other personal attributes. Export the results as a ZIP archive. No changes to your existing Purview workflow are required.

Step 2: Upload to SafeRedact

Upload the export ZIP directly into SafeRedact's enterprise platform. The system preserves the original folder structure while inventorying all contained files by type and size. There is no need to manually extract, sort, or pre-process the archive.

Step 3: Configure DSAR Subject

Enter the data subject's identifying information — name, email addresses, phone numbers, employee ID. SafeRedact uses this to distinguish between the subject's data (preserved) and third-party data (redacted). This is the critical step that generic redaction tools cannot perform.

Step 4: Automated Detection and Redaction

SafeRedact processes every file through a multi-layer detection engine. Regular expressions catch structured identifiers like national insurance numbers, phone numbers, email addresses, and postcodes. AI analysis identifies names, physical addresses, salary figures, and contextual personal data that patterns alone would miss. Each detection is tagged with its type and confidence level.

Step 5: Review and Deliver

Review the redacted files through SafeRedact's interface, with each detection highlighted for verification. Adjust any false positives or missed items before downloading the complete redacted export package. The result is a set of redacted plaintext files — each with PII replaced by category markers like [NAME], [EMAIL], [PHONE] — packaged as a ZIP with an audit trail CSV. This clean text format ensures no hidden data survives the redaction process and provides a reviewable, deliverable response that complies with Article 15(4) obligations.

Ready to automate your DSAR redaction?

Process thousands of files in minutes instead of weeks.

Enterprise Solutions Try Free

Supported File Types

SafeRedact handles the most common file types produced by M365 DSAR exports. Email messages in EML format are parsed to extract headers (From, To, CC, BCC, Subject) and body content. MSG files are processed via binary string extraction to recover message text and metadata. Teams HTML transcripts are processed with a dedicated parser that understands the conversation structure and participant references. CSV files from SharePoint list exports are analyzed cell by cell with column headers prepended for context. Plain text and JSON files are scanned with the same multi-layer detection pipeline. PDF files are processed via embedded text extraction. DOCX and XLSX files are supported through text and cell extraction respectively.

For Office documents, SafeRedact extracts and analyzes text content — DOCX files via body text extraction, XLSX files via cell-by-cell analysis across all worksheets, and PDF files via embedded text layer parsing. The system does not currently process PPTX files; organizations should convert presentations to PDF before upload if they are part of the export.

Compliance and Audit Trail

Every DSAR response should be defensible. SafeRedact generates a detailed processing log for each export, documenting the number of files processed, detections by category, redaction actions taken, and any files flagged for manual review. This audit trail provides the evidence that regulators expect when they examine how your organization fulfilled a data subject request.

The platform's detection categories align directly with the PII types that data protection authorities scrutinize most closely: names, email addresses, phone numbers, national identity numbers, financial details, physical addresses, and dates of birth. Each category is reported separately in the processing summary, giving your DPO a clear picture of what was found and what was redacted.

Microsoft 365 DSAR Series

Microsoft, Microsoft 365, Office 365, Teams, SharePoint, Exchange Online, OneDrive, Outlook, and Purview are trademarks of Microsoft Corporation. SafeRedact is not affiliated with or endorsed by Microsoft.