We believe you should know exactly what access you're granting before you click "Authorize." This page documents every OAuth scope we request, what data we read, and what we never touch.
Every scope we request is read-only. SaaSGuardAI cannot modify, delete, or create anything in your Google Workspace. We scan configuration — we never change it.
We never see or store your Google password. Authentication uses Google's OAuth 2.0 flow — tokens are stored encrypted and can be revoked at any time from your Google Admin console.
We store scan results (scores, findings, timestamps). We do not store user lists, email contents, file contents, or any PII beyond the admin email used to connect.
You can disconnect your workspace at any time from the dashboard. Disconnecting removes all OAuth tokens immediately. You can also delete all scan history permanently.
When you connect your Google Workspace, we request these specific scopes. Each one is required for a specific set of security checks.
| Scope | Access Level | What It's Used For |
|---|---|---|
| admin.directory.user.readonly | Read-Only | List users to check MFA enrollment, identify dormant accounts, count admins vs super-admins. We read user status — never passwords or personal data. |
| admin.directory.group.readonly | Read-Only | Check group settings for external member access and open sharing. We verify groups aren't accidentally public. |
| admin.directory.device.mobile.readonly | Read-Only | Check mobile device management policies. We verify devices accessing your workspace have proper security controls. |
| admin.reports.audit.readonly | Read-Only | Read admin audit logs to verify logging is active and check for suspicious login patterns. We look at event metadata — not email content. |
| drive.readonly | Read-Only | Detect files shared publicly or externally. We check sharing permissions — we never read file contents. |
| gmail.readonly | Read-Only | Check email forwarding rules and legacy protocol settings (IMAP/POP). We read mail settings — we never read email messages. |
| userinfo.email + openid | Identity | Identify which admin connected the workspace. Used to create your account and associate your workspace. |
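The consent screen and Google's token response, not an app's own description, are the authoritative record of what was granted. The following script is an added example (not SaaSGuardAI code) showing how a Workspace admin can compare the scope set Google actually issued against the eight scopes documented in the table. It assumes Google's token endpoint returns the granted scopes as a space-separated `scope` field (which it does); the full scope URIs are Google's published identifiers, the two token bodies are constructed samples, and `gmail.modify` appears in one of them only to show what an over-privileged grant looks like.

```python
import json

# Google's published scope URIs for the scopes documented in the table above
# (keys are the short names the table uses).
DOCUMENTED_SCOPES = {
    "admin.directory.user.readonly":
        "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "admin.directory.group.readonly":
        "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "admin.directory.device.mobile.readonly":
        "https://www.googleapis.com/auth/admin.directory.device.mobile.readonly",
    "admin.reports.audit.readonly":
        "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "drive.readonly": "https://www.googleapis.com/auth/drive.readonly",
    "gmail.readonly": "https://www.googleapis.com/auth/gmail.readonly",
    "userinfo.email": "https://www.googleapis.com/auth/userinfo.email",
    "openid": "openid",
}

IDENTITY_SCOPES = {
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}


def classify_scope(scope: str) -> str:
    """Coarse access level for a Google scope URI.

    Anything that is neither an identity scope nor suffixed '.readonly' is
    treated as write-capable. This is deliberately conservative: it judges the
    scope name only, not what the app actually does with the access.
    """
    if scope in IDENTITY_SCOPES:
        return "identity"
    if scope.endswith(".readonly"):
        return "read-only"
    return "write-capable"


def granted_scopes_from_token_response(body: str) -> set[str]:
    """Extract the granted scope set from a Google token-endpoint JSON body.

    Google reports the scopes the user consented to as one space-separated
    string in the 'scope' field.
    """
    data = json.loads(body)
    return set(data.get("scope", "").split())


def audit_granted_scopes(granted: set[str]) -> dict:
    """Compare the granted scopes with the documented set and flag deviations."""
    expected = set(DOCUMENTED_SCOPES.values())
    unexpected = sorted(granted - expected)
    write_capable = sorted(s for s in granted if classify_scope(s) == "write-capable")
    return {
        # Documented scopes the user did not grant: the matching checks cannot run.
        "missing": sorted(expected - granted),
        # Granted scopes the page does not document: over-privilege, investigate.
        "unexpected": unexpected,
        # Granted scopes that are not read-only or identity by name: should be empty.
        "write_capable": write_capable,
        "least_privilege_ok": not unexpected and not write_capable,
    }


# Constructed sample token responses (placeholder token values, not real ones).
# The first grants exactly the documented scopes; the second also carries
# gmail.modify, a write-capable scope this page does not request.
SAMPLE_EXPECTED = json.dumps({
    "access_token": "ya29.CONSTRUCTED-EXAMPLE",
    "token_type": "Bearer",
    "expires_in": 3599,
    "scope": " ".join(DOCUMENTED_SCOPES.values()),
})
SAMPLE_OVERPRIVILEGED = json.dumps({
    "access_token": "ya29.CONSTRUCTED-EXAMPLE",
    "token_type": "Bearer",
    "expires_in": 3599,
    "scope": " ".join(DOCUMENTED_SCOPES.values())
             + " https://www.googleapis.com/auth/gmail.modify",
})

if __name__ == "__main__":
    for label, body in (("expected", SAMPLE_EXPECTED),
                        ("over-privileged", SAMPLE_OVERPRIVILEGED)):
        print(label, audit_granted_scopes(granted_scopes_from_token_response(body)))
```

The `missing` list is as useful as `unexpected`: an admin who trimmed a scope at the consent screen will see which documented checks can no longer run, while a non-empty `unexpected` or `write_capable` list means the grant no longer matches what this page describes and is worth revoking from the Admin console until explained.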
Go to your dashboard → Settings → Click "Disconnect Workspace." This immediately removes all stored OAuth tokens.
Visit Google Admin → Security → API Controls → Third-party apps, find SaaSGuardAI, and revoke access. This invalidates all tokens on Google's side.
From the dashboard, use "Delete All Data" to permanently remove all scan history, findings, and workspace configuration. This is irreversible.
Every finding SaaSGuardAI generates is tagged with relevant compliance framework controls:
This mapping helps you understand which compliance frameworks each finding impacts. SaaSGuardAI itself is not SOC 2 certified — we map your findings to these frameworks to support your compliance program.
If you have security questions or want to discuss our practices, reach out.