Google Workspace Security Audit FAQ

Common questions about Workspace Guard: permissions, data handling, domain-wide delegation risks, and how we protect your organization.

Security & Privacy

What permissions does Workspace Guard need?
We request four read-only API scopes: Admin Directory User (read-only), Admin Directory Domain (read-only), Admin Reports Audit (read-only), and Drive Metadata (read-only). These allow us to audit user accounts, MFA status, OAuth apps, and file sharing settings. We cannot modify, create, or delete any data in your workspace.
Do you read email content or file contents?
No. We only access metadata—information about files (names, owners, sharing settings) and emails (audit logs showing OAuth grants), but never the actual content. We use the drive.metadata.readonly scope specifically to prevent any file content access.
What data do you store?
We store aggregated security findings and risk scores—summary statistics like "X users without MFA" or "Y files shared externally." Raw API responses are processed in memory and discarded. We don't persist individual user details, file inventories, or any content from your workspace.
How do I revoke Workspace Guard's access?
You can revoke access at any time from your Google Admin Console. Go to Security > API Controls > Domain-wide delegation, find Workspace Guard's service account, and click Delete. This immediately revokes all access to your workspace.
Is my data secure?
Yes. All data is encrypted in transit (TLS 1.3) and at rest (AES-256). We use SOC 2 certified cloud infrastructure, implement least-privilege access controls, and maintain comprehensive audit logs. Our architecture is designed to meet SOC 2 Type II requirements.
What is domain-wide delegation?
Domain-wide delegation is a Google Workspace feature that allows a service account to access data across your entire organization. This is required for comprehensive security auditing—we need visibility into all users and files to identify risks. The scopes we request are strictly read-only.
Is domain-wide delegation safe to grant?
Domain-wide delegation is a significant trust decision that grants access to metadata across your workspace. While we only use read-only scopes and cannot modify your data, you are trusting us with visibility into user accounts, file sharing settings, and OAuth applications. We encourage you to review our security documentation, verify scopes in your Admin Console, and only proceed if you're comfortable with this trade-off. You can revoke access at any time.
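One way to carry out the "verify scopes in your Admin Console" step above, as an added example that is not Workspace Guard's own code. It assumes you paste in the comma-separated scope list shown for the service account under Security > API Controls > Domain-wide delegation, and that the four scopes named in this FAQ correspond to the Google OAuth scope URLs below. The function names and sample strings are constructed for illustration.

```python
"""Check a domain-wide delegation entry against the four read-only scopes in the FAQ."""

PREFIX = "https://www.googleapis.com/auth/"

# The four scopes the FAQ names, written as Google OAuth scope URLs.
EXPECTED = {
    PREFIX + "admin.directory.user.readonly",
    PREFIX + "admin.directory.domain.readonly",
    PREFIX + "admin.reports.audit.readonly",
    PREFIX + "drive.metadata.readonly",
}


def parse_scopes(raw):
    """Split the comma- or whitespace-separated scope field into a set."""
    return {tok for tok in raw.replace(",", " ").split() if tok}


def review_delegation(raw):
    """Compare the granted scopes with EXPECTED and classify each difference."""
    granted = parse_scopes(raw)
    extra = granted - EXPECTED
    # Heuristic (an assumption of this example): any scope that does not end
    # in ".readonly" is treated as potentially write-capable.
    write_capable = sorted(s for s in extra if not s.endswith(".readonly"))
    extra_readonly = sorted(s for s in extra if s.endswith(".readonly"))
    missing = sorted(EXPECTED - granted)
    if write_capable:
        verdict = "FAIL"        # grant exceeds the read-only claim
    elif extra_readonly:
        verdict = "REVIEW"      # read-only, but broader than documented
    elif missing:
        verdict = "INCOMPLETE"  # a documented scope was not granted
    else:
        verdict = "OK"
    return {"verdict": verdict, "write_capable": write_capable,
            "extra_readonly": extra_readonly, "missing": missing}


# Constructed sample inputs (not taken from any real tenant).
SAMPLE_AS_DOCUMENTED = ", ".join(sorted(EXPECTED))
SAMPLE_OVERBROAD = (SAMPLE_AS_DOCUMENTED + ", " + PREFIX + "gmail.readonly, "
                    + PREFIX + "drive")

if __name__ == "__main__":
    for label, raw in (("as documented", SAMPLE_AS_DOCUMENTED),
                       ("over-broad", SAMPLE_OVERBROAD)):
        print(label, review_delegation(raw))
```

A REVIEW verdict still deserves attention: a read-only scope outside the documented four (for example a mail scope) would expose data the FAQ says is never accessed.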
What happens if Workspace Guard is breached?
In a breach scenario, an attacker could potentially access the same metadata we access—user email addresses, file names, sharing configurations, and OAuth app details. They could NOT access email content or file contents, and could not modify any data. We mitigate this risk through encrypted credential storage, comprehensive access logging, minimal data retention (we don't store raw API data), and security monitoring. We maintain an incident response plan and would notify affected customers within 72 hours of a confirmed breach.
Can I audit my workspace without granting domain-wide delegation?
Domain-wide delegation is required for comprehensive auditing across all users. Without it, you'd only see data for the specific admin account that authorizes access, missing visibility into other users' OAuth apps and file sharing. For organizations not comfortable with domain-wide delegation, Google Workspace's built-in Admin Console and Reports provide some audit capabilities, though with less depth and no automated risk scoring.
How often should I run Google Workspace security audits?
For most organizations, we recommend security audits at least quarterly. However, continuous monitoring (daily scans) catches issues faster—new risky OAuth apps, users disabling MFA, or files becoming externally shared. Our Continuous Protection plan provides daily automated scans with real-time alerts for significant security changes.

Pricing & Plans

How does the free Security Snapshot work?
The free Security Snapshot gives you a one-time comprehensive audit across all three pillars: identity security, OAuth applications, and data exposure. You get full risk scoring and a PDF report with recommendations. It's limited to a single scan—for ongoing monitoring, upgrade to Continuous Protection.
What's included in Continuous Protection ($99/month)?
Continuous Protection includes daily automated scans, real-time security alerts, full dashboards, trend analysis over time, scheduled email reports, and priority support. It covers unlimited users in a single workspace.
Do you offer enterprise pricing?
Yes. For multiple workspaces, custom integrations, dedicated support, or specific compliance requirements, contact us for enterprise pricing. We can accommodate custom deployment options and SLAs.
How long does a scan take?
Initial scans typically complete within minutes for small workspaces (under 100 users) and 15-30 minutes for larger organizations. Subsequent scans are often faster due to incremental processing.

Technical & Setup

Can I delete my data?
Yes. Contact us at privacy@workspaceguard.com to request complete data deletion. We process deletion requests within 30 days, and backup data is purged within 90 days. You'll receive confirmation when deletion is complete.
Are you GDPR compliant?
Yes. We comply with GDPR requirements including data minimization, purpose limitation, right to access, and right to deletion. We only collect data necessary for the security audit, process it for the stated purpose, and provide mechanisms for data export and deletion.
What Google Workspace editions are supported?
Workspace Guard works with all Google Workspace editions: Business Starter, Business Standard, Business Plus, Enterprise Standard, Enterprise Plus, and legacy G Suite editions. Some features may vary based on APIs available in your edition.
Do I need to be a super admin to use Workspace Guard?
Yes. Setting up domain-wide delegation requires super admin privileges in Google Workspace. Once configured, the scan runs using service account credentials, so ongoing operation doesn't require keeping the super admin session active.
How do you handle shadow IT / unverified OAuth apps?
We identify OAuth apps that users have authorized, including unverified third-party apps that may pose security risks. We flag apps by verification status, scope sensitivity, and user adoption, helping you identify and address shadow IT risks.
