Release date: 15 May 2026 | Previous version: v26.3.0 (27 March 2026)
Scope: Aggregated changes across patches v26.3.1 through v26.3.13 and the v26.4.0 minor cut.
Features
Google Drive (gdrive) source — new connector
New gdrive source type end-to-end (collector, google-ingestion, api, client).
Automatic creation of Google service accounts directly from the app.
Discover Drives using an admin account; tag documents with native Google Drive labels.
Add Google Drive labels to policies for tagging and enforcement.
New DS_GoogleLabels and DS_Drive fields in the data index; new gdrive_labels and google_creds indices.
SharePoint / OneDrive custom column support
Read custom metadata columns during ingestion or validation (per-source setting).
Tag documents by custom metadata columns in the profiler.
New custom-column enforcement in SharePoint/OneDrive — fields custom_column_enabled, custom_column_name, custom_column_type, custom_column_value, custom_column_date_mode added to policies mapping.
custom_columns field added to azure_sites and azure_users indices.
EWS (Exchange on-premise) shared mailbox scanning
Added shared mailbox scanning to EWS on-premise sources.
New EWS service downloaders in the collector.
Business-hours throttling for EWS workloads.
CSV / Excel bulk management of owners
Download spreadsheets of custom creators, custom owners and Outlook mailboxes for all sources from Data Owners.
Upload creators / custom owners / Outlook mailboxes via CSV or Excel.
New API routes for fetching creators/custom owners/mailboxes per source and uploading custom owners per source.
Data Owners — permission & ownership visibility
Display full document permissions inside the Data Owner view.
New wrapper route to fetch document permissions directly from Microsoft Graph.
New wrapper route to fetch SharePoint site-group members.
Shared mailbox and owners columns added to OneDrive sources in Data Owners.
Disabled icon and tooltip for documents without access permissions.
Reporting & dashboard
New "ORPHAN" default tag automatically applied to report documents with no subscriber, and exposed in the default tag list.
"Show all" modal on the Risk per Department chart.
Class and Tag category filters added to Detailed View.
Global Dashboard Settings section (advanced filter limits, etc.) made tenant-wide.
Header UX overhaul: all icons consolidated into a new quick-access dropdown.
Secondary dashboard header redesigned — stats moved to quick-access, layout rearranged for more space.
Tagging engine
Sticky-tag support — new sticky_tag field on the tags mapping.
Filter by Notification ID in the Tag Builder.
Hashing of selected regex hits in the profiler for sensitive matches.
AI / Profiler
AI profiler now reloads dictionaries every 12 hours and false-positives every 5 minutes (no manual restart needed).
Sentence storage for dep-matcher findings (S_S_ label values) so they render in reports.
File handling
HEIC file preview support in the client.
New should_hash field on the algorithms index for hashed-match algorithms.
Changes
Data Owners performance & UX
Reworked / optimised document search and filtering in Data Owners.
Auto-expand folders up to 10 levels deep when searching; auto-expanded folders are no longer treated as manually expanded.
Fetch 40 rows per "Show more" click (was 20).
Various UX improvements in the multiselect component and the permissions modal.
Concurrent (not sequential) profile-picture fetching in the permissions modal.
Help text updates on custodian file upload for OneDrive and Outlook sources.
Policy & notification model
Notification settings split per source-type inside each policy.
SharePoint notification settings moved into policy settings (token validation, report querying, sendout and update flows all reworked accordingly).
Disable owners-sendout switches for SharePoint sources in policy settings.
Notification-settings section merged with Data Owners section in policy settings.
New skip_orphan_enforcement policy option (graph-enforcer, fileshare-service).
Custom owners model
Custom owners now stored consistently across SharePoint, OneDrive, Outlook and fileshare sources.
Manually-assigned creators and custom owners stored in the custom_owners index.
user_id, user_email and source_id now stored alongside each custom owner record.
Unified and reworked endpoints for updating creator IDs and custom owners.
Creator ID changes are propagated to children automatically in Data Owner view.
Analytics
Treat "outlook" and "outlook-service" source types as a single Outlook bucket.
Include Gmail accounts and Google Drives when counting accounts and drives.
SharePoint sites calculation in POST /statistics corrected.
Top 10 classes scoped per source in Data Owners (with extended chart palette).
Updated labels in monthly data-minimisation chart.
Reingestion & ingestion
Graph-ingestion now purges (instead of soft-deleting) documents missing during reingestion.
Request-reingestion data is processed before ingestion starts.
Reworked SharePoint permission access population during validation.
New way of reading and writing MIP labels in graph-ingestion.
Platform
Infrastructure: Flower added to all compose files with /flower route exposed on NGINX over VPN.
NGINX upgraded to 1.29.2 across all compose variants; build action for all NGINX variants fixed.
Removed all chat-related code from the client.
Removed unused fileshare_owners index and various unused CLI commands, tasks and routes.
Updated minor/patch versions of client dependencies; analytics dependencies updated.
IAM_SECRET env added to analytics for partner-driven theming and language selection.
Bugfixes
API
Fix permissions required for fetching source types in a policy.
Fix Azure groups not being scoped to company.
Fix Azure users search and resolve issues in the orphan-update script.
Fix issues loading Azure users by selected group.
Fix scheduling issue when no groups are selected.
Fix source-type notification settings not working for new and existing policies.
Fix inconsistencies when updating creator IDs.
Fix mip_label tagging task.
Fix issue with updating custom owners in the data index and "marking" report folders via CSV updates.
Extend SharePoint sites results beyond 10,000 in Edit Source.
Ensure all documents in a policy receive notification info (alert added when they don't).
Client
Fix error when logging out without a login token.
Fix unauthorised routes breaking with a permission error.
Fix issues with Select All in source settings.
Fix issue with search/filtering folders in Data Owners.
Fix tab counts when tagging documents in a report.
Fix "Site Groups" missing names in the user permissions modal.
Fix runtime error in Settings.
Fix text highlighting in document preview.
Fix issue that made everything unclickable while a notification was being shown.
Fix help text in custodian file upload for OneDrive and Outlook sources.
Suppress profile-picture fetch errors.
Profiler / OCR
Fix OCR documents being profiled twice.
Fix some PDF files being treated as images.
Fix profiler crash when DS_Value is too large or Excel extraction fails.
Skip person extraction if no persons are found in the first 50 rows.
Ingestion services
EWS: fix PDF processing issues.
Graph-ingestion: fix Outlook reingestion process.
Graph-ingestion / graph-management / graph-enforcer: fix LocalDateTime serialization issues with Jackson 2.22.1 and Spring 4.
Analytics
Fix "emails by department" being limited to top 100.
Fix SharePoint sites calculation in POST /statistics.
Security hardening
Tenant isolation — Azure groups and Azure users now strictly scoped to the calling company (fixes a multi-tenant data-leak class).
Permission boundary — Unauthorised client routes no longer break with a generic permission error; explicit permission required on token-source endpoints.
Audit trail — custom_owners index now stores user_id, user_email and source_id; all custom owner / creator updates written to the audit log.
PII at rest — Selected regex hits are hashed in the profiler (new should_hash algorithm flag).
Attack-surface reduction — All chat-related code removed from the client; unused indices, routes and CLI commands cleaned up.
Dependency upgrades — Client minor/patch dependency updates; analytics deps updated; graph services migrated to Java 25 and Spring 4 with Jackson serialization patched.
Infrastructure — NGINX upgraded to 1.29.2; Flower management UI gated behind VPN-only route on NGINX.
Access visibility — Documents without access permissions are now flagged with a disabled icon and tooltip in Data Owners so reviewers can spot enforcement gaps.
Deployment notes
Run after deploying v26.4.0 (in order):
# Reindex custom owners (v26.3.13)
docker exec -it api flask --app=manage reindex custom_owners
# Update IAM permissions (added in the 26.3.0 line; safe to re-run)
docker exec -it dm-service-iam flask --app=manage update_permissions
Elasticsearch mapping updates introduced during the 26.3.x line (apply only if not already applied):
PUT algorithms/_mapping
{ "properties": { "should_hash": { "type": "boolean" } } }
PUT tags/_mapping
{ "properties": { "sticky_tag": { "type": "boolean" } } }
PUT policies/_mapping
{
  "properties": {
    "custom_column_enabled": { "type": "boolean" },
    "custom_column_name": { "type": "keyword" },
    "custom_column_type": { "type": "keyword" },
    "custom_column_value": { "type": "keyword" },
    "custom_column_date_mode": { "type": "keyword" }
  }
}
PUT azure_sites/_mapping
{ "properties": { "custom_columns": { "type": "keyword" } } }
PUT azure_users/_mapping
{ "properties": { "custom_columns": { "type": "keyword" } } }
PUT data/_mapping
{
  "properties": {
    "custom_metadata": {
      "type": "nested",
      "properties": {
        "key": { "type": "keyword" },
        "value": { "type": "keyword" }
      }
    }
  }
}
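One way to check "apply only if not already applied" before sending any PUT (an added example, not part of the product or its tooling): the function below compares a GET <index>/_mapping response with the fields listed above and reports what is still missing and what already exists with a different type. The function names and sample responses are constructed for illustration, and it assumes each index is addressed by its concrete name rather than an alias.

```python
# Added example: plan the mapping updates from the deployment notes.
# Input is the body of GET <index>/_mapping: {"<index>": {"mappings": {"properties": {...}}}}
WANTED = {  # field definitions copied from the deployment notes
    "algorithms": {"should_hash": {"type": "boolean"}},
    "tags": {"sticky_tag": {"type": "boolean"}},
    "policies": {
        "custom_column_enabled": {"type": "boolean"},
        **{f"custom_column_{s}": {"type": "keyword"} for s in ("name", "type", "value", "date_mode")},
    },
    "azure_sites": {"custom_columns": {"type": "keyword"}},
    "azure_users": {"custom_columns": {"type": "keyword"}},
    "data": {"custom_metadata": {"type": "nested", "properties": {
        "key": {"type": "keyword"}, "value": {"type": "keyword"}}}},
}

# Constructed sample: custom_metadata already nested, but only "key" is mapped.
SAMPLE_DATA = {"data": {"mappings": {"properties": {"custom_metadata": {
    "type": "nested", "properties": {"key": {"type": "keyword"}}}}}}}
# Constructed sample: dynamic mapping already created custom_columns as text.
SAMPLE_USERS = {"azure_users": {"mappings": {"properties": {"custom_columns": {"type": "text"}}}}}


def plan(index, response):
    """Return (to_put, conflicts) for one index.

    to_put    -> "properties" body for PUT <index>/_mapping; empty means nothing to apply.
    conflicts -> dotted paths of fields that exist with another type. Elasticsearch
                 rejects a type change on an existing field, so these need a reindex.
    """
    existing = response.get(index, {}).get("mappings", {}).get("properties", {})
    to_put, conflicts = {}, []
    _diff(WANTED[index], existing, "", to_put, conflicts)
    return to_put, conflicts


def _diff(want, have, prefix, to_put, conflicts):
    for name, spec in want.items():
        if name not in have:
            to_put[name] = spec
            continue
        # A mapped field with sub-properties and no explicit type is an "object".
        if have[name].get("type", "object") != spec["type"]:
            conflicts.append(prefix + name)
        elif "properties" in spec:
            sub = {}
            _diff(spec["properties"], have[name].get("properties", {}), prefix + name + ".", sub, conflicts)
            if sub:
                to_put[name] = {"type": spec["type"], "properties": sub}
```

A non-empty conflicts list means the corresponding PUT would be rejected; resolve it before continuing with the deployment steps.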
New environment variables introduced during 26.3.x:
GOOGLE_OAUTH_CLIENT_ID and GOOGLE_OAUTH_CLIENT_SECRET on the api service (Google Drive source).
IAM_SECRET on the analytics service (partner theming + language).
FLOWER_CELERY_BROKER_URL for the new Flower service.