Security & Privacy

Our Security Model

We built Workspace Guard around three principles: access only what's necessary, store only what's needed, and protect everything we touch.

Read-Only Access

All API scopes are read-only. We cannot modify, delete, or create anything in your workspace.

Data Minimization

We store aggregated findings, not raw data. API responses are processed in memory and discarded.

Encryption at Rest

All stored data is encrypted. Sensitive fields use application-level encryption with isolated keys.

What We Never Access

Before explaining what we do access, here's what's completely outside our scope. These aren't just things we choose not to store—they're things our API scopes cannot access at all.

  • Email content

    We cannot read Gmail messages or drafts

  • Document content

    We cannot read text in Docs, Sheets, or Slides

  • File contents

    We cannot download or view any file data

  • Calendar events

    Meeting titles, attendees, and details are invisible to us

  • Chat messages

    Google Chat and Meet conversations are not accessible

  • Passwords or credentials

    User passwords and security keys are never exposed

How We Protect Data

Protection starts with minimization—not storing what we don't need. What we do store is encrypted at multiple layers.

1. Data Minimization (Primary Defense)

Raw API responses from Google are processed in memory and immediately discarded. We extract only the metadata needed for security analysis:

  • User metadata: MFA status, admin roles, last login (not names or photos)
  • OAuth apps: App names and scopes (not user-specific tokens)
  • File exposure: Sharing settings and external domains (not file contents)

2. Transport Encryption

All data in transit uses TLS 1.3. This includes API calls to Google, communication between our services, and your browser connection to our dashboard.

3. Storage Encryption (AES-256)

Our database uses AES-256 encryption at rest, managed by our cloud provider's KMS (Key Management Service). This protects against an attacker who obtains the underlying physical disks or storage volumes.

4. Application-Level Encryption (Sensitive Fields)

Sensitive fields like service account credentials use envelope encryption: each field has its own data key, and that key is encrypted with a master key. This limits the blast radius: compromising one record's data key exposes that record only, not the others.

Technical details:

  • Algorithm: AES-256-GCM (authenticated encryption, so any tampering with stored ciphertext is detected)
  • Key derivation: the master key is derived from the master secret with scrypt
  • Per-field random IVs, so identical plaintexts in different fields never produce the same ciphertext
  • A version byte on each ciphertext identifies the key version, enabling future key rotation
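The envelope scheme described above, as an added illustration rather than Workspace Guard's own code: it assumes a hypothetical record layout (version byte, wrapped data key, nonce, ciphertext) and uses Python's hashlib.scrypt plus AES-256-GCM from the cryptography package; the master secret, salt and field contents are constructed values.

```python
import os
import hashlib
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.exceptions import InvalidTag

# Hypothetical layout for one encrypted field (not the vendor's real format):
#   version(1) || wrap_nonce(12) || wrapped_data_key(32+16) || nonce(12) || ciphertext+tag
VERSION = b"\x01"
NONCE_LEN = 12          # 96-bit GCM nonce, freshly random for every field
WRAPPED_LEN = 32 + 16   # 256-bit data key plus the 16-byte GCM authentication tag


def derive_master_key(master_secret: bytes, salt: bytes) -> bytes:
    """Derive the 256-bit key-encryption key from the master secret with scrypt."""
    return hashlib.scrypt(master_secret, salt=salt, n=2**14, r=8, p=1, dklen=32)


def encrypt_field(master_key: bytes, field_name: str, plaintext: bytes) -> bytes:
    """Envelope-encrypt one field: a fresh data key per field, wrapped under the master key."""
    data_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(NONCE_LEN)
    # The column name is bound as associated data, so a ciphertext cannot be moved to another column.
    ciphertext = AESGCM(data_key).encrypt(nonce, plaintext, field_name.encode())
    wrap_nonce = os.urandom(NONCE_LEN)
    # The version byte is authenticated together with the wrapped key, so it cannot be altered.
    wrapped_key = AESGCM(master_key).encrypt(wrap_nonce, data_key, VERSION)
    return VERSION + wrap_nonce + wrapped_key + nonce + ciphertext


def decrypt_field(master_key: bytes, field_name: str, blob: bytes) -> bytes:
    """Reverse of encrypt_field; raises InvalidTag on tampering or a wrong key."""
    if blob[:1] != VERSION:
        raise ValueError(f"unsupported field format version {blob[:1]!r}")
    wrap_nonce = blob[1:1 + NONCE_LEN]
    wrapped_key = blob[1 + NONCE_LEN:1 + NONCE_LEN + WRAPPED_LEN]
    body = blob[1 + NONCE_LEN + WRAPPED_LEN:]
    nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
    data_key = AESGCM(master_key).decrypt(wrap_nonce, wrapped_key, VERSION)
    return AESGCM(data_key).decrypt(nonce, ciphertext, field_name.encode())


def rejects(master_key: bytes, field_name: str, blob: bytes) -> bool:
    """True if decryption refuses the blob (tampered bytes, wrong column, wrong key, bad version)."""
    try:
        decrypt_field(master_key, field_name, blob)
        return False
    except (InvalidTag, ValueError):
        return True
```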

API Permissions We Request

We use four read-only Google API scopes. Each enables a specific audit capability.

Admin Directory - Users

admin.directory.user.readonly

Enables: MFA enrollment check, admin role detection, dormant account identification

Admin Directory - Domains

admin.directory.domain.readonly

Enables: Distinguishing internal vs external sharing in file exposure analysis

Admin Reports - Audit

admin.reports.audit.readonly

Enables: OAuth app inventory from token grant events, identifying third-party application risks

Drive - Metadata Only

drive.metadata.readonly

Enables: File sharing analysis (public links, external shares) without accessing file contents

About Domain-Wide Delegation

To audit your entire workspace, we use Google's domain-wide delegation feature. This allows our service account to access metadata across all users—necessary for comprehensive security visibility.

Why It's Required

Without domain-wide delegation, we could only see data for one admin account, missing visibility into other users' OAuth apps, MFA status, and file sharing.

Comprehensive auditing requires seeing the full picture—that's the value we provide.

How We Limit Exposure

  • Only read-only scopes—we cannot modify anything
  • Credentials encrypted with envelope encryption
  • Raw API data processed in memory, then discarded
  • All access logged (visible in your Admin Console)

You Control Access

You can revoke our access at any time from your Google Admin Console under Security → API Controls → Domain-wide delegation. Revocation is immediate.

Our API activity appears in your audit logs under Reports → Audit → Token events, so you have full visibility into what we access.
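A defender-side check on those token events, added here and not part of Workspace Guard's product: given token-authorization records in the shape returned by the Admin SDK Reports API (id / actor / events / parameters), it flags any grant to the auditor's client ID whose scopes go beyond the four read-only scopes listed on this page. The sample records and the client ID are constructed placeholders.

```python
# Full scope URIs for the four read-only scopes this page lists
# (https://www.googleapis.com/auth/ is Google's standard scope prefix).
EXPECTED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/drive.metadata.readonly",
})

# Constructed sample records modelled on the Reports API "token" activity shape.
# Not real log data; the client_id is a placeholder. The second record grants one
# extra, non-readonly Drive scope that an admin would want to catch.
SAMPLE_EVENTS = [
    {"id": {"time": "2024-05-01T10:00:00Z", "applicationName": "token"},
     "actor": {"email": "alice@example.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": "PLACEHOLDER-AUDITOR-CLIENT-ID"},
         {"name": "scope", "multiValue": sorted(EXPECTED_SCOPES)}]}]},
    {"id": {"time": "2024-05-02T11:30:00Z", "applicationName": "token"},
     "actor": {"email": "bob@example.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": "PLACEHOLDER-AUDITOR-CLIENT-ID"},
         {"name": "scope", "multiValue": sorted(EXPECTED_SCOPES)
                                        + ["https://www.googleapis.com/auth/drive"]}]}]},
]


def _params(event):
    """Flatten a Reports API parameter list into {name: value or multiValue}."""
    return {p["name"]: p.get("multiValue", p.get("value")) for p in event.get("parameters", [])}


def scope_violations(records, client_id, allowed=EXPECTED_SCOPES):
    """Return (time, actor, unexpected scopes) for each authorize event of client_id
    whose granted scopes exceed the allowed read-only set."""
    findings = []
    for rec in records:
        for ev in rec.get("events", []):
            if ev.get("name") != "authorize":
                continue
            params = _params(ev)
            if params.get("client_id") != client_id:
                continue
            extra = sorted(set(params.get("scope") or []) - allowed)
            if extra:
                findings.append((rec["id"]["time"], rec["actor"]["email"], extra))
    return findings
```

Feeding the records returned by the Reports API activities.list call for applicationName=token into scope_violations gives the same check over live data.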

What We Store

We store aggregated security findings—the results of our analysis, not the raw data.

Stored

  • Risk scores and security grades
  • Aggregate statistics (user counts, MFA percentages)
  • Finding categories and counts
  • Historical trends (for continuous monitoring)
  • Your account and subscription info
  • Encrypted service account credentials

Not Stored

  • Raw API responses from Google
  • Full file inventories or contents
  • Email addresses (beyond what's needed for findings)
  • OAuth tokens or user credentials
  • Calendar, email, or chat data
  • Anything we don't need for security auditing

Your Controls

Revoke Access

Remove our access at any time via Google Admin Console:

  1. Go to Security → API Controls
  2. Find Domain-wide delegation
  3. Locate Workspace Guard's service account
  4. Click Delete

Delete Your Data

Request complete data deletion:

  1. Email privacy@workspaceguard.com
  2. We process within 30 days
  3. Backups purged within 90 days
  4. You'll receive confirmation

Export Your Data

Download your scan results and findings anytime from your dashboard. PDF and CSV exports available for all reports.

Monitor Our Access

View our API activity in your Google Admin Console under Reports → Audit → Token events. All our access is logged with timestamps.

Compliance

SOC 2 Ready

Architecture designed for SOC 2 Type II compliance across security, availability, and confidentiality trust principles.

GDPR Compliant

Data minimization, purpose limitation, right to access, and right to deletion built into our architecture.

Privacy by Design

Minimization first: we collect only what's needed, store only summaries, and make deletion straightforward.

Questions About Our Security Model?

We're happy to discuss our approach in detail. Reach out for a security review call or to request additional documentation.

Contact Us